1. First we need to check that we have an SPNEGO compatible Curl installed:
$ curl -V curl 7.81.0 (x86_64-w64-mingw32) libcurl/7.81.0 OpenSSL/1.1.1m (Schannel) zlib/1.2.11 brotli/1.0.9 zstd/1.5.2 libidn2/2.3.1 libssh2/1.10.0 nghttp2/1.46.0 Release-Date: 2022-01-05 Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI TLS-SRP zstd
Here we can see that the SPNEGO feature is available
2. Next we need to create a credentials cache for Curl to use
kinit <username> Password for <username>@<domain.com>: <password>
Here we create a “authentication token” and put it in a credentials cache fรถr Curl, and any other program ie. SoapUI and others, to use. ‘username’ is the name of the user. This can be omitted, and if so the default user and domain (user that runs the command) will be used instead. The ‘kinit’ command will ask for the password associated with the user. After this has been inputed the token is created
3. After that we run Curl with the following options:
curl --negotiate -u : https://a-spnego-protected-site/data-i-want-to-access
–negotiate will trigger SPNEGO behaviour
-u is needed but is left blank. On some sites though I have had to put <domain\user> to get it to work
:
Curl will now use the token in the credentials cache to authenticate against the web resource
Troubleshooting commands:
klist - lists all current tokens with the expiry timestamps in the cache kdestroy - remove a ticket from the credentials cache
Tested with Curl v7.81.0 in GitBash on a Windows 10 with Java 1.8.0_301