
fix(acceptor): upgrade sspi, use NTLM when no Kerberos#1143

Open
Guillaume Gelin (ramnes) wants to merge 1 commit into Devolutions:master from formalco:ramnes/update-sspi

Conversation

@ramnes
Contributor

Upgrade sspi to incorporate latest changes. The new version introduces a real SPNEGO implementation in `ServerMode::Negotiate`, but some RDP clients seem to send raw NTLM tokens in CredSSP rather than SPNEGO-wrapped ones, which doesn't seem supported by sspi yet? In the meantime, we can use `ServerMode::Ntlm` directly when Kerberos is disabled, so that we maintain compatibility with previous sspi behavior.

Note: I can't get the dependencies right, looks like there's a picky rc.22 / getrandom conflict; any help appreciated here!

@TheBestTvarynka
Collaborator

Hi, yes, you are right. Let me add more context for others and for historical reasons 🙃

> but some RDP clients seem to send raw NTLM tokens in CredSSP rather than SPNEGO-wrapped ones

Yep. mstsc and FreeRDP do so. I was the one who refactored the SPNEGO implementation. We needed to improve SPNEGO to fix these issues: Devolutions/sspi-rs#433 and Devolutions/sspi-rs#476. sspi-rs is not only used for RDP but also for SMB and other protocols. So, we needed proper SPNEGO support.

> which doesn't seem supported by sspi yet?

It is supported, but the user (the caller) must specify it explicitly via ClientMode::Ntlm rather than ClientMode::Negotiate. And I see you do exactly this 👍

> We can use ServerMode::Ntlm directly when Kerberos is disabled

Currently, that's the only way to do so.
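Added illustrative Rust, not code from sspi-rs or from this PR: a small classifier that tells a raw NTLMSSP message from a SPNEGO-wrapped token by its leading bytes, which is the distinction the discussion above turns on (mstsc and FreeRDP sending bare NTLM inside CredSSP). The `TokenKind` enum, `classify_token` and the constructed sample bytes are assumptions of this example.

```rust
// Added example: inspect the leading bytes of a CredSSP negoToken so an
// acceptor can tell a bare NTLMSSP message from a SPNEGO-wrapped one.
// Illustrative only; not sspi-rs's API or the acceptor's own code.

/// DER body of the SPNEGO mechanism OID 1.3.6.1.5.5.2 (tag and length omitted).
const SPNEGO_OID: [u8; 6] = [0x2b, 0x06, 0x01, 0x05, 0x05, 0x02];

#[derive(Debug, PartialEq, Eq)]
pub enum TokenKind {
    /// Bare NTLMSSP message; the u32 is the NTLM message type (1, 2 or 3).
    RawNtlm(u32),
    /// GSS-API InitialContextToken whose mech OID is SPNEGO (wraps NegTokenInit).
    SpnegoInit,
    /// NegTokenResp, context-specific tag [1].
    SpnegoResp,
    Unknown,
}

/// Decode a DER length starting at `buf[0]`; returns (length, bytes consumed).
fn der_len(buf: &[u8]) -> Option<(usize, usize)> {
    let first = *buf.first()?;
    if first < 0x80 {
        return Some((first as usize, 1)); // short form
    }
    let n = (first & 0x7f) as usize; // long form: n following length bytes
    if n == 0 || n > 4 || buf.len() < 1 + n {
        return None;
    }
    let len = buf[1..1 + n].iter().fold(0usize, |acc, b| (acc << 8) | *b as usize);
    Some((len, 1 + n))
}

pub fn classify_token(token: &[u8]) -> TokenKind {
    // Raw NTLM: 8-byte signature followed by a little-endian message type.
    if token.len() >= 12 && token.starts_with(b"NTLMSSP\0") {
        let msg_type = u32::from_le_bytes([token[8], token[9], token[10], token[11]]);
        return TokenKind::RawNtlm(msg_type);
    }
    match token.first() {
        Some(0x60) => match der_len(&token[1..]) {
            // [APPLICATION 0] wrapper, then OBJECT IDENTIFIER (0x06, length 6).
            Some((_, used)) => {
                let rest = &token[1 + used..];
                if rest.len() >= 8 && rest[0] == 0x06 && rest[1] == 6 && rest[2..8] == SPNEGO_OID {
                    TokenKind::SpnegoInit
                } else {
                    TokenKind::Unknown
                }
            }
            None => TokenKind::Unknown,
        },
        Some(0xa1) => TokenKind::SpnegoResp,
        _ => TokenKind::Unknown,
    }
}
```

A server that still wants `Negotiate` for SPNEGO clients could use this check to fall back to the NTLM-only path only when a bare NTLMSSP NEGOTIATE message arrives, instead of deciding purely on whether Kerberos is configured.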
