Topic: NTLM HTTP Authentication
Author: authen (member; posts: 56; joined: 06/05/2006; from: San Diego, CA)

NTLM HTTP Authentication |
Here is a practical NTLM authentication example via HTTP
Client: MS Internet Explorer 6.0
Server: MS IIS v6
1. Client --> Server
2. Client <-- Server
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="mydomain.com"
3. Client --> Server
GET / HTTP/1.1
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=
TYPE 1 NTLM Message:
  0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00   --- NTLMSSP
  0x01 0x00 0x00 0x00                       --- Type 1
  0x07 0x82 0x00 0xa0                       --- Flags
  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00   --- workstation domain
  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00   --- workstation name
  0x00                                      --- data block
Flags: 0xa0008207
1... .... .... .... .... .... .... .... = Negotiate 56: Set
.0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..0. .... .... .... .... .... .... = Negotiate 0x02000000: Not set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
.... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set
.... .... .... 0... .... .... .... .... = Negotiate NTLM2 key: Not set
.... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set
.... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set
.... .... .... ...0 .... .... .... .... = Negotiate Challenge Init Response: Not set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set
.... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set
.... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set
.... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set
.... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
.... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ..1. = Negotiate OEM: Set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
4. Client <-- Server
HTTP/1.1 401 Unauthorized
Content-Length: 1539
Content-Type: text/html
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABAAE...
TYPE 2 NTLM Message:
  0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00   --- NTLMSSP
  0x02 0x00 0x00 0x00                       --- Type 2
  0x04 0x00 0x04 0x00 0x38 0x00 0x00 0x00   --- Target Name -- Length: 4 -- Maxlen: 4 -- Offset: 56
  0x05 0x82 0x81 0xa2                       --- Flags
  0xd9 0x3f 0xf5 0x0e 0x0d 0x82 0x93 0x1a   --- NTLM Challenge
  0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00   --- Context (Reserved)
  0xcc 0x00 0xcc 0x00 0x3c 0x00 0x00 0x00   --- Target Information -- Length: 204 -- Maxlen: 204 -- Offset: 60
  0x05 0x02 0xce 0x0e 0x00 0x00 0x00 0x0f   --- start of data block (Target Domain NetBIOS Name)
  (Target Information Address List:
     Domain NetBIOS Name: SALES
     Server NetBIOS Name: MY_IIS_SEREVR
     Domain DNS Name: sales.mycompany.com
     Server DNS Name: my_iis_server.sales.mycompany.com
     0x00 0x00 0x00 0x00                    --- List Terminator)
Flags: 0xa2818205
1... .... .... .... .... .... .... .... = Negotiate 56: Set
.0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
..1. .... .... .... .... .... .... .... = Negotiate 128: Set
...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
.... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
.... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
.... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set
.... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
.... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
.... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set
.... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
.... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set
.... .... .... 0... .... .... .... .... = Negotiate NTLM2 key: Not set
.... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set
.... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set
.... .... .... ...1 .... .... .... .... = Negotiate Challenge Init Response: Set
.... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
.... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set
.... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set
.... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set
.... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set
.... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
.... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
.... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set
.... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
.... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set
.... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
.... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
.... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
.... .... .... .... .... .... .... .1.. = Request Target: Set
.... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
.... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
5. Client --> Server
GET / HTTP/1.1
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYA...
TYPE 3 NTLM Message:
  0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00   --- NTLMSSP
  0x03 0x00 0x00 0x00                       --- Type 3
  0x18 0x00 0x18 0x00 0x84 0x00 0x00 0x00   --- LM Response -- Length: 24 -- Maxlen: 24 -- Offset: 132
  0x18 0x00 0x18 0x00 0x9c 0x00 0x00 0x00   --- NTLM Response -- Length: 24 -- Maxlen: 24 -- Offset: 156
  0x2e 0x00 0x2e 0x00 0x40 0x00 0x00 0x00   --- Domain Name -- Length: 46 -- Maxlen: 46 -- Offset: 64
  0x0a 0x00 0x0a 0x00 0x6e 0x00 0x00 0x00   --- User Name -- Length: 10 -- Maxlen: 10 -- Offset: 110
  0x0c 0x00 0x0c 0x00 0x78 0x00 0x00 0x00   --- Workstation/Host Name -- Length: 12 -- Maxlen: 12 -- Offset: 120
  0x00 0x00 0x00 0x00 0xb4 0x00 0x00 0x00   --- Session Key -- Length: 0 -- Maxlen: 0 -- Offset: 180
  0x05 0x82 0x80 0xa0                       --- Flags
  ( --- start of data block
     Domain Name: develop.mycompany.com
     User Name: james
     Host Name: HOST01
     LM Response: 0x6F3033F7D69A37F62FC5C91A0D2DAC34366E8D213A6E705D
     NTLM Response: 0x2AA9839F594E32381BBEA990920E441FBA30946EF3B7DFDE )
6. Client <-- Server
or, if failed,
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="mydomain.com"
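To make the three tokens above inspectable without a packet dissector, here is an added Python example (my own code, not from the original post). It parses the fixed header of NTLMSSP Type 1/2/3 messages, bounds-checks every Len/MaxLen/Offset security buffer, and names the NegotiateFlags with their MS-NLMP names rather than the Wireshark-style labels in the dumps. The Type 1 token is the complete one from step 3; TYPE2_HEADER and TYPE3_HEADER are reconstructed from the hex dumps and contain only the fixed header (plus, for Type 2, the eight bytes that follow it), so their payload buffers intentionally point past the end of the data and the parser must report that rather than slice blindly. The classification helper is the check a defender wants from such a capture: the Type 1 negotiates neither signing nor sealing, and the Type 3 carries 24-byte LM and NTLM responses with the extended-session-security flag clear, which is an NTLMv1 exchange.

```python
"""Parse NTLMSSP tokens from an HTTP NTLM/Negotiate exchange (added example)."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
MIN_LEN = {1: 32, 2: 48, 3: 64}          # size of each message's fixed header
EXTENDED_SESSION_SECURITY = 0x00080000   # "NTLM2 key" in the dumps above
NEGOTIATE_VERSION = 0x02000000

# MS-NLMP NegotiateFlags (subset): bit -> name
FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM", 0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    EXTENDED_SESSION_SECURITY: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO", NEGOTIATE_VERSION: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def security_buffer(data, pos):
    """Read a Len/MaxLen/Offset triple and note whether its payload lies inside data."""
    length, maxlen, offset = struct.unpack_from("<HHI", data, pos)
    return {"len": length, "maxlen": maxlen, "offset": offset,
            "in_bounds": offset + length <= len(data)}


def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def parse(token):
    """token: raw bytes, or the base64 text after 'Negotiate ' / 'NTLM ' in the header."""
    data = base64.b64decode(token) if isinstance(token, str) else token
    if len(data) < 12 or data[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type not in MIN_LEN:
        raise ValueError(f"unknown NTLMSSP message type {msg_type}")
    if len(data) < MIN_LEN[msg_type]:
        raise ValueError(f"type {msg_type} header truncated: {len(data)} bytes")
    msg = {"type": msg_type}
    if msg_type == 1:    # NEGOTIATE: flags, then domain and workstation buffers
        msg["flags"] = struct.unpack_from("<I", data, 12)[0]
        msg["domain"] = security_buffer(data, 16)
        msg["workstation"] = security_buffer(data, 24)
    elif msg_type == 2:  # CHALLENGE: target name, flags, challenge, reserved, target info
        msg["target_name"] = security_buffer(data, 12)
        msg["flags"] = struct.unpack_from("<I", data, 20)[0]
        msg["challenge"] = data[24:32]
        msg["target_info"] = security_buffer(data, 40)
        if msg["flags"] & NEGOTIATE_VERSION and len(data) >= 56:
            major, minor, build = struct.unpack_from("<BBH", data, 48)
            msg["version"] = (major, minor, build)
    else:                # AUTHENTICATE: six buffers, then flags
        for i, name in enumerate(["lm_response", "ntlm_response", "domain",
                                  "user", "workstation", "session_key"]):
            msg[name] = security_buffer(data, 12 + 8 * i)
        msg["flags"] = struct.unpack_from("<I", data, 60)[0]
    msg["flag_names"] = flag_names(msg["flags"])
    return msg


def classify_type3(msg):
    """NTLMv2 responses exceed 24 bytes; a 24-byte NtChallengeResponse is
    NTLMv1, or NTLMv1 with extended session security when that flag is set."""
    if msg["ntlm_response"]["len"] > 24:
        return "NTLMv2"
    if msg["flags"] & EXTENDED_SESSION_SECURITY:
        return "NTLMv1 with extended session security"
    return "NTLMv1"


# Complete Type 1 token from step 3 of the exchange above.
TYPE1_B64 = "TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA="

# Constructed from the Type 2 hex dump: fixed header plus the next 8 bytes shown.
TYPE2_HEADER = bytes.fromhex(
    "4e544c4d53535000" "02000000"  # NTLMSSP\0, Type 2
    "0400040038000000"             # TargetName: len 4, maxlen 4, offset 56
    "058281a2"                     # NegotiateFlags = 0xa2818205
    "d93ff50e0d82931a"             # ServerChallenge
    "0000000000000000"             # Reserved
    "cc00cc003c000000"             # TargetInfo: len 204, maxlen 204, offset 60
    "0502ce0e0000000f"             # 8 bytes following the header in the dump
)

# Constructed from the Type 3 hex dump: fixed header only, payload omitted.
TYPE3_HEADER = bytes.fromhex(
    "4e544c4d53535000" "03000000"  # NTLMSSP\0, Type 3
    "1800180084000000"             # LmChallengeResponse: len 24, offset 132
    "180018009c000000"             # NtChallengeResponse: len 24, offset 156
    "2e002e0040000000"             # DomainName: len 46, offset 64
    "0a000a006e000000"             # UserName: len 10, offset 110
    "0c000c0078000000"             # Workstation: len 12, offset 120
    "00000000b4000000"             # EncryptedRandomSessionKey: len 0, offset 180
    "058280a0"                     # NegotiateFlags = 0xa0808205
)

if __name__ == "__main__":
    for tok in (TYPE1_B64, TYPE2_HEADER, TYPE3_HEADER):
        m = parse(tok)
        print(f"Type {m['type']} flags=0x{m['flags']:08x}: {', '.join(m['flag_names'])}")
    print("Type 3 response family:", classify_type3(parse(TYPE3_HEADER)))
```

Running it prints the flag names for each token and reports the Type 3 as NTLMv1. On a full capture you would feed `parse()` the base64 text of each `Authorization`/`WWW-Authenticate` header; for the reconstructed headers here, every buffer's `in_bounds` is False because the payload is not on the page, which is exactly the condition a parser must tolerate when a token is cut short.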
Client Settings to Trigger NTLM or Negotiate |
If your client applications (most likely the Internet browser for HTTP) are not set properly, the NTLM or Negotiate authentication mechanism may not be triggered. There are two major factors:

1) Method: specify which authentication mechanism you are expecting. To configure Internet Explorer to initiate the NTLM or Negotiate authentication mechanism with your website, go to Tools > Internet Options > Security > Local intranet > Custom Level > User Authentication. Select "Automatic logon only in Intranet zone".

2) Target: specify which sites are going to be considered part of the zone that will use the mechanism you just defined. For the browser to initiate an authentication mechanism other than Basic, the website must be in the "Local Intranet" zone. Internet Explorer may detect this automatically, but it may be necessary to explicitly add your site to the list of trusted Intranet sites.

To configure Internet Explorer to initiate the NTLM or Negotiate authentication mechanism with your website, go to Tools > Internet Options > Security > Local intranet > Sites > Advanced. Add the target site (or a wildcard expression that matches the target site) to this list. Some example values for this list are:
  http://www.example.com -- Trust one specific site for SSO
  www.example.com -- Trust the specific site using either HTTP or HTTPS
  *.example.com -- Trust all sites under the example.com domain
Client Settings to Trigger SSO |
The above configuration is sufficient to perform NTLM authentication but, by itself, it is probably not sufficient to perform SSO. SSO is when the client's browser automatically authenticates the user without asking for credentials again. There are several conditions required for SSO to occur:
1. The user must be logged into the workstation using their domain credentials.
2. The browser must support NTLM HTTP authentication.
3. The URL used to visit the site must be a fully qualified DNS hostname. A NetBIOS name, the special "localhost" name or an IP address may not work as expected.
Client Bulk Settings -- Adding Trusted Sites using Group Policy Objects (GPO) |
A Group Policy Object (GPO) can be used to add your website to the trusted intranet zones of all IE clients in a domain. Otherwise, it will be necessary to modify each client's security settings manually.
To add trusted sites using a GPO, launch Active Directory Users and Computers (ADUC), right-click on the domain the clients are in, select Properties > Group Policy > New, type in a name for the GPO (like "IE Security Settings") and then select Edit > User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings. Select Import the current security zones and privacy settings > Modify Settings > Trusted Sites > Sites and add your server's websites just as you would on a client. Then wait for the policy to propagate throughout the whole domain.