Forum: Single Sign-On (SSO) » NTLM HTTP Authentication

authen (member, San Diego, CA; 56 posts, joined 06/05/2006)
posted on: 06/08/2006 01:14:44 AM
NTLM HTTP Authentication
Here is a practical NTLM authentication example via HTTP

Client: MS Internet Explorer 6.0
Server: MS IIS v6

1. Client --> Server
             GET / HTTP/1.1



2. Client <-- Server
          HTTP/1.1 401 Unauthorized
          WWW-Authenticate: Negotiate
          WWW-Authenticate: NTLM
          WWW-Authenticate: Basic realm="mydomain.com"



3. Client --> Server

          GET / HTTP/1.1
          Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=


TYPE 1 NTLM Message:
0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 --- NTLMSSP
0x01 0x00 0x00 0x00 --- Type 1
0x07 0x82 0x00 0xa0 --- Flags
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 --- workstation domain
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 --- workstation name
0x00 --- data block
            Flags: 0xa0008207
                1... .... .... .... .... .... .... .... = Negotiate 56: Set
                .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                .... ..0. .... .... .... .... .... .... = Negotiate 0x02000000: Not set
                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                .... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
                .... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set
                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                .... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set
                .... .... .... 0... .... .... .... .... = Negotiate NTLM2 key: Not set
                .... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set
                .... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set
                .... .... .... ...0 .... .... .... .... = Negotiate Challenge Init Response: Not set
                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                .... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set
                .... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set
                .... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set
                .... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set
                .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                .... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set
                .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                .... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set
                .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                .... .... .... .... .... .... .... .1.. = Request Target: Set
                .... .... .... .... .... .... .... ..1. = Negotiate OEM: Set
                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set



4. Client <-- Server
          HTTP/1.1 401 Unauthorized
          Content-Length: 1539
          Content-Type: text/html
          WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABAAE...


TYPE 2 NTLM Message:
0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 --- NTLMSSP
0x02 0x00 0x00 0x00 --- Type 2
0x04 0x00 0x04 0x00 0x38 0x00 0x00 0x00 --- Target Name
-- Length: 4
-- Maxlen: 4
-- Offset: 56
0x05 0x82 0x81 0xa2 --- Flags
0xd9 0x3f 0xf5 0x0e 0x0d 0x82 0x93 0x1a --- NTLM Challenge
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 --- Context (Reserved)
0xcc 0x00 0xcc 0x00 0x3c 0x00 0x00 0x00 --- Target Information
-- Length: 204
-- Maxlen: 204
-- Offset: 60
0x05 0x02 0xce 0x0e 0x00 0x00 0x00 0x0f --- start of data block
(Target Domain NetBIOS Name)
(Target Information Address List:
Domain NetBIOS Name: SALES
Server NetBIOS Name: MY_IIS_SERVER
Domain DNS Name: sales.mycompany.com
Server DNS Name: my_iis_server.sales.mycompany.com
0x00 0x00 0x00 0x00 --- List Terminator
)

            Flags: 0xa2818205
                1... .... .... .... .... .... .... .... = Negotiate 56: Set
                .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set
                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                .... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set
                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set
                .... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set
                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                .... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set
                .... .... .... 0... .... .... .... .... = Negotiate NTLM2 key: Not set
                .... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set
                .... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set
                .... .... .... ...1 .... .... .... .... = Negotiate Challenge Init Response: Set
                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                .... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set
                .... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set
                .... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set
                .... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set
                .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set
                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                .... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set
                .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set
                .... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set
                .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set
                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                .... .... .... .... .... .... .... .1.. = Request Target: Set
                .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set
                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set



5. Client --> Server
          GET / HTTP/1.1
          Authorization: Negotiate TlRMTVNTUAADAAAAGAAYA...


TYPE 3 NTLM Message:
0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 --- NTLMSSP
0x03 0x00 0x00 0x00 --- Type 3
0x18 0x00 0x18 0x00 0x84 0x00 0x00 0x00 --- LM Response
-- Length: 24
-- Maxlen: 24
-- Offset: 132
0x18 0x00 0x18 0x00 0x9c 0x00 0x00 0x00 --- NTLM Response
-- Length: 24
-- Maxlen: 24
-- Offset: 156
0x2e 0x00 0x2e 0x00 0x40 0x00 0x00 0x00 --- Domain Name
-- Length: 46
-- Maxlen: 46
-- Offset: 64
0x0a 0x00 0x0a 0x00 0x6e 0x00 0x00 0x00 --- User Name
-- Length: 10
-- Maxlen: 10
-- Offset: 110
0x0c 0x00 0x0c 0x00 0x78 0x00 0x00 0x00 --- Workstation/Host Name
-- Length: 12
-- Maxlen: 12
-- Offset: 120
0x00 0x00 0x00 0x00 0xb4 0x00 0x00 0x00 --- Session Key
-- Length: 0
-- Maxlen: 0
-- Offset: 180
0x05 0x82 0x80 0xa0 --- Flags
( --- start of data block
Domain Name: develop.mycompany.com
User Name: james
Host Name: HOST01
LM Response: 0x6F3033F7D69A37F62FC5C91A0D2DAC34366E8D213A6E705D
NTLM Response: 0x2AA9839F594E32381BBEA990920E441FBA30946EF3B7DFDE
)


6. Client <-- Server
          HTTP/1.1 200 OK


or, if failed,
          HTTP/1.1 401 Unauthorized
          WWW-Authenticate: Negotiate
          WWW-Authenticate: NTLM
          WWW-Authenticate: Basic realm="mydomain.com"
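The three NTLMSSP messages above can be pulled apart (and rebuilt) with the small decoder below. It is an added example, not code from the post: the Type 1 token is the post's own base64 string, while the Type 2 and Type 3 messages are reconstructed from the field values the post lists (challenge bytes, target-info names, domain/user/host, LM and NTLM responses), so their exact bytes are an assumption. Note that IE sends the raw NTLMSSP token under the `Negotiate` scheme here without an SPNEGO wrapper, so the decoder only needs the `NTLMSSP\0` signature. Running it shows the security-relevant point the raw flag dump hides: the Type 1 flags decode to 0xa0008207 with `EXTENDED_SESSIONSECURITY` (the dissector's "NTLM2 key") not set, and the Type 3 carries 24-byte LM and NTLM responses to an 8-byte server challenge, i.e. a plain NTLMv1 exchange, which should be treated as weakly protected credential material.

```python
"""Decode and rebuild the NTLMSSP messages carried in HTTP Negotiate/NTLM headers.
Added example, not the post's code; Type 2/3 are reconstructed from the post's listed fields."""
import base64, struct

SIGNATURE = b"NTLMSSP\x00"
# NegotiateFlags bits (MS-NLMP 2.2.2.5); the post's dissector labels 0x00080000 "NTLM2 key"
FLAG_NAMES = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY", 0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN", 0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO", 0x02000000: "VERSION",
    0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}
# AV_PAIR ids in the Type 2 TargetInfo list (MS-NLMP 2.2.2.1); id 0 = MsvAvEOL terminator
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName", 5: "DnsTreeName"}
AV_IDS = {v: k for k, v in AV_NAMES.items()}
u16 = lambda s: s.encode("utf-16-le")

def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def _field(buf, off):
    """Follow a security buffer (Len, MaxLen, Offset) to the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length]

def _layout(payloads, header_len):
    """One (Len, MaxLen, Offset) descriptor per payload, packed back to back after the header."""
    descs, data = [], b""
    for p in payloads:
        descs.append(struct.pack("<HHI", len(p), len(p), header_len + len(data)))
        data += p
    return descs, data

def classify_nt_response(nt_resp, flags):
    """24-byte response = NTLMv1 family (NTLM2 session if ESS flag set); longer = NTLMv2 (NTProofStr + blob)."""
    return "NTLMv2" if len(nt_resp) > 24 else ("NTLM2 session response" if flags & 0x00080000 else "NTLMv1")

def parse_ntlmssp(token_b64):
    """Parse the base64 token from an Authorization / WWW-Authenticate header."""
    buf = base64.b64decode(token_b64)
    if buf[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    (msg_type,) = struct.unpack_from("<I", buf, 8)
    if msg_type == 1:
        (flags,) = struct.unpack_from("<I", buf, 12)
        return {"type": 1, "flags": flags, "flag_names": flag_names(flags)}
    if msg_type == 2:
        (flags,) = struct.unpack_from("<I", buf, 20)
        msg = {"type": 2, "flags": flags, "flag_names": flag_names(flags),
               "target_name": _field(buf, 12).decode("utf-16-le"),
               "server_challenge": buf[24:32].hex(), "target_info": {}}
        if flags & 0x00800000:  # TARGET_INFO present: walk the AV_PAIR list until MsvAvEOL
            info, pos = _field(buf, 40), 0
            while True:
                av_id, av_len = struct.unpack_from("<HH", info, pos)
                pos += 4
                if av_id == 0:
                    break
                value = info[pos:pos + av_len]
                msg["target_info"][AV_NAMES.get(av_id, av_id)] = (
                    value.decode("utf-16-le") if av_id in AV_NAMES else value.hex())
                pos += av_len
        return msg
    if msg_type == 3:
        (flags,) = struct.unpack_from("<I", buf, 60)
        enc = "utf-16-le" if flags & 0x1 else "cp437"
        nt_resp = _field(buf, 20)
        return {"type": 3, "flags": flags, "flag_names": flag_names(flags),
                "lm_response": _field(buf, 12).hex(), "nt_response": nt_resp.hex(),
                "domain": _field(buf, 28).decode(enc), "user": _field(buf, 36).decode(enc),
                "workstation": _field(buf, 44).decode(enc), "session_key": _field(buf, 52).hex(),
                "scheme": classify_nt_response(nt_resp, flags)}
    raise ValueError("unknown NTLMSSP message type %d" % msg_type)

def build_type2(target_name, flags, challenge, target_info, version=bytes.fromhex("0502ce0e0000000f")):
    """Server CHALLENGE_MESSAGE: 56-byte fixed header (Version included) followed by the payloads."""
    info = b"".join(struct.pack("<HH", AV_IDS[k], len(u16(v))) + u16(v)
                    for k, v in target_info.items()) + struct.pack("<HH", 0, 0)
    (tn, ti), data = _layout([u16(target_name), info], 56)
    return (SIGNATURE + struct.pack("<I", 2) + tn + struct.pack("<I", flags)
            + challenge + bytes(8) + ti + version + data)

def build_type3(domain, user, host, lm_resp, nt_resp, flags):
    """Client AUTHENTICATE_MESSAGE: 64-byte header; strings laid out before the responses, as in the post."""
    (d, u, h, lm, nt, sk), data = _layout([u16(domain), u16(user), u16(host), lm_resp, nt_resp, b""], 64)
    return SIGNATURE + struct.pack("<I", 3) + lm + nt + d + u + h + sk + struct.pack("<I", flags) + data

# The post's Type 1 token verbatim; Type 2/3 reconstructed (assumed bytes) from the field values it lists
TYPE1_B64 = "TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA="
TYPE2_B64 = base64.b64encode(build_type2(
    "SALES", 0xA2818205, bytes.fromhex("d93ff50e0d82931a"),
    {"NbDomainName": "SALES", "NbComputerName": "MY_IIS_SERVER",
     "DnsDomainName": "sales.mycompany.com", "DnsComputerName": "my_iis_server.sales.mycompany.com"})).decode()
TYPE3_B64 = base64.b64encode(build_type3(
    "develop.mycompany.com", "james", "HOST01",
    bytes.fromhex("6F3033F7D69A37F62FC5C91A0D2DAC34366E8D213A6E705D"),
    bytes.fromhex("2AA9839F594E32381BBEA990920E441FBA30946EF3B7DFDE"), 0xA0808205)).decode()
```

`parse_ntlmssp(TYPE1_B64)` returns flags `0xa0008207` with exactly the seven bits the dump marks "Set"; `parse_ntlmssp(TYPE3_B64)["scheme"]` comes back as `NTLMv1`. The same parser works on tokens copied out of a proxy log or a `Wireshark` HTTP dump, which is the quickest way to check whether a legacy IIS site is still accepting NTLMv1.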


authen, posted on: 06/02/2010 01:36:36 PM
Client Settings to Trigger NTLM or Negotiate
If your client applications (most likely the Internet browser for HTTP) are not set properly, the NTLM or Negotiate authentication mechanism may not be triggered and fired. Here are two major factors:

1) Method: Specify which authentication mechanism you are expecting
To configure Internet Explorer to initiate the NTLM or Negotiate authentication mechanism with your website, go to Tools > Internet Options > Security > Local intranet > Custom Level > User Authentication. Select "Automatic logon only in Intranet zone".

2) Target: Specify which sites are going to be considered as the zone which will use the mechanism you just defined
For the browser to initiate an authentication mechanism other than Basic, the website must be in the "Local intranet" zone. Internet Explorer may detect this automatically, but it may be necessary to explicitly add your site to the list of trusted intranet sites.

To configure Internet Explorer to initiate the NTLM or Negotiate authentication mechanism with your website, go to Tools > Internet Options > Security > Local intranet > Sites > Advanced. Add the target site (or a wildcard expression that matches the target site) to this list. Some examples of values for this list are:
  • http://www.example.com -- Trust one specific site for SSO

  • www.example.com -- Trust the specific site using either HTTP or HTTPS.

  • *.example.com -- Trust all sites under the example.com domain.
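The two client-side factors this post describes can be checked without clicking through the dialogs. The model below is an added example, not the poster's code: it mirrors how the "Sites" list is stored under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains` (a `Domains\example.com\www` subkey for a specific host, a value directly under `Domains\example.com` for `*.example.com`, with the value name being the scheme or `*`) and how the per-zone `1A00` "Logon" DWORD under `Zones\<id>` encodes the User Authentication setting (0x00000000 automatic, 0x00010000 prompt, 0x00020000 automatic only in Intranet zone, 0x00030000 anonymous). It is a deliberate simplification of IE's real URL-to-zone logic: the registrable domain is taken as the last two labels, dotless hostnames default to Local intranet, and proxy-bypass lists and UNC paths are ignored. The sample zone map and policy table are constructed for the example.

```python
"""Model of how Internet Explorer picks a security zone for a URL and whether it logs on silently.
Added example, not from the post; simplified ZoneMap\\Domains layout plus the per-zone 1A00 Logon value."""
from urllib.parse import urlsplit

# Zone ids as stored under HKCU\...\Internet Settings\Zones\<id>
MY_COMPUTER, LOCAL_INTRANET, TRUSTED_SITES, INTERNET, RESTRICTED = 0, 1, 2, 3, 4

# Data of the 1A00 "Logon" DWORD under Zones\<id> (the User Authentication setting)
LOGON_AUTO = 0x00000000                # Automatic logon with current user name and password
LOGON_PROMPT = 0x00010000              # Prompt for user name and password
LOGON_AUTO_INTRANET_ONLY = 0x00020000  # Automatic logon only in Intranet zone (the post's setting)
LOGON_ANONYMOUS = 0x00030000           # Anonymous logon


def add_site(zone_map, pattern, zone):
    """Store a 'Sites' dialog entry the way ZoneMap\\Domains does:
    'http://www.example.com' -> Domains\\example.com\\www  value 'http' = zone
    'www.example.com'        -> Domains\\example.com\\www  value '*'    = zone  (both schemes)
    '*.example.com'          -> Domains\\example.com       value '*'    = zone  (whole domain)
    Assumption: the registrable domain is the last two labels of the pattern."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        scheme, rest = "*", pattern
    labels = rest.lower().split(".")
    if labels[0] == "*":
        domain, host = ".".join(labels[1:]), None
    else:
        domain, host = ".".join(labels[-2:]), ".".join(labels[:-2]) or None
    zone_map.setdefault(domain, {}).setdefault(host, {})[scheme] = zone


def zone_for_url(zone_map, url):
    """An explicit ZoneMap entry wins (host entry before domain wildcard, exact scheme before '*');
    otherwise dotless names fall into Local intranet and everything else into Internet."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    labels = host.split(".")
    if len(labels) >= 2:
        domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2]) or None
        for key in ([sub] if sub else []) + [None]:
            values = zone_map.get(domain, {}).get(key, {})
            for s in (scheme, "*"):
                if s in values:
                    return values[s]
    return LOCAL_INTRANET if host and "." not in host else INTERNET


def logs_on_silently(zone, logon_policy):
    """Apply the zone's 1A00 value: credentials go out without a prompt under LOGON_AUTO,
    or under LOGON_AUTO_INTRANET_ONLY when the URL landed in the Local intranet zone."""
    policy = logon_policy.get(zone, LOGON_AUTO_INTRANET_ONLY)
    if policy == LOGON_AUTO:
        return True
    if policy == LOGON_AUTO_INTRANET_ONLY:
        return zone == LOCAL_INTRANET
    return False


# Constructed configuration: the post's three pattern forms, one entry each
ZONE_MAP = {}
add_site(ZONE_MAP, "http://www.example.com", LOCAL_INTRANET)   # HTTP only
add_site(ZONE_MAP, "intranet.example.org", LOCAL_INTRANET)      # HTTP and HTTPS
add_site(ZONE_MAP, "*.mycompany.com", LOCAL_INTRANET)           # whole domain
LOGON_POLICY = {LOCAL_INTRANET: LOGON_AUTO_INTRANET_ONLY, INTERNET: LOGON_AUTO_INTRANET_ONLY}


def check(url, zone_map=ZONE_MAP, logon_policy=LOGON_POLICY):
    """Return (zone id, whether IE will send NTLM/Negotiate credentials without prompting)."""
    zone = zone_for_url(zone_map, url)
    return zone, logs_on_silently(zone, logon_policy)


if __name__ == "__main__":
    for u in ("http://www.example.com/", "https://www.example.com/",
              "https://my_iis_server.sales.mycompany.com/", "http://my_iis_server/",
              "http://10.0.0.5/", "http://www.contoso.com/"):
        print(u, check(u))
```

The HTTPS case is the one that bites in practice: `check("https://www.example.com/")` lands in the Internet zone because the entry was added as `http://www.example.com`, so with the post's "Automatic logon only in Intranet zone" setting the browser falls back to a credential prompt rather than silent NTLM. Landing in the intranet zone is necessary for silent logon but not sufficient for SSO; the conditions in the following post still apply.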



authen, posted on: 06/02/2010 01:44:24 PM
Client Settings to Trigger SSO
The above configuration is sufficient to perform NTLM authentication but, by itself, it is probably not sufficient to perform SSO. SSO is when the client's browser automatically authenticates the user without asking for credentials again. There are several conditions required for SSO to occur:

1. The user must be logged into the workstation using their domain credentials.

2. The browser must support NTLM HTTP authentication.

3. The URL used to visit the site must be a fully qualified DNS hostname. A NetBIOS name, the special "localhost" name or an IP address may not work as expected.


authen, posted on: 06/02/2010 06:21:54 PM
Client Bulk Settings -- Adding Trusted Sites using Group Policy Objects (GPO)

A Group Policy Object (GPO) can be used to add your website to the trusted intranet zones of all IE clients in a domain. Otherwise, it will be necessary to modify each client's security settings manually.

To add trusted sites using a GPO, launch Active Directory Users and Computers (ADUC), right click on the domain the clients are in, select Properties > Group Policy > New, type in a name for the GPO (like "IE Security Settings") and then select Edit > User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings. Select Import the current security zones and privacy settings > Modify Settings > Trusted Sites > Sites and add your server's websites just as you would on a client. Then wait for the policy to propagate throughout the whole domain.
