Answering my own question as a follow-up, as I was not satisfied with some of the answers and/or what I could find during an extensive search.
After a lot of research into Exchange servers, how they authenticate, and which protocols they support and use, I found what I consider the best option: NTLM.
Now let me explain.
The goals I was trying to achieve were the following:
- Authentication on Exchange 2007+
- For authentication to be a "one-time setup" through the initial process
- Never store clear-text passwords (especially in the central data store of the platform/service)
Given these, some comments:
- I could not use "Basic" auth, since I would have to store the user's password in clear text in a central data store
- OAuth does not work, because it is only supported on Exchange 2013+
With this, I was really left with only NTLM. Unfortunately, I know that NTLM has a rough history of security flaws over its long legacy, but I went into it more deeply to understand how well it could satisfy my requirements.
Unfortunately, NTLM has been kept a bit "secret" for a long time in terms of specification. It is a proprietary specification, so information about its internals is, unfortunately, rather scarce. Over time, the only real source of specification information regarding NTLM was actually information that was reverse engineered (thanks to Eric Glass!). Fortunately, Microsoft has recently begun publishing NTLM documentation on its MSDN website.
Looking through the protocol quite a bit, and after running some tests on the Exchange test server in many different configuration permutations, I realized that NTLM would meet all my requirements. How? Well, thanks to the way the protocol works, once the credentials are hashed (in one of the 3 ways the specification allows [LM, NTv1, NTv2]), you do not have to hash them again for the same purpose. This means that, much like hashing a user password for a typical login mechanism, you can simply request the Exchange/NTLM credentials up front and then hash the credentials once.
Attention!!! There's a catch!
Keep in mind that the ability to hash credentials once and use them multiple times means that the hash is the "equivalent of a password." What I mean is that the hash can be used as a password as soon as it is known, since it is one of the only pieces of information needed for authentication in the future. (This is commonly known as "pass-the-hash".)
However, given the alternative of storing the password in clear text, this is still much better. Why? Because, at least, you do not store raw credentials that can be used in any other authentication scheme, or leak a password that may be reused in other environments (yes, unfortunately, people really do that).
Given this knowledge, great care must still be taken when storing these hashed credentials. Finally, if you can use another, stronger authentication scheme, use it.
Thus, because of the way the NTLM protocol works, it meets the requirements:
- Authentication on Exchange 2007+
  - NTLM is available on all Exchange 2007+ servers
- For authentication to be a one-time setup through the initial process
  - Credentials and targets need to be entered only once, because after the initial connection with the server you will find out whether the auth scheme works. (This, of course, does not take into account that the remote Exchange server configuration can be changed at any time, so proper error handling must still be implemented.)
- Never store clear-text passwords (especially in the central data store of the platform/service)
  - Hashed credentials are saved. However, great caution should be exercised when using the double encryption method, due to the "catch" explained in the note above.
Anyway, I hope someone else finds this at some point, so they don't need to do as much reading and experimenting with the specification as I had to.
Also, for what it's worth, since I noticed that open-source NTLM implementations are not only rare but also most often half finished, my team has open-sourced our NTLM implementation in PHP. It is available on GitHub.