NTLM authentication for server-side application

A Windows-based application written in C++ (mainly an HTTP/1.1 proxy server) listens for requests from different users. Currently, it can send a 407 Basic challenge and process the response from the headers. I know that I have to change the challenge headers so that client browsers make an NTLM-based response for authentication purposes. But my question is: how can I create the correct markers, nonce, etc. for the 407 authentication challenge, and then how do I check the correctness of the answers received? Finally, I would like to write down the username and other LDAP/ADS properties, if possible.

Please be kind and redirect me to the correct posts if there are already any topics that discuss something like that. Most of the research on the WWW leads me only to client programming, with very little, or almost nothing, on the coding that should be done on an HTTP server.

All of you wonderful hacks here, BIG thanks in advance.

+4
5 answers

Short answer: I think that "Using SSPI with Windows Sockets Server" is your best starting place, and it should demonstrate the basic SSPI challenges you need. It is written for a simple TCP server, but the call/response data can be sent via HTTP without too much difficulty.

[MS-N2HT]: Negotiation Protocol and Nego2 HTTP

I second the recommendation of the mod_auth_sspi code for Apache.

Personally, I would also like to try connecting a low-level debugger to IIS and see how it goes about calling SSPI functions, but it might not be your cup of tea.

Once you get to SSPI, getting a username should be a piece of cake (but ask if you need help). User LDAP/AD properties can be requested using these APIs.

The long answer implies a small read:

Integrated Windows Authentication on Wikipedia

Kerberos and NTLM HTTP authentication based on SPNEGO in Microsoft Windows

HTTP cross-platform authentication through negotiation protocol (part 1 of 3)

Part 3 also has some interesting code examples.

Hope this helps!

+7

Here is the code in httpauth that can help you. It uses smbval code to parse NTLM messages 1 and 3. See: http://memberwebs.com/stef/software/httpauth/

+2

You can find inspiration by looking at the mod_auth_sspi Apache module

+1

After some struggle, I managed to get this far: on my proxy server, I can challenge clients for Basic / NTLM authentication. When the user performs a "basic" response, I can verify the credentials using SSPI. This documentation helped: http://support.microsoft.com/kb/180548

However, I just can't get the call and answers working for NTLM. Basically, I can tickle a client into selecting an NTLM-based authentication system on the 407 Proxy-Authenticate, which basically requires 3 messages. The first message should be an NTLM-based request sent by the client, the second should be a call from my server, and the third message will be from the client. Now the problem is: how do I generate an NTLM call and then decrypt or evaluate the NTLM authorization, i.e. message 3?

And many thanks to Marsh and other good hacks for all the efforts you made to respond. I can only hope that you will want to share some more.

+1
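The three-message exchange described in the post above requires the proxy to tell message 1 from message 3 in the client's `Proxy-Authorization` header before it can act on either. As an added example (not code from this thread or from any project it links), the portable C++ below base64-decodes the token and checks the NTLM header: the 8-byte `NTLMSSP\0` signature followed by a little-endian 32-bit message type. The names `AuthStep`, `b64decode` and `classify` are chosen here for illustration; the decoded bytes are what a server would then hand to SSPI.

```cpp
// Added example: classify a Proxy-Authorization value in the NTLM handshake.
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

enum class AuthStep { Basic, NtlmNegotiate, NtlmAuthenticate, Invalid };

// Strict base64 decode; false on bad length, bad character or misplaced '='.
static bool b64decode(const std::string& in, std::vector<uint8_t>& out) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (in.empty() || in.size() % 4 != 0) return false;
    for (size_t i = 0; i < in.size(); i += 4) {
        uint32_t acc = 0;
        int pad = 0;
        for (size_t j = 0; j < 4; ++j) {
            const char c = in[i + j];
            acc <<= 6;
            // '=' is legal only as the last one or two characters of the input.
            if (c == '=' && i + 4 == in.size() && j >= 2) { ++pad; continue; }
            const size_t v = tbl.find(c);
            if (v == std::string::npos || pad) return false;
            acc |= static_cast<uint32_t>(v);
        }
        out.push_back(static_cast<uint8_t>(acc >> 16));
        if (pad < 2) out.push_back(static_cast<uint8_t>(acc >> 8));
        if (pad < 1) out.push_back(static_cast<uint8_t>(acc));
    }
    return true;
}

// Assumes the scheme token is spelled exactly "Basic" or "NTLM" (constructed
// simplification; HTTP scheme names are case-insensitive).
AuthStep classify(const std::string& value) {
    if (value.rfind("Basic ", 0) == 0) return AuthStep::Basic;
    if (value.rfind("NTLM ", 0) != 0) return AuthStep::Invalid;
    std::vector<uint8_t> tok;
    static const uint8_t sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    if (!b64decode(value.substr(5), tok) || tok.size() < 12 ||
        !std::equal(sig, sig + 8, tok.begin()))
        return AuthStep::Invalid;
    const uint32_t type = tok[8] | (tok[9] << 8) | (tok[10] << 16) |
                          (static_cast<uint32_t>(tok[11]) << 24);
    if (type == 1) return AuthStep::NtlmNegotiate;     // message 1
    if (type == 3) return AuthStep::NtlmAuthenticate;  // message 3
    return AuthStep::Invalid;  // e.g. type 2, which only the server sends
}
```

Rejecting anything other than type 1 or type 3 at this point keeps malformed or out-of-sequence tokens away from the authentication code that follows.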

This is a Java implementation that you may find useful:

http://www.luigidragone.com/networking/ntlm.html

And, more useful, this is an attempt to document the undocumented NTLM scheme:

http://www.innovation.ch/personal/ronald/ntlm.html

0
