Geek Answers Handbook

How to test HTTP client using NTLM authentication?

I have code that works as an HTTP client that supports basic authentication as well as NTLM authentication. I can easily test this basic authentication by requiring the username / password to access the file in .htaccess on the Apache server. But how can I test NTLM authentication apart from installing IIS? Are there any public HTTP servers that accept NTLM authentication?

+4
source share
2 answers

As you already understood, since NTLM is a proprietary authentication protocol (which does not have official public documentation provided by Microsoft), you will either have to test the actual IIS server running on Windows, or you can try and mock the authentication scheme using the data obtained from documentation, for example:

NTLM Authentication System for HTTP

You will not find many public HTTP servers (if any) on the Internet with which you can test. NTLM authentication is typically deployed for corporate use, for example, for Active Directory authentication, and is most often locked behind corporate VPNs.

I would bite a bullet and run a Windows instance (Microsoft allowed you to download a large number of 120-day trial versions of Windows 2008, etc.) in a virtual machine and test them.

+3
source

I searched the same question ("how to configure nmlm proxy dummy server") and found this. So here is my solution on how to configure NTLM authentication forwarding for a proxy server, without using Microsoft's IIS server. Instead, we will use Apache httpd.exe

  • Download the Apache Apache 2.4.29 HTTP Server. I used 32 bit version (VC14) binaries from ApacheHaus
  • Download the appropriate Mod Auth NTLM module for, in my case mod_authn_ntml-1.0.8-2.4.x-x86-vc14.zip
  • Install the server and module and configure everything to start the server, and you will see the default web page when you go to your local host.

  • Now edit the conf / httpd.conf configuration file again and make the following changes:

     #Make sure to load at least the modules, and their dependencies: LoadModule headers_module modules/mod_headers.so LoadModule info_module modules/mod_info.so LoadModule ldap_module modules/mod_ldap.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule request_module modules/mod_request.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule status_module modules/mod_status.so #add the new module LoadModule auth_ntlm_module modules/mod_authn_ntlm.so

Enable proxy server. Be warned, you can open an open proxy server on the Internet ...

  ProxyVia On ProxyRequests On <Proxy "*"> AuthName "Private location" AuthType SSPI NTLMAuth On NTLMAuthoritative On <RequireAll> <RequireAny> Require valid-user #require sspi-user EMEA\group_name </RequireAny> <RequireNone> Require user "ANONYMOUS LOGON" Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG" </RequireNone> </RequireAll> </Proxy>

Or, if you just want to protect only one directory, you can copy the code from the mod_authn_ntml configuration example:

  <Location /testDirectory > AuthName "Private location for testing NTLM authentication" AuthType SSPI NTLMAuth On NTLMAuthoritative On <RequireAll> <RequireAny> Require valid-user #require sspi-user EMEA\group_name </RequireAny> <RequireNone> Require user "ANONYMOUS LOGON" Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG" </RequireNone> </RequireAll> # use this to add the authenticated username to you header # so any backend system can fetch the current user # rewrite_module needs to be loaded then RewriteEngine On RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e </Location>

  1. To capture the local loopback stream and debug what happens, you need to install Wireshark 2.4.4, and then the special driver npcap-0.97.exe loopback-capture. With this, you can sniff the traffic between your browser and your local web server.

    1. If you want to use NTLM authentication for the proxy server, you will need to follow the tips from the mod_ntlmn_auth GitHub page and set the DisableLoopbackCheck flag to the registry (see https://support.microsoft.com/en-us/kb/896861 ), otherwise In this case, all local authentication requests will fail.

    2. Configure your browser to use the local IP address as a proxy server. If everything works, the browser will send your credentials in the background.

    3. To find out what is happening, you can now check your Wireshark logs, as well as the Apache / access.log logs showing you the domain \ User that was used for authentication.

I hope someone helps to check their proxy scripts, because a lot of proxy software that I come across cannot properly handle NTLM proxies, which is important in a business environment.

0
source

More articles:


All Articles