My Windows-based application written in C++ (basically an HTTP/1.1 proxy server) listens for requests from various users. Presently it is able to send a 407 Basic Challenge, and process the response from the Headers. I know I must modify the challenge headers, so that the client browsers make an NTLM based response for the purpose of authentication. But my question is - how do I generate the correct tokens, nonce, etc. for the 407 Authentication Challenge, and then how do I validate if the received responses are correct? Finally I would like to record the client's username and other LDAP / ADS properties if possible.

Please be kind, and redirect me to the correct posts if there are already any threads that discuss something similar. Most research on the WWW leads me only to the client-side programming, very little or almost none - for the coding that must be done in the HTTP server.

All of you great hacks around here, a BIG thanks in advance.

+1  A: 

You may find inspiration by looking at the mod_auth_sspi Apache module

Éric Malenfant
+2  A: 

The short answer is that I think this code sample http://msdn.microsoft.com/en-us/library/aa380537(VS.85).aspx is your best starting place and it should demonstrate the basic SSPI calls you need. It's written for a plain TCP server, but the challenge/response data is sent over HTTP without much extra complexity.

[MS-N2HT]: Negotiate and Nego2 HTTP Authentication Protocol http://msdn.microsoft.com/en-us/library/dd303576(PROT.10).aspx

I second the recommendation of reviewing the mod_auth_sspi for Apache code: http://mod-auth-sspi.svn.sourceforge.net/viewvc/mod-auth-sspi/src/

Personally, I would also try attaching a low-level debugger to IIS and see how he goes about calling the SSPI functions, but that may not be your cup of tea.

After you've gotten that far with SSPI, obtaining the username should be a piece of cake (but ask if you need help). LDAP/AD properties for the user can be queried with those APIs.

The long answer involves a little light reading:

http://en.wikipedia.org/wiki/Integrated_Windows_Authentication

SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows http://tools.ietf.org/html/rfc4559

HTTP-Based Cross-Platform Authentication via the Negotiate Protocol (Part 1 of 3) http://msdn.microsoft.com/en-us/library/ms995329.aspx Part 3 has some interesting code samples as well.

Hope this helps!

Marsh Ray
A: 

This is a Java implementation which you might find useful:

http://www.luigidragone.com/networking/ntlm.html

And, more useful indeed, an attempt to document the undocumented NTLM scheme:

http://www.innovation.ch/personal/ronald/ntlm.html

opensas
+1  A: 

After some struggle I have managed to come this far: On my Proxy Server I can challenge clients for Basic / NTLM authentication. When the user makes a "Basic" response, I can validate the credentials using SSPI. This documentation helped: http://support.microsoft.com/kb/180548

However I am just not able to get the NTLM based challenge and responses completed. Basically I am able to "tickle" the client to select the NTLM based authentication system by 407 Proxy-Authenticate, which basically requires 3 messages. The first message has to be an NTLM based request sent by the client, the second would be a challenge from my server, and the third message would be from the client. Now the problem is "How do I generate the NTLM challenge, and then decipher or validate the NTLM authorisation, i.e. message 3?"

And a lot of thanks to Marsh and the other good hacks, for all the efforts you took to make the response. I can only hope you may be willing to share a bit more.

mdk
+1  A: 

There's code in httpauth which could help you. It uses smbval code to parse NTLM message 1 and 3. See: http://memberwebs.com/stef/software/httpauth/

Stef
httpauth might have been pretty much usable, but unfortunately the documentation is not enough. Nonetheless it looks very promising. The docs folder in it contains a protocols.txt but requires one to hack a lot! I am still playing with it, and I don't know if it really works. But if it does, it can get the guys in the squid / samba cartel to jump out of their socks! I am sure there's more people like me who wish it really works!
mdk
I checked out httpauth, for NTLM authentication for the Linux based version of my proxy server. It's a great solution to use, much better than ntlm_auth + winbind solution, and definitely much more elegant. Definitely it's kind of a solution that one would want to use alongside multi-threaded applications. Haven't yet investigated the idea of re-using parts of the codes from httpauth. Caution - httpauth doesn't inherently support proxy-authenticate headers, so proxy applications must do a bit of additional work.
mdk
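
The three-message exchange described in the answers above means the proxy must tell message 1 from message 3 in each `Proxy-Authorization: NTLM <base64>` header before it passes the token on. The following is an added example, not code from the posters or from httpauth; `NtlmToken`, `parse_proxy_ntlm` and the sample header are hypothetical names and constructed data, and the field offsets follow the published NTLM message layout.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
struct NtlmToken { uint32_t type = 0; std::string domain, user; };
// Base64-decode `in`; fails on any character outside the standard alphabet.
static bool b64decode(const std::string& in, std::vector<uint8_t>& out) {
    static const std::string abc =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0;
    for (char c : in) {
        if (c == '=') break;                      // padding ends the payload
        size_t v = abc.find(c);
        if (v == std::string::npos) return false;
        acc = (acc << 6) | static_cast<uint32_t>(v); bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back((acc >> bits) & 0xFF); }
    }
    return true;
}
// Little-endian integer of n bytes at off (caller guarantees the bounds).
static uint32_t le(const std::vector<uint8_t>& b, size_t off, int n) {
    uint32_t v = 0;
    while (n-- > 0) v = (v << 8) | b[off + n];
    return v;
}
// Copy one security buffer (len u16, maxlen u16, offset u32), bounds-checked.
static bool field(const std::vector<uint8_t>& b, size_t at, bool utf16, std::string& out) {
    size_t len = le(b, at, 2), off = le(b, at + 4, 4);
    if (off > b.size() || len > b.size() - off) return false;
    for (size_t i = 0; i < len; i += utf16 ? 2 : 1) {
        bool wide = utf16 && (i + 1 >= len || b[off + i + 1] != 0);
        out.push_back(wide ? '?' : static_cast<char>(b[off + i]));  // non-ASCII -> '?'
    }
    return true;
}
// Hypothetical helper: classify a Proxy-Authorization value; true for message 1 or 3.
bool parse_proxy_ntlm(const std::string& value, NtlmToken& t) {
    std::vector<uint8_t> raw;
    if (value.compare(0, 5, "NTLM ") != 0 || !b64decode(value.substr(5), raw)) return false;
    if (raw.size() < 12 || std::memcmp(raw.data(), "NTLMSSP", 8) != 0) return false;
    t.type = le(raw, 8, 4);
    if (t.type == 1) return true;                // NEGOTIATE: answer 407 with the challenge
    if (t.type != 3 || raw.size() < 64) return false;  // assumes the 64-byte fixed header
    bool utf16 = (le(raw, 60, 4) & 0x1) != 0;    // NTLMSSP_NEGOTIATE_UNICODE
    return field(raw, 28, utf16, t.domain) && field(raw, 36, utf16, t.user);
}
// Constructed sample (not captured traffic): message 3 for domain "AD", user "bob".
const std::string kSampleType3 = "NTLM TlRMTVNTUAAD" + std::string(24, 'A') +
    "AAQABABAAAAABgAGAEQA" + std::string(24, 'A') + "AQAAAEEARABiAG8AYgA=";
```

The domain and user read from message 3 are only what the client claims. The token itself still has to be verified, for example by passing it to SSPI's `AcceptSecurityContext` as in the MSDN sample linked above.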