views: 98 | answers: 2

I would need to write an Authentication Module for IIS7 that behaves exactly like NTLM, but does some extra checking. The Module does NTLM against Active Directory (so that the module knows if the user is OK) and then needs to call another service to finally verify access.

I have to do this in an Authentication Module because the actual content on the IIS website is served through a custom IIS Module that's a black box to me, and I can't modify the client since that's also a black box. Also, I cannot use Windows Security Groups, as the service I need to call has its own user database.

I found this article about writing a custom Authentication provider, but I don't really know how I can verify the user against Active Directory/Windows.

Does anyone have some hints on how I could implement NTLM? It doesn't have to be IIS-centric; my problem is more "What do I get from the client's browser and how do I verify it?"

+3  A: 

What you are describing does not sound like an Authentication Provider, it sounds like you want to write an Authorization Provider. For that I would handle the AuthorizeRequest and use the HttpContext.User that will already have a valid Windows Authentication token (assuming you enabled windows authentication). At that point you can use IsUserInRole and other APIs to get additional data from ActiveDirectory or use System.DirectoryServices to get additional data. Just make sure that you do some caching since going to AD for every single request might be a performance issue. At least IIS will handle the Windows Auth for you which does have a cache.

CarlosAg
Nice, didn't know that I can have both, I thought Authorization is an Application thing. I'll try that.
Michael Stum
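As an added example (not code from the question or from CarlosAg's answer), here is a minimal IIS7 integrated-pipeline module that does what the answer describes: it leaves NTLM to IIS, hooks AuthorizeRequest, reads the already-verified DOMAIN\user name from HttpContext.User, asks an external service whether that account is allowed, caches the verdict in HttpRuntime's cache, and short-circuits the request so the black-box content handler never runs for a denied user. The IExternalAccessService interface and its DenyAllButListService stand-in are hypothetical placeholders for the real service client; the web.config snippet in the comment assumes the site runs in Integrated mode with Windows Authentication enabled and Anonymous Authentication disabled.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;

// Hypothetical contract for the external user database (not a real API).
public interface IExternalAccessService
{
    // Returns true when the Windows account (DOMAIN\user) is allowed by the external database.
    bool IsAllowed(string accountName);
}

// Stand-in implementation with a constructed allow-list; replace with the real client.
public class DenyAllButListService : IExternalAccessService
{
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\mstum", @"CORP\svc-report" };

    public bool IsAllowed(string accountName)
    {
        return Allowed.Contains(accountName);
    }
}

// Register under <system.webServer><modules> in web.config (Integrated pipeline):
//   <add name="ExternalCheckAuthorization" type="ExternalCheckAuthorizationModule" />
// and make sure <windowsAuthentication enabled="true" /> and <anonymousAuthentication enabled="false" />.
public class ExternalCheckAuthorizationModule : IHttpModule
{
    // Cache both positive and negative verdicts so the external service is not called per request.
    private static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(5);
    private static readonly IExternalAccessService Service = new DenyAllButListService();

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after AuthenticateRequest, so IIS has already completed the
        // NTLM/Kerberos handshake against AD and populated HttpContext.User.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // No verified principal yet: let IIS issue the 401 challenge instead of deciding here.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            return;
        }

        WindowsIdentity identity = ctx.User.Identity as WindowsIdentity;
        if (identity == null)
        {
            // Some other authentication scheme produced the principal; refuse rather than guess.
            Deny(ctx, "Unexpected identity type");
            return;
        }

        // identity.Name is DOMAIN\user as confirmed by the domain controller, not a client-supplied header.
        if (!IsAllowedCached(ctx, identity.Name))
        {
            Deny(ctx, "Access denied by external access service");
        }
    }

    private static bool IsAllowedCached(HttpContext ctx, string account)
    {
        string key = "extauth:" + account.ToUpperInvariant();
        object cached = ctx.Cache[key];
        if (cached is bool)
        {
            return (bool)cached;
        }

        bool allowed;
        try
        {
            allowed = Service.IsAllowed(account);
        }
        catch (Exception)
        {
            // Fail closed when the service is unreachable, and do not cache the failure
            // so the next request retries instead of locking the user out for CacheLifetime.
            return false;
        }

        ctx.Cache.Insert(key, allowed, null, DateTime.UtcNow.Add(CacheLifetime), Cache.NoSlidingExpiration);
        return allowed;
    }

    private static void Deny(HttpContext ctx, string reason)
    {
        // 403 rather than 401: the user is authenticated, just not authorized, so a re-challenge is pointless.
        ctx.Response.StatusCode = 403;
        ctx.Response.StatusDescription = reason;
        ctx.ApplicationInstance.CompleteRequest(); // stop the pipeline so the black-box handler never executes
    }

    public void Dispose() { }
}
```

Two practical notes: if the external service also wants group membership, `identity.Groups` (or `ctx.User.IsInRole(@"CORP\SomeGroup")`) gives you AD groups from the token without a directory round-trip, and the cache key should include whatever the service's decision depends on; and returning 403 for denied-but-authenticated users keeps browsers from looping on a fresh NTLM challenge that can never succeed.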
+1  A: 

Look at Waffle, which does all the motions in Java. So you would backport this into another language/infrastructure.

dblock