ntlm interview questions
Top ntlm frequently asked interview questions
I know there's a lot of questions on SO similar to this, but I couldn't find one for this particular issue.
A couple of points, first:
- I have no control over our Sharepoint server. I cannot tweak any IIS settings.
- I believe our IIS server version is IIS 7.0.
- Our Sharepoint Server is anticipating requests via NTLM.
- Our Sharepoint Server is on the same domain as my client computer.
- I am using .NET Framework 3.5, Visual Studio 2008
I am trying to write a simple console app to manipulate Sharepoint data using Sharepoint Web Services. I have added the Service Reference, and the following is my app.config:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="ListsSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://subdomain.companysite.com/subsite/_vti_bin/Lists.asmx"
binding="basicHttpBinding" bindingConfiguration="ListsSoap"
contract="ServiceReference1.ListsSoap" name="ListsSoap" />
</client>
</system.serviceModel>
This is my code:
static void Main(string[] args)
{
using (var client = new ListsSoapClient())
{
client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("username", "password", "domain");
client.GetListCollection();
}
}
When I call GetListCollection(), the following MessageSecurityException gets thrown:
The HTTP request is unauthorized with client authentication scheme 'Ntlm'.
The authentication header received from the server was 'NTLM'.
With an inner WebException:
"The remote server returned an error: (401) Unauthorized."
I've tried various bindings and various code tweaks to try to authenticate properly, but to no avail. I'll list those below.
I've tried the following steps:
Using a native Win32 Impersonator before creating the client
using (new Impersonator.Impersonator("username", "password", "domain"))
using (var client = new ListsSoapClient())
{
client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("dpincas", "password", "domain");
client.GetListCollection();
}
This produced the same error message.
Setting TokenImpersonationLevel for my client credentials
using (var client = new ListsSoapClient())
{
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
client.GetListCollection();
}
This produced the same error message.
Using security mode=TransportCredentialOnly
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" />
</security>
This resulted in a different error message:
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: via
However, I need to use https, so I cannot change my URI scheme.
I've tried some other combinations that I can't remember, but I'll post them when I do. I'm really at wits end here. I see a lot of links on Google that say "switch to Kerberos", but my server seems to only be accepting NTLM, not "Negotiate" (as it would say if it was looking for Kerberos), so that is unfortunately not an option.
Any help out there, folks?
Source: (StackOverflow)
I've created one WCF service and deployed it on Server. When I browse this service it gives me positive response with ?wsdl URL. Now I'm trying to test the service through WCF Test client. It shows proper metadata. But when I try to invoke any of the method from the service it shows me an exception... here are the erro details with stack trace..
The HTTP request is unauthorized with
client authentication scheme
'Anonymous'. The authentication header
received from the server was
'Negotiate,NTLM'.
Server stack trace:
at
System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest
request, HttpWebResponse response,
WebException responseException,
HttpChannelFactory factory)
The HTTP request is unauthorized with client
authentication scheme 'Anonymous'. The
authentication header received from
the server was 'Negotiate,NTLM'.
Server stack trace:
at
System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest
request, HttpWebResponse response,
WebException responseException,
HttpChannelFactory factory)
Client Bindings:
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IServiceMagicService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="None">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Server Bindings:
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_SEOService" closeTimeout="00:10:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="true" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="999524288" maxReceivedMessageSize="655360000" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="900000" maxArrayLength="900000" maxBytesPerRead="900000" maxNameTableCharCount="900000" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="None">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true" establishSecurityContext="true" />
</security>
</binding>
<binding name="WSHttpServiceMagicBinding" closeTimeout="00:10:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="true" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="999524288" maxReceivedMessageSize="655360000" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="900000" maxArrayLength="900000" maxBytesPerRead="900000" maxNameTableCharCount="900000"/>
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
<security mode="None">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
<message clientCredentialType="Windows" negotiateServiceCredential="true" establishSecurityContext="true"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
Client's Client Section:
<client>
<endpoint address="http://hydwebd02.solutions.com/GeoService.Saveology.com/ServiceMagicService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IServiceMagicService"
contract="IServiceMagicService" name="WSHttpBinding_IServiceMagicService" />
</client>
Server's Services Section:
<services>
<service behaviorConfiguration="GeoService.Saveology.com.CityStateServiceProviderBehavior"
name="GeoService.Saveology.com.CityStateServiceProvider">
<endpoint binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_SEOService"
contract="SEO.Common.ServiceContract.ICityStateService" />
<endpoint address="mex" binding="mexHttpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
</service>
<service behaviorConfiguration="GeoService.Saveology.com.ServiceMagicServiceProviderBehavior"
name="GeoService.Saveology.com.ServiceMagicServiceProvider">
<endpoint binding="wsHttpBinding" bindingConfiguration="WSHttpServiceMagicBinding"
contract="SEO.Common.ServiceContract.IServiceMagicService">
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" bindingConfiguration="" contract="IMetadataExchange" />
</service>
</services>
Source: (StackOverflow)
I am trying to use System.Net.WebClient in a WinForms application to upload a file to an IIS6 server which has Windows Authentication as
it only 'Authentication' method.
WebClient myWebClient = new WebClient();
myWebClient.Credentials = new System.Net.NetworkCredential(@"boxname\peter", "mypassword");
byte[] responseArray = myWebClient.UploadFile("http://localhost/upload.aspx", fileName);
I get a 'The remote server returned an error: (401) Unauthorized', actually it is a 401.2
Both client and IIS are on the same Windows Server 2003 Dev machine.
When I try to open the page in Firefox and enter the same correct credentials as in the code, the page comes up.
However when using IE8, I get the same 401.2 error.
Tried Chrome and Opera and they both work.
I have 'Enable Integrated Windows Authentication' enabled in the IE Internet options.
The Security Event Log has a Failure Audit:
Logon Failure:
Reason: An error occurred during logon
User Name: peter
Domain: boxname
Logon Type: 3
Logon Process: ÈùÄ
Authentication Package: NTLM
Workstation Name: boxname
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 1476
I used Process Monitor and Fiddler to investigate but to no avail.
Why would this work for 3rd party browsers but not with IE or System.Net.WebClient?
Source: (StackOverflow)
I have PHP 5.6.17 and Apache 2.4.10 running on Debian 8.
I want to populate the PHP variable $_SERVER['REMOTE_USER'] with the Windows username, to log in the user if the username is in my database. I'm comfortable with the security risks involved in this method, as this will only be exposed on a local network.
Here is what I did in my Apache vhost definition:
<LocationMatch "/login/ssologin">
PerlAuthenHandler Apache2::AuthenNTLM
AuthBasicAuthoritative on
AuthType ntlm
AuthName "hello"
Require valid-user
PerlAddVar ntdomain "my.local"
PerlSetVar defaultdomain my.local
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmauthoritative off
PerlSetVar ntlmdebug 1
</LocationMatch>
I put the URL into the trusted sites on Internet Explorer, but I was still prompted for basic authentication.
What did I miss?
My only goal is to get the username of the windows session. Is there another, easier way?
Source: (StackOverflow)
Hello,
I am currently writing a client to access a Microsoft Exchange server and read contacts, appointments etc. from it.
Through days of searching I've been able to connect to the EWS via PHP's Soap client and a custom HTTPS Stream wrapper. This website helped me greatly at this point.
Everything worked fine on my Windows 7 machine using XAMPP
Now I uploaded my project to a Debian 6.0 Squeeze development machine that has exactly the same configuration as my Windows machine regarding the web-server, php settings, mysql settings etc. but it just wont work anymore
The debian machine can resolve and ping the exchange server without problems
I nailed the actual problem down to a point, where cURL isn't able to retrieve the WSDL file of the EWS
It always receives an empty response and a 401 (Unauthorized) status code
The credentials I use are correct, the same credentials work on my windows machine
I extracted the faulty piece of code and tried running it stand-alone, it looks like this:
echo "Trying to get https://".$cfg[ 'Exchange.Server' ]."/EWS/Services.wsdl<br>";
$curl = curl_init( 'https://'.$cfg[ 'Exchange.Server' ].'/EWS/Services.wsdl' );
curl_setopt( $curl, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1 );
curl_setopt( $curl, CURLOPT_HTTPAUTH, CURLAUTH_NTLM );
curl_setopt( $curl, CURLOPT_USERPWD, $cfg[ 'Exchange.User' ].':'.$cfg[ 'Exchange.Password' ] );
curl_setopt( $curl, CURLOPT_SSL_VERIFYPEER, false );
curl_setopt( $curl, CURLOPT_SSL_VERIFYHOST, false );
echo '<pre>';
$response = curl_exec( $curl );
$info = curl_getinfo( $curl );
var_dump( $info );
var_dump( $response );
curl_close( $curl );
The result I receive here is the mentioned 401 status code and an empty response
When I call the same url in my browser or with the same code on my windows machine, I get the WSDL file I want
Actually I can't even tell if this is a linux-based problem or if I do something wrong at some point, I'm struggling with this for 2 days now.
Is there someone that may be able to find my mistake or tell me the reason why it doesn't work?
I may provide any further needed information on demand
Source: (StackOverflow)
I am behind a proxy at work (using NTLM authentication). Whenever I load up a page, my Firebug console gets flooded with messages like this:
"NetworkError: 407 Proxy Authentication Required - http://somewebsite/Scripts/jquery-1.8.2.min.js"
It does that for all URLs referenced on that page: JS, CSS, Image, whatnot.
The annoying thing is that the file is actually successfully loaded. It seems that Firefox hits the 407 Error, spams the log and then loads it anyway with the NTLM credentials.
Is there any way I can stop these useless errors from showing up, so they don't drown out the console messages I'm actually interested in?
Source: (StackOverflow)
I try to access a Sharepoint list via JAX-WS as described here
However, when running the code below I get:
java.lang.Exception: Exception. See stacktrace.com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized
Sharepoint requires NTLM authentication. What may be the problem? Thanks a lot!
public static ListsSoap sharePointListsAuth(String userName, String password) throws Exception {
ListsSoap port = null;
if (userName != null && password != null) {
try {
Lists service = new Lists();
port = service.getListsSoap();
System.out.println("Web Service Auth Username: " + userName);
((BindingProvider) port).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, userName);
((BindingProvider) port).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
} catch (Exception e) {
throw new Exception("Error: " + e.toString());
}
} else {
throw new Exception("Couldn't authenticate: Invalid connection details given.");
}
return port;
}
Source: (StackOverflow)
I write and host web applications on Windows servers for intranet usage. My server stack uses Sinatra (which uses Rack), Thin, and (in some cases) Apache for reverse-proxying only.
I want to support Single Sign-on (using NTLM or Kerberos) within our ActiveDirectory-backed domain. I have seen that I can use mod_ntlm or mod_auth_kerb when I'm behind Apache to perform my NTLM authentication. I haven't tried this yet, but I assume it will work.
My question is about NTLM or Kerberos authentication when I'm not behind Apache, using only Thin and Sinatra. I've seen rack-ntlm, but the usage details there are exceedingly sparse.
Please provide known-working code under Sinatra or Rack that shows how to use NTLM or Kerberos on the server-side, authenticating with ActiveDirectory (presumably via net-ldap).
Edit: Emphasized the desired answers, as no answers so far come close to providing the explicit help this question is asking for. Users should be able to find this answer and have a working solution, not pointers to external libraries that they must figure out how to use.
Source: (StackOverflow)
I've tried both using export http_proxy=http://[username]:[pwd]@[proxy] and git config --global http.proxy http://[username]:[pwd]@[proxy].
I couldn't make it work. It looks like git uses Basic authentication:
Initialized empty Git repository in /home/.../.git/
* Couldn't find host github.com in the .netrc file, using defaults
* About to connect() to github.com port 8080 (#0)
* Trying 10.... * Connected to github.com (10....) port 8080 (#0)
* Proxy auth using Basic with user '...'
> GET http://github.com/sunlightlabs/fiftystates.git/info/refs HTTP/1.1
Proxy-Authorization: Basic MD...
User-Agent: git/1.6.1.2
Host: github.com
Pragma: no-cache
Accept: */*
Proxy-Connection: Keep-Alive
< HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to t
he Web Proxy filter is denied. )
< Via: 1.1 ...
< Proxy-Authenticate: Negotiate
< Proxy-Authenticate: Kerberos
< Proxy-Authenticate: NTLM
< Connection: Keep-Alive
< Proxy-Connection: Keep-Alive
< Pragma: no-cache
< Cache-Control: no-cache
< Content-Type: text/html
< Content-Length: 4118
* The requested URL returned error: 407
* Closing connection #0
fatal: http://github.com/sunlightlabs/fiftystates.git/info/refs download error - The requested URL returned error: 407
Google search returned mixed and probably not updated results. Somewhere it says that curl is (was?) used under the hood, but its options are (were?) hardwired into code. For example,
curl --proxy-ntlm --proxy ...:8080 google.com
works, and I'd like to use the same option with git.
I need some more definite answers here: has anybody succeed using git through Windows proxies? Which version?
Thanks.
Source: (StackOverflow)
I am trying to open an http connection to an url protected with the NTLM authentication scheme. This code has been working correctly for 2 year when we were on Java 6.I wrote a small java program which access that particular url to make the test case as simple as possible.
The problem is that I am unable to make the program work on linux and when using versions of the JDK 7. Java tries 20 times to access the URL and then I get an error telling me that the server redirected too many times. It works fine with linux and JDK 6, and in windows 7 with JDK 6 or 7.
I checked and tried the solution listed here (and many others) : Getting "java.net.ProtocolException: Server redirected too many times" Error. It didn't work. I also have to add that when accessing the url from a browser, I can see that there are no cookies involved.
Here is the exact detail of the os/java versions that I have tried :
Success:
- Windows 7: Java(TM) SE Runtime Environment (build 1.7.0_15-b03) (64 bit)
- Windows 7: Java(TM) SE Runtime Environment (build 1.7.0_10-b18) (64 bit)
- Windows 7: Java(TM) SE Runtime Environment (build 1.6.0_33-b04) (64 bit)
- Redhat enterprise linux 6.4: Java(TM) SE Runtime Environment (build 1.6.0_33-b04) (64 bit)
Fail:
- Redhat enterprise linux 6.4: Java(TM) SE Runtime Environment (build 1.7.0-b147) (64 bit)
- Redhat enterprise linux 6.4: Java(TM) SE Runtime Environment (build 1.7.0_05-b06) (64 bit)
- Redhat enterprise linux 6.4: Java(TM) SE Runtime Environment (build 1.7.0_13-b20) (64 bit)
- Redhat enterprise linux 6.4: Java(TM) SE Runtime Environment (build 1.7.0_15-b03) (64 bit)
When the program works, I see the authentication methods that were used and the document that I am trying to download as the output:
Scheme:Negotiate
Scheme:ntlm
.... document content ....
Done
When it fails, I have the following output :
Scheme:Negotiate
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
Scheme:ntlm
java.net.ProtocolException: Server redirected too many times (20)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1635)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at TestWs.testWs(TestWs.java:67)
at TestWs.main(TestWs.java:20)
Here is the source code of the program:
package com.test;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.Authenticator;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.PasswordAuthentication;
import java.net.URL;
import java.net.URLConnection;
public class TestWs {
public static void main(String[] args) throws Exception {
new TestWs().testWs();
}
public void testWs() {
try {
CookieHandler.setDefault(new CookieManager(null, CookiePolicy.ACCEPT_ALL));
Authenticator.setDefault(new MyAuthenticator("username", "password"));
URL url = new URL("https://someurlprotectedbyntlmauthentication.com");
URLConnection connection = url.openConnection();
InputStream is = connection.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);
while (true) {
String s = br.readLine();
if (s == null)
break;
System.out.println(s);
}
System.out.println("Done");
} catch (Exception ex) {
ex.printStackTrace();
}
}
}
class MyAuthenticator extends Authenticator {
private String httpUsername;
private String httpPassword;
public MyAuthenticator(String httpUsername, String httpPassword) {
this.httpUsername = httpUsername;
this.httpPassword = httpPassword;
}
@Override
protected PasswordAuthentication getPasswordAuthentication() {
System.out.println("Scheme:" + getRequestingScheme());
return new PasswordAuthentication(httpUsername, httpPassword.toCharArray());
}
}
Any help would be greatly appreciated.
UPDATE:
After some more investigation, I found that the authentication works if I use a domain user, but not if I use a local user.
This code from the JDK 7 causes me troubles (class com.sun.security.ntlm.Client) :
public byte[] type3(byte[] type2, byte[] nonce) throws NTLMException {
if (type2 == null || (v != Version.NTLM && nonce == null)) {
throw new NullPointerException("type2 and nonce cannot be null");
}
debug("NTLM Client: Type 2 received\n");
debug(type2);
Reader r = new Reader(type2);
byte[] challenge = r.readBytes(24, 8);
int inputFlags = r.readInt(20);
boolean unicode = (inputFlags & 1) == 1;
String domainFromServer = r.readSecurityBuffer(12, unicode);
if (domainFromServer != null) {
domain = domainFromServer;
}
So, since the server is enroled in a domain, it sends back to the client it's domain as part of the NTLM protocol. Java replaces the domain that I'm trying to force by the variable "domainFromServer" everytime and it fails since the user exists on the server and not on the server's domain.
I don't know exactly what to do with that.
Source: (StackOverflow)
I am working on a Single Sign-On (SSO) PHP application.
Users log in their Windows session, and they want to be automatically logged in the application with their Windows account (connected with LDAP Active Directory).
I tried this script :
<?php
$headers = apache_request_headers(); // Récupération des l'entêtes client
if (@$_SERVER['HTTP_VIA'] != NULL){ // nous verifions si un proxy est utilisé : parceque l'identification par ntlm ne peut pas passer par un proxy
echo "Proxy bypass!";
} elseif(!isset($headers['Authorization'])) { //si l'entete autorisation est inexistante
header( "HTTP/1.0 401 Unauthorized" ); //envoi au client le mode d'identification
header( "WWW-Authenticate: NTLM" ); //dans notre cas le NTLM
exit; //on quitte
}
if(isset($headers['Authorization'])) //dans le cas d'une authorisation (identification)
{
if(substr($headers['Authorization'],0,5) == 'NTLM '){ // on vérifit que le client soit en NTLM
$chaine=$headers['Authorization'];
$chaine=substr($chaine, 5); // recuperation du base64-encoded type1 message
$chained64=base64_decode($chaine); // decodage base64 dans $chained64
if(ord($chained64{8}) == 1){
// |_ byte signifiant l'etape du processus d'identification (etape 3)
// verification du drapeau NTLM "0xb2" à l'offset 13 dans le message type-1-message (comp ie 5.5+) :
if (ord($chained64[13]) != 178){
echo "NTLM Flag error!";
exit;
}
$retAuth = "NTLMSSP".chr(000).chr(002).chr(000).chr(000).chr(000).chr(000).chr(000).chr(000);
$retAuth .= chr(000).chr(040).chr(000).chr(000).chr(000).chr(001).chr(130).chr(000).chr(000);
$retAuth .= chr(000).chr(002).chr(002).chr(002).chr(000).chr(000).chr(000).chr(000).chr(000);
$retAuth .= chr(000).chr(000).chr(000).chr(000).chr(000).chr(000).chr(000);
$retAuth64 =base64_encode($retAuth); // encode en base64
$retAuth64 = trim($retAuth64); // enleve les espaces de debut et de fin
header( "HTTP/1.0 401 Unauthorized" ); // envoi le nouveau header
header( "WWW-Authenticate: NTLM $retAuth64" ); // avec l'identification supplémentaire
exit;
} else if(ord($chained64{8}) == 3) {
// |_ byte signifiant l'etape du processus d'identification (etape 5)
// on recupere le domaine
$lenght_domain = (ord($chained64[31])*256 + ord($chained64[30])); // longueur du domain
$offset_domain = (ord($chained64[33])*256 + ord($chained64[32])); // position du domain.
$domain = str_replace("\0","",substr($chained64, $offset_domain, $lenght_domain)); // decoupage du du domain
//le login
$lenght_login = (ord($chained64[39])*256 + ord($chained64[38])); // longueur du login.
$offset_login = (ord($chained64[41])*256 + ord($chained64[40])); // position du login.
$login = str_replace("\0","",substr($chained64, $offset_login, $lenght_login)); // decoupage du login
$lenght_host = (ord($chained64[47])*256 + ord($chained64[46]));
$offset_host = (ord($chained64[49])*256 + ord($chained64[48]));
$host = str_replace("\0","",substr($chained64, $offset_host, $lenght_host));
if ( $login != NULL){
echo $login;
} else {
echo "NT Login empty!";
}
}
}
}
?>
This script is working on this configuration :
- Windows server 2003
- Apache 2.2 with module mod_auth_sspi
But now I need to implement this on this configuration and it does not work :
- Windows server 2008
- Apache 2.4.6 with module mod_authnz_sspi
I keep getting "NTLM Flag error!", because of this condition :
if (ord($chained64[13]) != 178){
echo "NTLM Flag error!";
exit;
}
I tried :
if (ord($chained64[13]) != 130){
because ord($chained64[13]) returns 130, but I can not go in this condition :
} else if(ord($chained64{8}) == 3) {
$lenght_domain = (ord($chained64[31])*256 + ord($chained64[30])); // longueur du domain
$offset_domain = (ord($chained64[33])*256 + ord($chained64[32])); // position du domain.
$domain = str_replace("\0","",substr($chained64, $offset_domain, $lenght_domain)); // decoupage du du domain
//le login
$lenght_login = (ord($chained64[39])*256 + ord($chained64[38])); // longueur du login.
$offset_login = (ord($chained64[41])*256 + ord($chained64[40])); // position du login.
$login = str_replace("\0","",substr($chained64, $offset_login, $lenght_login)); // decoupage du login
$lenght_host = (ord($chained64[47])*256 + ord($chained64[46]));
$offset_host = (ord($chained64[49])*256 + ord($chained64[48]));
$host = str_replace("\0","",substr($chained64, $offset_host, $lenght_host));
if ( $login != NULL){
echo $login;
} else {
echo "NT Login empty!";
}
}
Because ord($chained64{8}) always returns 1.
Edit 2015-05-11 :
I tried executing the 'whoami' command in php, like this : echo exec('whoami'); -> when I execute this command in cmd.exe, I get the current logged user, but when I execute it in PHP, I get nt_authority/system.
I supposed that when PHP executes the 'whoami' command, Windows checks the login of Apache service. I went into Apache properties, in the 'Log On' tab, to log on as a valid user of the Active Directory. But then, when PHP executes echo exec('whoami');, I only get the login used for Apache, and not the current user.
I am using Internet Explorer 8 to execute the PHP script.
I have this in my Apache httpd.conf (_PATH_ is the path to my php files, maybe this is wrong ?) :
<Directory "E:/_PATH_">
Options None
AllowOverride All
Order allow,deny
Allow from all
AuthName "SSPI Protected Place"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
Require valid-user
</Directory>
Edit 2015-05-12 :
I am logged as a domain user on the machine
When I try with Firefox, I get a prompt for a login and a password. When I post the prompt, the script gets the login from the prompt, but this is not what I want to do : I have to get this to work with IE, and I don't want to type again login and password. I want the login of the current Windows session.
In Firefox, I went into about:config to set network.automatic-ntlm-auth.trusted-uris to my domain, thanks to @ThaDafinser. Now I do not get a prompt anymore in Firefox and everything works, but I always need to make it work on IE.
In IE, I set Local Intranet Security to the lowest, but nothing changed.
In IE, "Automatic logon with current user name and password" is checked for Local Intranet & Trusted Sites.
When I force IE to ask credentials in a prompt, if I post the prompt, IE does not return the credentials, contrary to Firefox.
Edit 2015-05-13 :
I added the URL to trusted sites in IE, nothing changed.
I set security to low for trusted sites, nothing changed.
I unchecked "Use HTTP 1.1 through proxy connections" in IE > Internet Options > Advanced, I still can not have session informations on Internet Explorer, even if I use the prompt.
I added the full URL in Internet Explorer > Internet Options > Security > Local Intranet > Sites > Advanced
In Internet Explorer > Internet Options > Security > Local Intranet > Sites > Advanced, I also added the same part of the domain (mycompany.com) than I have added in Firefox to make it work, but this did not help.
Edit 2015-05-18 :
Changed my httpd.conf to be compatible with Apache 2.4, according to what @timclutton said in his answer :
<Directory "E:/_PATH_">
Require all denied
AllowOverride All
Options None
AuthName "SSPI Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
Require valid-user
Require user "NT AUTHORITY\ANONYMOUS LOGON" denied
</Directory>
Edit 2015-05-19 :
I tried to set a basic authentication intead of SSPI and it does not work.
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "E:/PATH/.htpasswd"
Require valid-user
Order allow,deny
Allow from all
Source: (StackOverflow)
I am trying to configure NTLM authentication, but receive error:
cvc-complex-type.2.4.c: The matching wildcard is strict, but no
declaration can be found for element 'http'.
I read a lot of topics with a similar error, but I could not find a solution to my problem.
My security.xml file that causes an error is:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd" >
<http access-denied-page="forms/error403.jsp" entry-point-ref="ntlmEntryPoint" servlet-api-provision="false">
<intercept-url pattern="forms/error403.jsp" filters="none"/>
<intercept-url pattern="forms/**" access="ROLE_GUEST,ROLE_OPERATOR,ROLE_ADMIN" />
<custom-filter position="PRE_AUTH_FILTER"/>
</http>
<authentication-manager alias="mainAuthenticationManager"/>
<authentication-provider user-service-ref='userDetailsService' />
<beans:bean id="userDetailsService"
class="service.UserInfoService">
<beans:property name="dataSource" ref="dataSource" />
<beans:property name="usersByUsernameQuery" value="select distinct name, ' ' as password, 1 as enabled from TMP_SPRING_USERS where name=?" />
<beans:property name="authoritiesByUsernameQuery" value="select name, role from TMP_SPRING_USERS where name=?" />
</beans:bean>
<beans:bean id="ntlmEntryPoint"
class="org.springframework.security.ui.ntlm.NtlmProcessingFilterEntryPoint">
<beans:property name="authenticationFailureUrl" value="forms/error403.html" />
</beans:bean>
<beans:bean id="exceptionTranslationFilter"
class="org.springframework.security.ui.ExceptionTranslationFilter">
<beans:property name="authenticationEntryPoint" ref="ntlmEntryPoint" />
</beans:bean>
<beans:bean id="ntlmFilter"
class="org.springframework.security.ui.ntlm.NtlmProcessingFilter">
<custom-filter position="NTLM_FILTER" />
<beans:property name="authenticationManager" ref="mainAuthenticationManager" />
<beans:property name="retryOnAuthFailure" value="true" />
<beans:property name="stripDomain" value="true"/>
<beans:property name="domainController" value="company.com" />
<beans:property name="jcifsProperties">
<beans:props>
<beans:prop key="jcifs.smb.lmCompatibility">0</beans:prop>
<beans:prop key="jcifs.smb.client.useExtendedSecurity">false</beans:prop>
<beans:prop key="jcifs.smb.client.domain">COMPANY</beans:prop>
<beans:prop key="jcifs.smb.client.username">somenycuser</beans:prop>
<beans:prop key="jcifs.smb.client.password">AReallyLoooongRandomPassword</beans:prop>
</beans:props>
</beans:property>
</beans:bean>
</beans:beans>
Because as of version 3.X Spring Security doesn't include the NTLM extension anymore, I use it from http://aloiscochard.blogspot.com/2010/03/spring-security-ntlm-3.html article.
Please help me.
Source: (StackOverflow)
An IIS7 Intranet site with Windows Authentication enabled. When hit from Chrome on windows the pass-through authentication works fine (no User / Password prompt), however, Chrome on a Mac you get a prompt. Since the internal network uses CAC/PKI no one has a password.
I've tried toggling the Windows Authentication on the site to negotiate, but same user/pass prompt.
appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']
Anyone know a solution for Chrome on OS X?
EDIT
OS X 10.6.8
Centrify for Mac will be used to authenticate to the (Windows 2008 R2 ActiveDirectory) network via CAC.
EDIT 2
There is a proxy setup, but it gets bypassed for local intranet sites, so I don't think it is playing a role.
Also tried using the --auth-server-whitelist command line switch, didn't work.
EDIT 3
SOLUTION
open 'Google Chrome.app' --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate"
Unfortunately Google Chrome for Mac has no way of specifying command line arguments on every load, so some sort of shell script will need to be made.
Running the following shell script at log in was the final solution to get around Chrome updates and extra doc icons.
#!/bin/bash
cd /Applications/Google\ Chrome.app/Contents/MacOS/
if [ -f 'Google Chrome.bin' ];
then
echo "Already Modified"
else
sudo chmod u+wr ./
sudo mv 'Google Chrome' 'Google Chrome.bin'
sudo echo "#!/bin/bash" > "Google Chrome"
sudo echo 'exec /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.bin --args --auth-server-whitelist="*DOMAIN.TLD" --auth-negotiate-delegate-whitelist="*DOMAIN.TLD" --auth-schemes="digest,ntlm,negotiate"' >> "Google Chrome"
sudo chmod a+x 'Google Chrome'
echo "NTLM Will now work in chrome"
fi
Source: (StackOverflow)
Trying to mirror a local intranet site and have found previous questions using 'wget'. It works great with sites that are anonymous, but I have not been able to use it against a site that is expecting username\password (IIS with Integrated Windows Authentication).
Here is what I pass in:
wget -c --http-user='domain\user' --http-password=pwd http://local/site -dv
Here is the debug output (note I replaced some with dummy values obviously):
Setting --verbose (verbose) to 1
DEBUG output created by Wget 1.11.4 on Windows-MSVC.
--2009-07-14 09:39:04-- http://local/site
Host `local' has not issued a general basic challenge.
Resolving local... seconds 0.00, x.x.x.x
Caching local => x.x.x.x
Connecting to local|x.x.x.x|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003e32b0 (new refcount 1).
---request begin---
GET /site/ HTTP/1.0
User-Agent: Wget/1.11.4
Accept: */*
Host: local
Connection: Keep-Alive
---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.1
Date: Tue, 14 Jul 2009 13:39:04 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 4431
Content-Type: text/html
---response end---
401 Access Denied
Closed fd 1896
Unknown authentication scheme.
Authorization failed.
Source: (StackOverflow)
The release notes for NuGet 1.5 state
NuGet now supports connecting to private repositories that require basic
or NTLM authentication.
However, the link contained in there simply leads to the hosting your own nuget feeds page, without any further mention of how to set up authentication.
I would like to set up a NuGet server that is accessible via https from the internet, but only allows people who can successfully authenticate to view or download the packages on the server.
I did create an application without auth as described in the Creating Remote Feeds section in the documentation, and it works nicely on the intranet. What do I have to do to enable authentication on this repo?
An additional requirement would be that solution should not cost hundreds of dollars (the first two answers promote products that might solve the problem but cost a lot).
Source: (StackOverflow)