NTLM authentication for a web server side application

Question

My Windows based application written in C++ ( basically an HTTP/1.1 proxy server) listens for requests from various users. Presently it is able to send a 407 Basic Challenge, and process the response from the Headers. I know I must modify the challenge headers, so that the client browsers make an NTLM based response for the purpose of authentication. But my question is - how do I generate the correct tokens, nonce, etc. for the 407 Authentication Challenge, and then how do I validate if the received responses are correct? Finally I would like to record the client's username and other LDAP / ADS properties if possible.

Please be kind, and redirect me to the correct posts if there are already any threads that discuss something similar. Most research on the WWW leads me only to the client-side programming, very little or almost none - for the coding that must be done in the HTTP server.

All of you great hacks around here, a BIG thanks in advance.

Answer 1

The short answer is that I think this Using SSPI with a Windows Sockets Server sample is your best starting place and it should demonstrate the basic SSPI calls you need. It's written for a plain TCP server, but the challenge/response data is sent over HTTP without much extra complexity.

[MS-N2HT]: Negotiate and Nego2 HTTP Authentication Protocol

I second the recommendation of reviewing the mod_auth_sspi for Apache code

Personally, I would also try attaching a low-level debugger to IIS and see how he goes about calling the SSPI functions, but that may not be your cup of tea.

After you've gotten that far with SSPI, obtaining the username should be a piece of cake (but ask if you need help). LDAP/AD properties for the user can be queried with those APIs.

The long answer involves little light reading:

Integrated Windows Authentication in Wikipedia

SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows

HTTP-Based Cross-Platform Authentication via the Negotiate Protocol (Part 1 of 3)

Part 3 has some interesting code samples as well.

Hope this helps!

Answer 2

There's code in httpauth which could help you. It uses smbval code to parse NTLM message 1 and 3. See: http://memberwebs.com/stef/software/httpauth/

Answer 3

After some struggle I have managed to come this far: On my Proxy Server I can challenge clients for Basic / NTLM authentication. When the user makes a "Basic" response, I can validate the credentials using SSPI. This documentation helped: http://support.microsoft.com/kb/180548

However I am just not able to get the NTLM based challenge and responses completed. Basically I am able to "tickle" the client to select the NTLM based authentication system by 407 Proxy-authenicate, which basically requires 3 messages. The first message has to be an NTLM based request sent by the client, the second would be a challenge from my server, and the third message would be from the client. Now the problem is "How do I generate the NTLM challenge, and then decipher or valiate the NTLM authorisation i.e. message 3.

And a lot of thanks to Marsh and the other good hacks, for all the efforts, you took to make the response. I can only hope you may be willing to share a bit more.

Answer 4

this is a java implementation which you might find useful

http://www.luigidragone.com/networking/ntlm.html

and, more useful indeed, an atempt to document the undocumented ntlm scheme

http://www.innovation.ch/personal/ronald/ntlm.html

Answer 5

You may find inspiration by looking at the mod_auth_sspi Apache module