Reputation: 3333
NTLM authentication over HTTP
I am wondering if we are using NTLM (Windows) authentication - how server determines if user is already logged on or not. So when I first time access the site - the server tells me he want to authenticate me via NTLM:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Then client and server exchanging few requests - actually challenge/response phase happens here, particularly server generates and sends challenge to client, client calculates response based on it and sends back, and then server contact Domain Controller to verify it. Ok, we're done.
But when I am authenticated and go to any page, there are no any authentication headers anymore. How does server know that I'm already authenticated?
P.S. I thought IIS ties client by MAC or IP but indeed that's not true. NTLM works for single browser. Also no NTLM specific cookies were found.
Upvotes: 5
Views: 16756
Answers (1)
Reputation: 11222
NTLM over http is using HTTP persistent connection or http keep-alive.
A single connection is created and then kept open for the rest of the session.
If using the same authenticated connection, it is not necessary to send the authentication headers anymore.
This is also the reason why NTLM doesn't work with certain proxy servers that don't support keep-alive connections.
Upvotes: 7
Related Questions
- Use NTLM Authentication in Web Request in .NET Core
- How to test a HTTP client using NTLM authentication?
- NTLM over HTTP: Any C# client implementation?
- Intranet website authentication using windows logon
- How do I use NTLM authentication with Active Directory
- c# application with http interface needs to implement NTLM authentication
- HttpWebRequest 401 with NTLM Authenticiation
- Active Directory and NTLM Authentication
- Active Directory + HTTP Authentication
- Soap NTLM Authorization