Reputation: 3674
Windows Authentication Headers without .NET. Possible?
I was wondering if anyone knew of a way to use Windows Authentication without hosting on an ASP site. It's an intranet w/ access to LDAP, so I'm wondering if there's a way to force the client to provide me the data as if it was coming from an ASP site. I just need the login domain and username and I can run from there. Using Node.js on Ubuntu. Anyone have any experience with this?
Upvotes: 5
Views: 8220
Answers (4)
Reputation: 144912
Update: There's now a module that implements Windows-integrated authentication.
In your 401 response, you need to provide a WWW-Authenticate header with a value of NTLM, which informs browsers that they need to send Windows credentials.
response.writeHead(401, {
'WWW-Authenticate': 'NTLM',
});
You then have the fun of implementing NTLM authentication. Quoting from this document about the NTLM authentication protocol:
The client requests a protected resource from the server:
GET /index.html HTTP/1.1The server responds with a
401status, indicating that the client must authenticate.NTLMis presented as a supported authentication mechanism via theWWW-Authenticateheader. Typically, the server closes the connection at this time:HTTP/1.1 401 Unauthorized WWW-Authenticate: NTLM Connection: closeNote that Internet Explorer will only select NTLM if it is the first mechanism offered; this is at odds with RFC 2616, which states that the client must select the strongest supported authentication scheme.
The client resubmits the request with an
Authorizationheader containing a Type 1 message parameter. The Type 1 message is Base-64 encoded for transmission. From this point forward, the connection is kept open; closing the connection requires reauthentication of subsequent requests. This implies that the server and client must support persistent connections, via either the HTTP 1.0-style "Keep-Alive" header or HTTP 1.1 (in which persistent connections are employed by default). The relevant request headers appear as follows:GET /index.html HTTP/1.1 Authorization: NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1JLU1RBVElPTkRPTUFJTg==The server replies with a
401status containing a Type 2 message in theWWW-Authenticateheader (again, Base-64 encoded). This is shown below.HTTP/1.1 401 Unauthorized WWW-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAABAoEAASNFZ4mrze8AAAAAAAAAAGIAYgA8AAAARABPAE0AQQBJAE4AAgAMAEQATwBNAEEASQBOAAEADABTAEUAUgBWAEUAUgAEABQAZABvAG0AYQBpAG4ALgBjAG8AbQADACIAcwBlAHIAdgBlAHIALgBkAG8AbQBhAGkAbgAuAGMAbwBtAAAAAAA=The client responds to the Type 2 message by resubmitting the request with an
Authorizationheader containing a Base-64 encoded Type 3 message:GET /index.html HTTP/1.1 Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABAAAAACAAIAEwAAAAWABYAVAAAAAAAAACaAAAAAQIAAEQATwBNAEEASQBOAHUAcwBlAHIAVwBPAFIASwBTAFQAQQBUAEkATwBOAMM3zVy9RPyXgqZnr21CfG3mfCDC0+d8ViWpjBwx6BhHRmspst9GgPOZWPuMITqcxg==Finally, the server validates the responses in the client's Type 3 message and allows access to the resource.
HTTP/1.1 200 OK
It should be easy enough to get the user's username – it's sent as plain text in the Type 3 message. Actually validating that they've supplied the correct password is another matter entirely. Implementing all of this is left as an exercise for the reader.
Upvotes: 10
Reputation: 1439
If you are using Ubuntu, do a
sudo apt-get ntlmaps or download 'ntlmaps-xx-xx.deb'
and configure your proxy which would ask you for your domain, username and password.
Then run ntlmaps as your proxy. Ntlmaps will authenticate using your username and password. You write any program ntlmaps will authenticate your program automatically using your given configuration details. However there are few things you need to configure as well after installing ntlmaps. First let me know if is this something you are looking for?
Upvotes: 0
Reputation: 14579
You can use an NTLM module in Apache, or you can setup a script under IIS to capture the login information and POST it over to your node.js site.
Upvotes: 0
Reputation: 77271
Try Apache mod_ntlm or mod_auth_ntlm_winbind.
In Ubuntu:
[email protected]:~# apt-cache search ntlm apache
libapache2-authenntlm-perl - Perform Microsoft NTLM and Basic User Authentication
[email protected]:~# apt-cache show libapache2-authenntlm-perl
Package: libapache2-authenntlm-perl
Priority: optional
Section: universe/perl
Installed-Size: 192
Maintainer: Ubuntu MOTU Developers <[email protected]>
Original-Maintainer: Debian Perl Group <[email protected]>
Architecture: amd64
Version: 0.02-5
Depends: libapache2-mod-perl2, libc6 (>= 2.4), perl (>= 5.10.0-9), perlapi-5.10.0
Conflicts: libauthen-smb-perl (<= 0.96)
Filename: pool/universe/liba/libapache2-authenntlm-perl/libapache2-authenntlm-perl_0.02-5_amd64.deb
Size: 51418
MD5sum: 46f74ac156f7006d8d71ddbf00097e46
SHA1: 133aebf896156929d364950c2772c3e1344b9c9b
SHA256: 0688b38ab145f888a4d111aad12cb7f201dcd6e12ed969af697d3fec4a55c428
Description: Perform Microsoft NTLM and Basic User Authentication
The purpose of this module is to perform a user authentication via Microsoft's
NTLM protocol. This protocol is supported by all versions of the Internet
Explorer and is mainly useful for intranets. Depending on your preferences
setting IE will supply your windows logon credentials to the web server
when the server asks for NTLM authentication. This saves the user to type in
his/her password again.
.
The NTLM protocol performs a challenge/response to exchange a random number
(nonce) and get back a md4 hash, which is built from the user's password
and the nonce. This makes sure that no password goes over the wire in plain
text.
.
The main advantage of the Perl implementation is, that it can be easily
extended to verify the user/password against other sources than a windows
domain controller.
.
The default implementation is to go to the domain controller for the given
domain and verify the user. If you want to verify the user against another
source, you can inherit from Apache2::AuthenNTLM and override it's methods.
Homepage: http://search.cpan.org/dist/Apache2-AuthenNTLM
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Upvotes: 0
Related Questions
- node.js HTTP request with automatic ntlm / kerberos authentication
- Nodejs or ExpressJS Windows Authentication
- Windows Integrated Authentication in node.js Client
- How can I get LOGON_USER info from windows auth without having the username password prompt appear?
- Window Authentication Using Node JS on Linux
- Check if Windows Username and Password is correct in NodeJs
- Is it possible to use Windows integrated auth without IIS?
- Can I create a native windows desktop application using Node.js
- NTLM authentication using node.js
- Windows Authentication via Web Request C++ / Node.js