NTLM authentication for a web server-side application
My Windows based application written in C++ ( basically an HTTP/1.1 proxy server) listens for requests from various users.
Presently it is able to send a 407 Basic Challenge, and process the response from the Headers.
I know I must modify the challenge headers, so that the client browsers make an NTLM based response for the purpose of authentication. But my question is - how do I generate the correct tokens, nonce, etc. for the 407 Authentication Challenge, and then how do I validate if the received responses are correct? Finally I would like to record the client's username and other LDAP / ADS properties if possible.
Please be kind, and redirect me to the correct posts if there are already any threads that discuss something similar. Most research on the WWW leads me only to the client-side programming, very little or almost none - for the coding that must be done in the HTTP server.
All of you great hacks around here, a BIG thanks in advance.
The short answer is that I think this Using SSPI with a Windows Sockets Server sample
is your best starting place and it should demonstrate the basic SSPI calls you need. It's written for a plain TCP server, but the challenge/response data is sent over HTTP without much extra complexity.
[MS-N2HT]: Negotiate and Nego2 HTTP Authentication Protocol
I second the recommendation of reviewing the mod_auth_sspi for Apache code
Personally, I would also try attaching a low-level debugger to IIS and see how it goes about calling the SSPI functions, but that may not be your cup of tea.
After you've gotten that far with SSPI, obtaining the username should be a piece of cake (but ask if you need help). LDAP/AD properties for the user can be queried with those APIs.
The long answer involves a little light reading:
Integrated Windows Authentication in Wikipedia
SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
HTTP-Based Cross-Platform Authentication via the Negotiate Protocol (Part 1 of 3)
Part 3 has some interesting code samples as well.
Hope this helps!
There's code in httpauth which could help you. It uses smbval code to parse NTLM message 1 and 3. See: http://memberwebs.com/stef/software/httpauth/
You may find inspiration by looking at the mod_auth_sspi Apache module.
After some struggle I have managed to come this far:
On my Proxy Server I can challenge clients for Basic / NTLM authentication. When the user makes a "Basic" response, I can validate the credentials using SSPI. This documentation helped: http://support.microsoft.com/kb/180548
However I am just not able to get the NTLM based challenge and responses completed. Basically I am able to "tickle" the client to select the NTLM based authentication system by 407 Proxy-Authenticate, which basically requires 3 messages. The first message has to be an NTLM based request sent by the client, the second would be a challenge from my server, and the third message would be from the client. Now the problem is "How do I generate the NTLM challenge, and then decipher or validate the NTLM authorisation, i.e. message 3."
And a lot of thanks to Marsh and the other good hacks, for all the efforts you took to make the response. I can only hope you may be willing to share a bit more.
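As an added example (not code from the question, the answers, or any of the projects they link), here is the client-token half of the three-message exchange described above, written in C++ so it sits next to the asker's proxy code: it takes the value of the client's Proxy-Authorization header, base64-decodes the token, checks the NTLMSSP signature and message type, and for a Type 3 (AUTHENTICATE) message pulls out the domain, user and workstation strings that the httpauth answer mentions parsing and that the proxy wants to log. The offsets follow the public MS-NLMP message layout; `buildSampleType3`, `isWellFormedNtlm` and the sample tokens are constructed for this example. It deliberately does not build the Type 2 challenge or check the NT response: on Windows both are done by handing the tokens to SSPI's AcceptSecurityContext, and the name read out of Type 3 is untrusted until that call succeeds.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Parsed view of one client NTLM token: what a proxy needs to pick its next step and log the caller.
struct NtlmInfo {
    uint32_t type = 0;                      // 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE
    uint32_t flags = 0;                     // NegotiateFlags; bit 0 = NTLMSSP_NEGOTIATE_UNICODE
    std::string domain, user, workstation;  // filled for Type 3 only
};

// Minimal RFC 4648 base64 decoder; any character outside the alphabet rejects the whole token.
std::vector<uint8_t> base64Decode(const std::string& in) {
    static const std::string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::vector<uint8_t> out;
    uint32_t acc = 0; int bits = 0;
    for (char c : in) {
        if (c == '=') break;
        size_t v = alphabet.find(c);
        if (v == std::string::npos) return {};
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF)); }
    }
    return out;
}

// Bounds-checked little-endian read: the token is client-controlled, so every offset is validated first.
static uint32_t le(const std::vector<uint8_t>& b, size_t off, size_t n) {
    if (off > b.size() || n > b.size() - off) throw std::runtime_error("NTLM message truncated");
    uint32_t v = 0;
    for (size_t i = n; i-- > 0;) v = (v << 8) | b[off + i];
    return v;
}

// Read a security buffer (Length:16, MaxLength:16, Offset:32); non-ASCII becomes '?' so the result is log-safe.
static std::string readField(const std::vector<uint8_t>& m, size_t fieldOff, bool unicode) {
    size_t len = le(m, fieldOff, 2), off = le(m, fieldOff + 4, 4);
    if (off > m.size() || len > m.size() - off) throw std::runtime_error("NTLM field points outside the message");
    std::string s;
    for (size_t i = 0; i < len; i += unicode ? 2 : 1) {
        uint32_t cu = unicode ? le(m, off + i, 2) : m[off + i];   // Unicode fields are UTF-16LE
        s += (cu < 0x80) ? static_cast<char>(cu) : '?';
    }
    return s;
}

// Parse a raw NTLMSSP message; offsets follow the public MS-NLMP layout.
NtlmInfo parseNtlmMessage(const std::vector<uint8_t>& m) {
    if (m.size() < 12 || std::memcmp(m.data(), "NTLMSSP\0", 8) != 0)
        throw std::runtime_error("missing NTLMSSP signature");
    NtlmInfo info;
    info.type = le(m, 8, 4);
    if (info.type == 1) {
        info.flags = le(m, 12, 4);   // NEGOTIATE: flags directly follow the header
    } else if (info.type == 3) {
        // AUTHENTICATE: LM(12) NT(20) Domain(28) User(36) Workstation(44) SessionKey(52) Flags(60)
        info.flags = le(m, 60, 4);
        bool unicode = (info.flags & 0x1) != 0;
        info.domain = readField(m, 28, unicode);
        info.user = readField(m, 36, unicode);
        info.workstation = readField(m, 44, unicode);
    } else if (info.type != 2) {
        throw std::runtime_error("unknown NTLM message type");
    }
    return info;
}

// Proxy entry point: takes the value of the client's Proxy-Authorization header.
NtlmInfo parseProxyAuthorization(const std::string& headerValue) {
    if (headerValue.compare(0, 5, "NTLM ") != 0) throw std::runtime_error("not an NTLM Proxy-Authorization header");
    return parseNtlmMessage(base64Decode(headerValue.substr(5)));
}

bool isWellFormedNtlm(const std::vector<uint8_t>& m) {
    try { parseNtlmMessage(m); return true; } catch (const std::runtime_error&) { return false; }
}

// Constructed Type 3 (Unicode strings, empty LM/NT responses) used only to exercise the parser.
std::vector<uint8_t> buildSampleType3(const std::string& domain, const std::string& user, const std::string& ws) {
    std::vector<uint8_t> m(64, 0);
    std::memcpy(m.data(), "NTLMSSP\0", 8);
    m[8] = 3; m[60] = 0x01;                               // MessageType 3, NTLMSSP_NEGOTIATE_UNICODE
    auto put = [&m](size_t fieldOff, const std::string& s) {   // append payload after the 64-byte header
        uint32_t len = static_cast<uint32_t>(s.size() * 2), off = static_cast<uint32_t>(m.size());
        for (int i = 0; i < 2; ++i) m[fieldOff + i] = m[fieldOff + 2 + i] = static_cast<uint8_t>(len >> (8 * i));
        for (int i = 0; i < 4; ++i) m[fieldOff + 4 + i] = static_cast<uint8_t>(off >> (8 * i));
        for (char c : s) { m.push_back(static_cast<uint8_t>(c)); m.push_back(0); }   // UTF-16LE
    };
    put(28, domain); put(36, user); put(44, ws);
    return m;
}

int main() {
    NtlmInfo t3 = parseNtlmMessage(buildSampleType3("CORP", "alice", "WS01"));
    std::cout << "Type " << t3.type << ": " << t3.domain << "\\" << t3.user << " from " << t3.workstation << "\n";
}
```

Wiring this into the proxy on Windows: the decoded Type 1 goes into AcceptSecurityContext, whose output buffer is the Type 2 challenge to base64-encode into `Proxy-Authenticate: NTLM <token>` on the 407; the decoded Type 3 goes into a second AcceptSecurityContext call on the same context, and only a SEC_E_OK from that call makes the identity trustworthy. After that, QueryContextAttributes with SECPKG_ATTR_NAMES returns the authenticated user name, and the token from QuerySecurityContextToken can be used for the LDAP/AD lookups the question asks about. Two points that trip up proxies: NTLM binds the three messages to one TCP connection, so the server must keep the connection open across the 407 round trips, and every offset in the token is client-supplied, which is why the parser above checks each one before reading.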
This is a Java implementation which you might find useful:
http://www.luigidragone.com/networking/ntlm.html
and, more useful indeed, an attempt to document the undocumented NTLM scheme:
http://www.innovation.ch/personal/ronald/ntlm.html