如何使用 NTLM 身份验证测试 HTTP 客户端?

发布于 2024-09-26 17:28:26 字数 179 浏览 8 评论 0 原文

我有一些充当 HTTP 客户端的代码,它支持基本身份验证以及 NTLM 身份验证。我可以通过需要用户名/密码来访问 Apache 服务器上的 .htaccess 中的文件来轻松测试基本身份验证是否有效。但是,如果不安装 IIS,如何测试 NTLM 身份验证呢?是否有任何公共 HTTP 服务器接受 NTLM 身份验证?

I have some code acting as an HTTP client which supports basic authentication as well as NTLM authentication. I can easily test that basic authentication works by requiring a username/password to access a file in the .htaccess on an Apache server. But how can I test NTLM authentication, short of installing IIS? Are there by any chance any public HTTP servers that accept NTLM authentication?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

金兰素衣 2024-10-03 17:28:26

我一直在寻找同样的问题(“如何设置 ntlm 代理虚拟服务器”)并找到了这个。这是我的解决方案,介绍如何在不使用 Microsoft IIS 服务器的情况下为代理服务器设置转发 NTLM 身份验证。相反,我们将使用 Apache httpd.exe

  1. 下载 Apache HTTP 服务器 Apache 2.4.29。
    我使用了 ApacheHaus 的 Windows 32 位 (VC14) 版本二进制文件
  2. 下载匹配模块 Mod Auth NTLM,在我的例子中是 mod_authn_ntml-1.0.8-2.4.x-x86-vc14.zip
  3. 安装服务器和模块,并配置所有内容这样服务器就会启动,当您浏览到本地主机时,您会看到默认网页
  4. 现在再次编辑conf/httpd.conf配置文件,并进行以下更改:

    #确保至少加载模块及其依赖项:
    LoadModule headers_module 模块/mod_headers.so
    LoadModule info_module 模块/mod_info.so
    LoadModule ldap_module 模块/mod_ldap.so
    LoadModule proxy_module 模块/mod_proxy.so
    LoadModule proxy_connect_module 模块/mod_proxy_connect.so
    LoadModule proxy_http_module 模块/mod_proxy_http.so
    LoadModule request_module 模块/mod_request.so
    LoadModule rewrite_module 模块/mod_rewrite.so
    LoadModule socache_shmcb_module 模块/mod_socache_shmcb.so
    LoadModule ssl_module 模块/mod_ssl.so
    LoadModule status_module 模块/mod_status.so
    
    #添加新模块
    LoadModule auth_ntlm_module 模块/mod_authn_ntlm.so
    

启用代理服务器。请注意,您可能会打开一个开放的代理服务器到互联网...

     ProxyVia On
     ProxyRequests On 

    <Proxy "*">
        AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>
    </Proxy>

或者,如果您只想保护一个目录,您可以从 mod_authn_ntml 配置示例中复制代码:

  <Location /testDirectory >
    AuthName "Private location for testing NTLM authentication"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>

    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then

     RewriteEngine On
     RewriteCond %{LA-U:REMOTE_USER} (.+)
     RewriteRule . - [E=RU:%1]
     RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e

  </Location>
  1. 要捕获本地环回流量并调试发生了什么,您需要安装 Wireshark 2.4.4,然后安装特殊的 npcap-0.97.exe 环回捕获驱动程序。这样您就可以嗅探浏览器和本地网络服务器之间的流量

  2. 如果您想对代理服务器使用 NTLM 身份验证,您需要遵循 mod_ntlmn_auth GitHub 页面的建议,并在注册表中设置标志 DisableLoopbackCheck(请参阅 https://support.microsoft.com/en-us/kb/896861 ),否则所有本地身份验证请求都会失败.

  3. 将您的浏览器设置为使用您的本地 IP 地址作为代理服务器。如果一切正常,浏览器将在后台发送您的凭据。

  4. 要查看发生了什么,您现在可以检查 Wireshark 日志,并且 Apache 日志/access.log 还会向您显示用于身份验证的域\用户。

希望这可以帮助人们测试他们的代理脚本,因为我遇到的很多代理软件都无法正确处理 NTLM 代理,这在商业环境中很重要。

I was looking for the same question ("how to set-up a ntlm proxy dummy server") and found this. So here is my solution, on how to set up a forwarding NTLM authentication for a proxy server, without using IIS server from Microsoft. Instead we will use Apache httpd.exe

  1. Download Apache HTTP server Apache 2.4.29.
    I used the windows 32bit (VC14) version binaries from ApacheHaus
  2. Download the matching module Mod Auth NTLM for, in my case mod_authn_ntml-1.0.8-2.4.x-x86-vc14.zip
  3. Install the server, and the module, and configure everything so the server will start up and you see the default webpage when you browse to your localhost
  4. Now edit the conf/httpd.conf configure file again, and make these changes:

    #Make sure to load at least the modules, and their dependencies:
    LoadModule headers_module modules/mod_headers.so
    LoadModule info_module modules/mod_info.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule request_module modules/mod_request.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule status_module modules/mod_status.so
    
    #add the new module
    LoadModule auth_ntlm_module modules/mod_authn_ntlm.so
    

Enable the proxy server. Be warned, you may open an open proxy server to the internet...

     ProxyVia On
     ProxyRequests On 

    <Proxy "*">
        AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>
    </Proxy>

Or, if you just want to secure just one directory, you can copy the code from the mod_authn_ntml config example:

  <Location /testDirectory >
    AuthName "Private location for testing NTLM authentication"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>

    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then

     RewriteEngine On
     RewriteCond %{LA-U:REMOTE_USER} (.+)
     RewriteRule . - [E=RU:%1]
     RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e

  </Location>
  1. To capture the local loopback traffic and to debug what's going on, you need to install Wireshark 2.4.4 and then the special npcap-0.97.exe loopback-capture driver. With this you can sniff the traffic between your browser and your local web-server

    1. If you want to use the NTLM authentication for the proxy server, you will need to follow the advice from mod_ntlmn_auth GitHub page and set the flag DisableLoopbackCheck in the registry (see https://support.microsoft.com/en-us/kb/896861 ), otherwise all local authentication requests will silently fail.

    2. Set up your browser to use your local IP address as a proxy server. If everything works, the browser will send your credentials in the background.

    3. To see what's going on, you can now check your Wireshark logs, and the also the Apache logs/access.log shows you the Domain\User that was used for authentication.

Hope that helps someone out there to test their proxy scripts, because a lot of proxy software I encounter can't handle NTLM proxies correctly, which is important in a business environment.

你的笑 2024-10-03 17:28:26

您可能已经意识到,由于 NTLM 是一种专有身份验证协议(没有 Microsoft 提供的任何官方公共文档),因此您必须针对在 Windows 上运行的实际 IIS 服务器进行测试,或者您可以尝试使用从文档中收集的详细信息来模拟身份验证方案,例如:

HTTP 的 NTLM 身份验证方案

您不会找到很多公共 HTTP 服务器(如果有的话) )在互联网上您可以对其进行测试。 NTLM 身份验证通常部署供企业使用,例如针对 Active Directory 进行身份验证,并且通常锁定在公司 VPN 后面。

我会硬着头皮在虚拟机中启动一个 Windows 实例(Microsoft 让您下载大量 Windows 2008 的 120 天试用版等)并对其进行测试。

As you have probably already realised, because NTLM is a proprietary authentication protocol (that doesn't have any official public documentation provided by Microsoft), you're going to have to either test against an actual IIS server running on Windows, or you could try and mock the authentication scheme using details gleaned from documentation such as this:

NTLM Authentication Scheme for HTTP

You won't find many public HTTP servers (if any) on the internet that you'll be able to test against. NTLM authentication is generally deployed for corporate use such as authenticating against Active Directory and are most often locked behind company VPN's.

I'd bite the bullet and fire up an instance of Windows (Microsoft let you download plenty of 120 day trials of Windows 2008 etc) in a Virtual Machine and test against that.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文