没有 .NET 的 Windows 身份验证标头。可能的？

发布于 2024-10-21 15:36:51 字数 171 浏览 10 评论 0原文

我想知道是否有人知道一种无需托管在 ASP 站点上即可使用 Windows 身份验证的方法。这是一个可以访问 LDAP 的 Intranet，所以我想知道是否有办法强制客户端向我提供数据，就像数据来自 ASP 站点一样。我只需要登录域和用户名，我就可以从那里运行。在 Ubuntu 上使用 Node.js。有人有这方面的经验吗？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

不美如何 2024-10-28 15:36:55

您可以在 Apache 中使用 NTLM 模块，也可以在 IIS 下设置一个脚本来捕获登录信息并将其 POST 到您的 node.js 站点。

回复收藏 0 原文

国产ˉ祖宗 2024-10-28 15:36:55

如果您使用的是 Ubuntu，请执行

sudo apt-get ntlmaps 或下载“ntlmaps-xx-xx.deb”

并配置您的代理，该代理会询问您的域名、用户名和密码。

然后运行 ntlmaps 作为您的代理。 Ntlmaps 将使用您的用户名和密码进行身份验证。您编写的任何程序 ntlmaps 都会使用您给定的配置详细信息自动验证您的程序。然而，安装 ntlmaps 后还需要配置一些东西。首先让我知道这是否是您正在寻找的东西？

回复收藏 0 原文

凉墨 2024-10-28 15:36:54

更新：现在有实现 Windows 集成身份验证的模块。

在 401 响应中，您需要提供值为 NTLM 的 WWW-Authenticate 标头，该标头通知浏览器需要发送 Windows证书。

response.writeHead(401, {
    'WWW-Authenticate': 'NTLM',
});

然后您就可以享受实施 NTLM 身份验证的乐趣了。引用这篇关于NTLM身份验证协议的文档：

客户端请求受保护的资源来自服务器：
```
GET /index.html HTTP/1.1
```
服务器响应 401 状态，表明客户端必须进行身份验证。 NTLM 通过 WWW-Authenticate 标头呈现为受支持的身份验证机制。通常，服务器此时关闭连接：
```
HTTP/1.1 401 未经授权
WWW 验证：NTLM
连接：关闭
```
请注意，如果 NTLM 是第一个提供的机制，Internet Explorer 将仅选择它；这与 RFC 2616 不一致，RFC 2616 规定客户端必须选择支持的最强身份验证方案。
客户端使用包含类型 1 的 Authorization 标头重新提交请求消息参数。类型 1 消息采用 Base-64 编码进行传输。从此时起，连接将保持打开状态；关闭连接需要重新验证后续请求。这意味着服务器和客户端必须通过 HTTP 1.0 样式的“Keep-Alive”标头或 HTTP 1.1（默认情况下使用持久连接）支持持久连接。相关请求头如下所示：
```
GET /index.html HTTP/1.1
授权： NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1JLU1RBVElPTkRPTUFJTg==
```

服务器回复 401 状态，其中包含 WWW-Authenticate 标头中的“noreferrer">类型 2 消息（同样采用 Base-64 编码）。如下所示。

HTTP/1.1 401 未经授权
WWW 身份验证：NTLM TlRMTVNTUAACAAAADAAMADAAAAABAoEAASNFZ4mrze8AAAAAAAAAAGIAYgA8AAARABPAE0AQQBJAE4AAgAMAEQATwBNAEEASQBOAAEADABTAEUAUgBWAEUAUgAEABQAZABvAG0AYQBpAG4ALgBjAG8AbQADACIAcwBlAHIAdgBlAHIALgBkAG8Ab QBhAGkAbgAuAGMAbwBtAAAAAAA=

客户端通过重新提交带有包含 Base-64 编码类型 3 消息：

GET /index.html HTTP/1.1
授权： NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABAAAAACAAIAEwAAAAWABYAVAAAAAAAAACaAAAAAAQIAAEQATwBNAEEASQBOAHUAcwBlAHIAVwBPAFIASwBTAFQAQQBUAEkATwBOAMM3zVy9RPyXgqZnr21CfG3mfCDC0+d8ViWpjBwx6BhHR mspst9GgPOZWPuMITqcxg==

最后，服务器验证客户端 Type 3 消息中的响应并允许访问资源。
<预><代码> HTTP/1.1 200 确定

获取用户的用户名应该很容易——它在 Type 3 消息中以纯文本形式发送。实际上验证他们是否提供了正确的密码完全是另一回事。实现所有这些都作为读者的练习。

Update: There's now a module that implements Windows-integrated authentication.

In your 401 response, you need to provide a WWW-Authenticate header with a value of NTLM, which informs browsers that they need to send Windows credentials.

response.writeHead(401, {
    'WWW-Authenticate': 'NTLM',
});

You then have the fun of implementing NTLM authentication. Quoting from this document about the NTLM authentication protocol:

The client requests a protected resource from the server:
```
GET /index.html HTTP/1.1
```
The server responds with a 401 status, indicating that the client must authenticate. NTLM is presented as a supported authentication mechanism via the WWW-Authenticate header. Typically, the server closes the connection at this time:
```
HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
Connection: close
```
Note that Internet Explorer will only select NTLM if it is the first mechanism offered; this is at odds with RFC 2616, which states that the client must select the strongest supported authentication scheme.
The client resubmits the request with an Authorization header containing a Type 1 message parameter. The Type 1 message is Base-64 encoded for transmission. From this point forward, the connection is kept open; closing the connection requires reauthentication of subsequent requests. This implies that the server and client must support persistent connections, via either the HTTP 1.0-style "Keep-Alive" header or HTTP 1.1 (in which persistent connections are employed by default). The relevant request headers appear as follows:
```
GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1JLU1RBVElPTkRPTUFJTg==
```

The server replies with a 401 status containing a Type 2 message in the WWW-Authenticate header (again, Base-64 encoded). This is shown below.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAABAoEAASNFZ4mrze8AAAAAAAAAAGIAYgA8AAAARABPAE0AQQBJAE4AAgAMAEQATwBNAEEASQBOAAEADABTAEUAUgBWAEUAUgAEABQAZABvAG0AYQBpAG4ALgBjAG8AbQADACIAcwBlAHIAdgBlAHIALgBkAG8AbQBhAGkAbgAuAGMAbwBtAAAAAAA=

The client responds to the Type 2 message by resubmitting the request with an Authorization header containing a Base-64 encoded Type 3 message:

GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABAAAAACAAIAEwAAAAWABYAVAAAAAAAAACaAAAAAQIAAEQATwBNAEEASQBOAHUAcwBlAHIAVwBPAFIASwBTAFQAQQBUAEkATwBOAMM3zVy9RPyXgqZnr21CfG3mfCDC0+d8ViWpjBwx6BhHRmspst9GgPOZWPuMITqcxg==

Finally, the server validates the responses in the client's Type 3 message and allows access to the resource.
```
 HTTP/1.1 200 OK
```

It should be easy enough to get the user's username – it's sent as plain text in the Type 3 message. Actually validating that they've supplied the correct password is another matter entirely. Implementing all of this is left as an exercise for the reader.

回复收藏 0 原文

南街女流氓 2024-10-28 15:36:54

尝试 Apache mod_ntlm 或 mod_auth_ntlm_winbind。

在Ubuntu中：

[email protected]:~# apt-cache search ntlm apache
libapache2-authenntlm-perl - Perform Microsoft NTLM and Basic User Authentication

[email protected]:~# apt-cache show libapache2-authenntlm-perl
Package: libapache2-authenntlm-perl
Priority: optional
Section: universe/perl
Installed-Size: 192
Maintainer: Ubuntu MOTU Developers <[email protected]>
Original-Maintainer: Debian Perl Group <[email protected]>
Architecture: amd64
Version: 0.02-5
Depends: libapache2-mod-perl2, libc6 (>= 2.4), perl (>= 5.10.0-9), perlapi-5.10.0
Conflicts: libauthen-smb-perl (<= 0.96)
Filename: pool/universe/liba/libapache2-authenntlm-perl/libapache2-authenntlm-perl_0.02-5_amd64.deb
Size: 51418
MD5sum: 46f74ac156f7006d8d71ddbf00097e46
SHA1: 133aebf896156929d364950c2772c3e1344b9c9b
SHA256: 0688b38ab145f888a4d111aad12cb7f201dcd6e12ed969af697d3fec4a55c428
Description: Perform Microsoft NTLM and Basic User Authentication
 The purpose of this module is to perform a user authentication via Microsoft's
 NTLM protocol. This protocol is supported by all versions of the Internet
 Explorer and is mainly useful for intranets. Depending on your preferences
 setting IE will supply your windows logon credentials to the web server
 when the server asks for NTLM authentication. This saves the user to type in
 his/her password again.
 .
 The NTLM protocol performs a challenge/response to exchange a random number
 (nonce) and get back a md4 hash, which is built from the user's password
 and the nonce. This makes sure that no password goes over the wire in plain
 text.
 .
 The main advantage of the Perl implementation is, that it can be easily
 extended to verify the user/password against other sources than a windows
 domain controller.
 .
 The default implementation is to go to the domain controller for the given
 domain and verify the user. If you want to verify the user against another
 source, you can inherit from Apache2::AuthenNTLM and override it's methods.
Homepage: http://search.cpan.org/dist/Apache2-AuthenNTLM
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

Try Apache mod_ntlm or mod_auth_ntlm_winbind.

In Ubuntu:

[email protected]:~# apt-cache search ntlm apache
libapache2-authenntlm-perl - Perform Microsoft NTLM and Basic User Authentication

[email protected]:~# apt-cache show libapache2-authenntlm-perl
Package: libapache2-authenntlm-perl
Priority: optional
Section: universe/perl
Installed-Size: 192
Maintainer: Ubuntu MOTU Developers <[email protected]>
Original-Maintainer: Debian Perl Group <[email protected]>
Architecture: amd64
Version: 0.02-5
Depends: libapache2-mod-perl2, libc6 (>= 2.4), perl (>= 5.10.0-9), perlapi-5.10.0
Conflicts: libauthen-smb-perl (<= 0.96)
Filename: pool/universe/liba/libapache2-authenntlm-perl/libapache2-authenntlm-perl_0.02-5_amd64.deb
Size: 51418
MD5sum: 46f74ac156f7006d8d71ddbf00097e46
SHA1: 133aebf896156929d364950c2772c3e1344b9c9b
SHA256: 0688b38ab145f888a4d111aad12cb7f201dcd6e12ed969af697d3fec4a55c428
Description: Perform Microsoft NTLM and Basic User Authentication
 The purpose of this module is to perform a user authentication via Microsoft's
 NTLM protocol. This protocol is supported by all versions of the Internet
 Explorer and is mainly useful for intranets. Depending on your preferences
 setting IE will supply your windows logon credentials to the web server
 when the server asks for NTLM authentication. This saves the user to type in
 his/her password again.
 .
 The NTLM protocol performs a challenge/response to exchange a random number
 (nonce) and get back a md4 hash, which is built from the user's password
 and the nonce. This makes sure that no password goes over the wire in plain
 text.
 .
 The main advantage of the Perl implementation is, that it can be easily
 extended to verify the user/password against other sources than a windows
 domain controller.
 .
 The default implementation is to go to the domain controller for the given
 domain and verify the user. If you want to verify the user against another
 source, you can inherit from Apache2::AuthenNTLM and override it's methods.
Homepage: http://search.cpan.org/dist/Apache2-AuthenNTLM
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu

回复收藏 0 原文

~没有更多了~