6

Is there a way to determine if a browser supports NTLM without having NTLM enabled for the particular site or directory in IIS and without showing a login dialog/pop-up? Preferably, determine this using ColdFusion or perhaps some combination of JS and CF. I'd prefer not to restrict this to just IE as other browsers (such as FF) support NTLM authentication.

illvm
  • 1,336
  • 13
  • 28

3 Answers3

4

If you request a page and the page returns 401 and says it only accepts NTLM, and then the browser sends another HTTP packet trying to respond to it, then it supports NTLM. You don't have to make IIS do this -- you could have any page where you can set the response codes and headers request NTLM. If you don't get another request, it means that the client couldn't authenticate this way.

You could detect this on the client by putting this request in an IFrame, then in the outer page checking to see what happened in the iframe.

Lou Franco
  • 87,846
  • 14
  • 132
  • 192
  • I tried doing this, but unfortunately the browser still asks for credentials. Which kind of ruins the transparency of the whole thing. Basically, I don't want any logins other than transparent NTLM authentication. Is there anyway to suppress this default behavior? I tried Steve's suggestion, too, but it seems using that technique has the CF server sending the data and it is no longer passing in the data from the client. This results in a constant 401 response. – illvm Jun 22 '09 at 22:01
  • Did you see what happens if you try to make an XMLHTTPRequest? – Lou Franco Jun 23 '09 at 13:48
  • I would also try to see what happens with other ways of forcing an HTTP request to be made (img, script, link, etc tags). Maybe there's one that the browser will silently fail (and not pop-up). – Lou Franco Jun 23 '09 at 14:30
  • XMLHTTPRequest would work for Firefox, but not IE. In Firefox you can make XHTTPRs run int he background and suppress the pop-ups, but as far as I am aware there is no way of doing it in IE, or any other browser. I tried using img, script, and link tags including dynamically building them at run time. No luck so far. – illvm Jun 23 '09 at 19:00
  • Might need a combination of browser detection and these techniques -- good luck. – Lou Franco Jun 23 '09 at 19:39
  • I don't understand how will above techquie would help detecting does the browser support NTLM, please explain it little bit more? Please correct if I am wrong. The browser will `prompt login dialog`/`make another http packet` once its received the 401 respond with NTLM header. If I use java script/XMLHTTPRequest or whatever to make a request and get a 401 response with NTML header, because the request is made by my client code, the handling response will not be handle by the browser but my client code as well, so the browser it won't fire another HTTP packet and try responds it. – King Chan Apr 18 '13 at 20:56
2

Building on Lou's answer, you could make a cfhttp request within a try/catch block. You then check the response headers to determine your next steps.

Steve -Cutter- Blades
  • 5,057
  • 2
  • 26
  • 40
0

Unfortunately, you may be forced to use browser sniffing and a white-list.

Adam Tuttle
  • 19,505
  • 17
  • 80
  • 113
  • This doesn't work unfortunately because there is no way of telling whether the browser is configured to use the particular page as a trusted source for NTLM authentication. – illvm Jun 23 '09 at 18:59