Currently I'm trying to solve my problem, which is to implement NTLM authorization on my intranet site the way I think it should work, namely asking for a password only on certain pages, not just on hitting the main page, so the site should be divided into two pieces: available for all, and restricted.

The issue is that I'm using the Nancy framework and it does not implement NTLM natively. But this will not stop a real cowboy programmer. So I'm trying to develop a custom request/response sequence to accomplish this goal.

For now I have discovered this Q&A, but the solution there is glued to IIS...

I have discovered a site with lots of complex information about NTLM, and I'm wondering whether there is any C# class to simplify this process?

Namely, one helping to create responses of different types.

Currently my code looks like this:

using System.Linq;
using System.Security.Principal;
using Nancy;

public class ProfileModule : NancyModule
{
    public ProfileModule()
    {
        Get["/Profile/"] = parameters =>
        {
            if (this.Request.Headers.Keys.Any(x => x == "Authorization"))
            {
                // The client sent an Authorization header. The NTLM token inside it
                // (Type 1 or Type 3) is not decoded or validated here yet.
                // Note: WindowsIdentity.GetCurrent() is the identity of the server
                // process, not of the browser user.
                var expert = new Expert(WindowsIdentity.GetCurrent()); // application-specific class
                var model = expert.Ensure();

                return View["Profile.liquid", model];
            }
            else
            {
                // No credentials yet: answer 401 with a bare "NTLM" challenge (stage 1 only).
                var response = new Response();
                response.StatusCode = HttpStatusCode.Unauthorized;
                response.Headers.Add("WWW-Authenticate", "NTLM");
                return response;
            }
        };
    }
}

But it implements only the first stage of NTLM authorization. Is it possible to avoid lots of manual code for the other steps by using a ready-to-use helper?

shytikov
  • Just in case English is not your first language, you do realise that "cowboy programmer" is a derogatory term? – Ben Robinson Dec 10 '12 at 17:18
  • @Ben, you're right, English is not my first language. But I know the "cowboy programmer" idiom. This is sarcasm caused by desperation. Support for Windows Authorization is poor in IIS and ASP.NET MVC as I see it. And in Nancy it just doesn't exist at all. And I need to implement it at almost any cost... – shytikov Dec 10 '12 at 17:25
  • You could p/invoke SSPI http://msdn.microsoft.com/en-us/library/windows/desktop/aa380493(v=vs.85).aspx and you *may* be able to validate passwords over NTLM... It may depend on the AD permissions of the user you're running your process as. But why not just run Nancy under IIS and have it handle the authentication? – Edward Thomson Dec 10 '12 at 18:01
  • @EdwardThomson I was trying to make Nancy work with IIS, but as far as I understand the best I can get is the following behavior: IIS asks for a password on the first page of the site (while I need to secure only the profile area) and it is impossible to log out unless the user closes the browser (while I'm required to keep this situation more or less flexible). – shytikov Dec 11 '12 at 08:13
  • I would think that there's a configuration setting in IIS even for virtual paths, but I don't know. Regarding the second part, there's no "logging out" of SPNEGO (NTLM/Kerberos), those credentials will always be presented when requested (if the remote server is trusted.) – Edward Thomson Dec 11 '12 at 14:30
  • Where can I view examples? Or a how-to for this? Thank you! – amaranth Nov 21 '13 at 10:15

3 Answers

If you really want to write all this yourself, I think you're in for a bit of a mammoth task. This URL may help you; it has information on NTLM auth in general, but also shows an example of the conversation for HTTP authentication using NTLM:

http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication

Another possible avenue to explore is to see if there's anything in the Mono code base that you can make use of - that's what we did with the built-in JSON serializer.

Another option is to use forms or basic auth, but authenticate the usernames/passwords against AD/LDAP.

Steven Robbins
  • I know this might be a huge task... That's why I'm asking about a C# helper class... It's strange if Microsoft doesn't have it. Regarding basic auth, yeah... this is kind of a way out. I will try it... Thank you! – shytikov Dec 11 '12 at 08:18
  • By the way, not that huge... Currently the only thing missing to complete a rough and dirty implementation is the validation procedure of the NT password hash for a given user. But I cannot find any information on how this could be solved: http://stackoverflow.com/questions/13840679/validate-nt-and-lm-hashes-against-active-directory – shytikov Dec 12 '12 at 14:54
  • Are you talking about client or server here? I did a lot of NTLMv2 related work in Mono recently, but we only implemented it for the client side. If you're looking at specific server-side examples, I'd recommend looking at the Samba sources. There's also a stand-alone command line challenge/response tool - I used that a lot while testing my new NTLMv2 code in Mono. – Martin Baulig Dec 13 '12 at 15:50
  • It's more about the server. I've seen the NTLMv2 code from Mono and actually I'm using it to understand the contents of the byte arrays supplied to me by the client and to compose the Type2Message response to it. The problem is that I've successfully received the Type3Message and need to validate it using C#... Currently I'm digging in this direction: http://pinvoke.net/default.aspx/secur32/InitializeSecurityContext.html But there are no significant results for now. – shytikov Dec 14 '12 at 11:24
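The three-message exchange that the Davenport page above documents (Type 1 negotiate, Type 2 challenge, Type 3 authenticate) as an added Python example; this is not code from the question, the answers, Nancy or Mono. It decodes the client's Authorization header with bounds checks on every security buffer, builds the server's Type 2 challenge, and builds a Type 3 message only as constructed test input; the user name, domain and challenge bytes in the test are invented.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set
NEGOTIATE_NTLM = 0x00000200

def _buf(msg, off):
    # Security buffer = (length u16, max length u16, offset u32); reject out-of-range offsets.
    length, _, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_authorization(header):
    """Decode 'Authorization: NTLM <base64>' into (message type, fields)."""
    scheme, _, token = header.strip().partition(" ")
    if scheme != "NTLM" or not token:
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1 and len(msg) >= 16:  # Type 1 (NEGOTIATE): the server only needs the flags
        return 1, {"flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == 3 and len(msg) >= 64:  # Type 3 (AUTHENTICATE): five buffers at 12..52, flags at 60
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return 3, {"flags": flags, "lm_response": _buf(msg, 12), "nt_response": _buf(msg, 20),
                   "domain": _buf(msg, 28).decode(enc), "user": _buf(msg, 36).decode(enc),
                   "workstation": _buf(msg, 44).decode(enc)}
    raise ValueError("unsupported or truncated NTLM message (type %d)" % mtype)

def build_type2(client_flags, challenge):
    """Type 2 (CHALLENGE) with empty target name/info. challenge = 8 fresh random bytes per handshake."""
    flags = NEGOTIATE_NTLM | (client_flags & NEGOTIATE_UNICODE)  # echo the client's string encoding
    msg = (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48) + struct.pack("<I", flags)
           + challenge + b"\x00" * 8 + struct.pack("<HHI", 0, 0, 48))
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def build_type3(user, domain, workstation, nt_response, lm_response=b""):
    """Type 3 (AUTHENTICATE) in unicode form; used here only to construct test input."""
    fields = [lm_response, nt_response] + [s.encode("utf-16-le") for s in (domain, user, workstation)]
    header, payload, offset = b"", b"", 64  # payload starts right after the 64-byte fixed header
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), offset)
        payload, offset = payload + f, offset + len(f)
    msg = (SIGNATURE + struct.pack("<I", 3) + header + struct.pack("<HHI", 0, 0, 64)
           + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")
```

The code stops where validation starts: checking nt_response against the challenge needs the user's NT hash or a hand-off to the domain (AcceptSecurityContext via SSPI on Windows), and the challenge must be remembered per connection so the Type 3 is matched to the Type 2 it answers.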
I have developed, merging several sources, a working implementation of the whole protocol: "NTLM"->"NTLM with client data"->"NTLM challenge"->"NTLM challenge from client", and everything works well and without the need for external libraries. The only little problem is that it's all C++ (hate playing with buffers in C# :P ); it's a 140kb C++ source. Everything can be found here: https://kendar.org/?p=/dotnet/kendarntlmlib

--HERE STARTS THE BAD NEWS...--

As far as I understood, on IIS this kind of thing can work only as an ISAPI filter. NTLM being a -connection based- protocol, I was not able to do the request-response-request in the same HTTP request while in an MVC controller, aspx page or ashx handler. And IIS does not expose any socket handle that can be used to "override" the standard connection-less approach of HTTP except in the ISAPI part... (it's HTTP after all, but it's cutting my wings :P )

I hoped to use it like the basic authentication attribute I've seen used on the Bonobo GitHub clone... but no luck..

--HERE ENDS THE BAD NEWS--

Plus I had some problems loading a native DLL into a C# AnyCPU-compiled project, but this is easy :P (http://blogs.msdn.com/b/jorman/archive/2007/08/31/loading-c-assemblies-in-asp-net.aspx just for reference)

Kendar
I need an example of using https://github.com/toolchain/Nancy.Authentication.Ntlm with user restrictions on some Nancy views. Thank you!

amaranth
  • Are you asking a question or posting an answer? This seems like you are asking a question; if so, then you should post a new question. – Taryn Dec 03 '13 at 11:12