How to check NTLM type3 message? (node.js)

Question

I want to write a http server with node.js that supports NTLMv2 authentication.

Evertything works fine with the handshak (type1, type2, type3 messages) and I get my type3-message from the client (Chrome Browser). In this message that is being sent to the server there is a ntlmv2 response that I can read within my node.js server. How I can authenticate if this reponse is valid?

According to [1] I have understood the type3 message and I was able to create my own node.js-routine to generate these hashes. So when I have the password I can create a hash that is equal to the one I get from the browser. But how can I authenticate this hash/response without knowing the password? How can I authenticate this against a DomainController/ActiveDirectory in my network?

If you have look at [2], there is a picture that describes my question perfectly. How can I execute the steps "4" and "5" of this picture?

Thanks, Laryllan

[1] http://davenport.sourceforge.net/ntlm.html#theType3Message

[2] http://msdn.microsoft.com/en-us/library/cc239685.aspx

Answer 1

A quick web search affirms that everyone seems to get stuck at about the same point.

The best response to this topic I've seen so far is here: Windows Authentication Headers without .NET. Possible?

Answer 2

To valid NTLMv2 credentials you would need to perform SecureChannel encrypted RPCs with the NETLOGON service of an Active Directory domain controller. Which is to say, this is a difficult thing to do. If your server supports Java Servlet Filters there's Jespa.

Otherwise, there are modules that can do the auth at the webserver level like an Apache module or by turning on IWA in IIS. But of course these type of solutions are somewhat limited in a number of ways.