Windows authentication - Kerberos or NTLM (Negotiate oYICO...)

Question

I have problems with a single user in an intranet application. The client side is a WPF application which communicates with a ASP.Net Web API Web Service.

The client sends HTTPS GET and POST requests using

HttpClientHandler handler = new HttpClientHandler()
{
  AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip,
  UseDefaultCredentials = true,
  PreAuthenticate = true
};

On IIS Windows authentication is enabled with NTLM and Negotiate providers.

The system works for all users except one that gets 401.1 but only from POST requests.

I'm currenty trying to figure out what's different with this user. The only thing I noticed is a different kind of authorization header.

From here (and many other resources) I read:

If the header starts with a "T" (example: HTTP: Authorization = Negotiate TlRMTVNTU...) then you're using NTLM. If it starts with a "Y" (example: Authorization: Negotiate YIILjgYGKwYB...) then you're successfully using Kerberos.

I can see headers for working requests that seems to use Kerberos:

Authorization: Negotiate YIIT4QYGKwYBBQUCoIIT1TCC...

The header which is sent from the user which fails to POST looks like

Authorization: Negotiate oYICOTCCAjWgAwoBAaKCAhg...

It starts with o. So is this NTLM or Kerberos? The authentication fails for POST request, but succeeds on GET!

possible duplicate of [How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header](http://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header) — IT Hit WebDAV, Aug 21 '14 at 18:24
if it start with YHU, it is a NTLM. It has to start with YII at least to be Kerberos. — jlguenego, Nov 17 '20 at 14:11

FlyingSheep · Answer 1 · 2018-08-03T12:58:47.757

Given the presence of "Negotiate " both requests seem to be attempts to use the Spnego Negotiation Mechanism. While Spnego is often used in conjunction with Kerberos, the two should not be confused.

Authorization: Negotiate oY....

...is a Spnego NegTokenResp (NegTokenTarg in Microsoft documents).

This may contain a Kerberos Token, NTLM, or any other negotiatable sub-mechanism supported by the Spnego Protocol (or by the specific Spnego implementation used). So this may be Kerberos, NTLM, or something else again.

"oY" decodes to HexByte "a1", as do "oQ" to "oZ", so any of these could indicate a NegTokenResp.

Authorization: Negotiate YI....

...is a Kerberos token (which may have a Kerberos or a Spnego OID).

It can either be sent "direct", or wrapped in a Spnego Token (e.g. the NegTokenResp above).

Michael-O · Answer 2 · 2014-06-30T07:29:57.880

0

Why don't you use Wireshark for that?

Wireshark will inspect all traffic. I will break down the ticket from ASN.1 to a displayable tree structure. You'll see what mechanism is used in your case. Additionally, you'll see all the Kerberos traffic, e.g., your TGS-REQ.

edited Jun 30 '14 at 07:29

answered Jun 29 '14 at 20:16

Michael-O

18,123
6
55
121

1

Thank you for your answer (even though it is more a comment than a real answer). I don't use Wireshark because I didn't know it :) Maybe you can give a little more details how to solve the problem using Wireshark and make your post a real answer. – hansmaad Jun 30 '14 at 06:14

Windows authentication - Kerberos or NTLM (Negotiate oYICO...)

2 Answers2

Linked