6

I have gone through some websites, like http://www.innovation.ch/personal/ronald/ntlm.html, for a better understanding of NTLM, and I started to create a demo which authenticates users in a Node.js application using NTLM. In this demo I created an application with the expressjs and express-ntlm modules. But I still don't understand how NTLM works with Node.js web services.

I have some questions about NTLM authentication.

  • How does NTLM work for a web service?
  • How can I customize the login page while using NTLM? Currently I am getting an input box for login credentials.
  • Which users can I use to authenticate? Currently the application accepts anything as username and password, so I am not clear which username and password it will use.

Here is my code.

var app, express, ntlm;

express = require('express');

ntlm = require('express-ntlm');

app = express();

app.all('/', ntlm());

app.get('/', function(request, response) {
  response.send(request.ntlm);
});

app.listen(3000);
Laxmikant Dange
  • 1
    [express-ntlm](https://www.npmjs.com/package/express-ntlm) is now updated and proxies its request to an Active Directory. So it's not possible to use anything as a username and password. – Fabio Poloni Jan 07 '15 at 07:24

3 Answers

5

There is a Passport.js authentication strategy that supports NTLM authentication and has a method for allowing a custom login screen. How to configure it will depend on which type of server you're using, but they do a good job of explaining the concepts within their examples.

Look at the section Non-Integrated authentication

https://www.npmjs.org/package/passport-windowsauth

Brian Shamblen
  • Thanks, this helps me to develop the application, but the question still arises: how does NTLM work for web services? – Laxmikant Dange Nov 25 '14 at 13:36
  • Just to be clear, when you ask "how NTLM works for a web service", do you mean "how can a RESTful API call be authenticated using NTLM"? – Brian Shamblen Nov 25 '14 at 15:31
  • Yes, I know how NTLM works, but for web service authentication, what is the process or flow of authentication, and what is different in NTLM authentication compared to normal authentication? – Laxmikant Dange Nov 26 '14 at 06:54
2

I think you are looking for this answer. Read the answer by josh3736, he explains the flow in NTLM.

Also, as suggested by Brian Shamblen, you don't really need to get into all this stuff; passport.js can efficiently handle all this for you. Here is a tutorial: http://passportjs.org/guide/

Naeem Shaikh
0

NTLM PROCESS FOR GET REQUESTS:

 STEP 1: The Client requests a protected resource from the server
 STEP 2: The Server responds with a 401 status, with a header indicating that the client must authenticate
 STEP 3: The Client resubmits the request with an Authorization header containing a Base-64 encoded Type 1 message.  From this point forward, the connection is kept open; closing the connection requires reauthentication of subsequent requests.
 STEP 4: The Server replies with a 401 status containing a Base-64 encoded Type 2 message in the WWW-Authenticate header
 STEP 5: The Client responds to the Type 2 message by resubmitting the request with an Authorization header containing a Base-64 encoded Type 3 message
 STEP 6: Finally, the Server validates the responses in the client's Type 3 message and allows access to the resource.

NTLM PROCESS FOR POST REQUESTS:

 STEP 1: The Client submits an empty POST request with a Type 1 message in the "Authorization" header
 STEP 2: The Server replies with a 401 status containing a Base-64 encoded Type 2 message in the WWW-Authenticate header
 STEP 3: The Client resubmits the POST with a Base-64 encoded Type 3 message, sending the data payload with the request.
KARTHIKEYAN.A
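The Type 1/2/3 messages in the flow above can be told apart by decoding the header value. The following is an added example, not code from the question, the answers or express-ntlm: it assumes the field offsets of the message layout in the innovation.ch document linked in the question, the function names are hypothetical, and the sample message is constructed. It also shows why a server that stops after parsing accepts any username: the names in a Type 3 message are client-supplied until the response is validated.

```javascript
// Added example (not from the original answers): decode the NTLM token in an
// Authorization / WWW-Authenticate header value and report what it carries.
const SIG = Buffer.from('NTLMSSP\0', 'latin1');

// Security buffer: uint16 length, uint16 allocated, uint32 offset (little-endian).
function secBuf(msg, at) {
  const len = msg.readUInt16LE(at), off = msg.readUInt32LE(at + 4);
  if (off + len > msg.length) throw new Error('security buffer out of bounds');
  return msg.subarray(off, off + len);
}

function parseNtlmHeader(value) {
  const m = /^NTLM\s+([A-Za-z0-9+/=]+)$/i.exec(value.trim());
  if (!m) return null; // bare "NTLM" challenge (GET step 2) or another scheme
  const msg = Buffer.from(m[1], 'base64');
  if (msg.length < 12 || !msg.subarray(0, 8).equals(SIG)) throw new Error('not an NTLM message');
  const type = msg.readUInt32LE(8);
  if (type === 1) return { type };
  if (type === 2) {
    if (msg.length < 32) throw new Error('truncated Type 2');
    return { type, challenge: msg.subarray(24, 32).toString('hex') };
  }
  if (type !== 3) throw new Error('unknown message type ' + type);
  if (msg.length < 64) throw new Error('truncated Type 3'); // assumes flags field present
  const enc = (msg.readUInt32LE(60) & 1) ? 'utf16le' : 'latin1'; // bit 0: Unicode strings
  return {
    type,
    domain: secBuf(msg, 28).toString(enc),
    user: secBuf(msg, 36).toString(enc),
    workstation: secBuf(msg, 44).toString(enc),
    ntResponseLength: secBuf(msg, 20).length,
    verified: false, // names are client-supplied until the response is checked (GET step 6)
  };
}

// Constructed sample, not a capture: Type 3 with empty LM/NT responses.
function sampleType3(domain, user, host) {
  const empty = Buffer.alloc(0);
  const parts = [empty, empty, ...[domain, user, host].map((s) => Buffer.from(s, 'utf16le')), empty];
  const hdr = Buffer.alloc(64);
  SIG.copy(hdr);
  hdr.writeUInt32LE(3, 8);
  hdr.writeUInt32LE(1, 60);
  let off = 64;
  parts.forEach((p, i) => {
    hdr.writeUInt16LE(p.length, 12 + 8 * i);
    hdr.writeUInt16LE(p.length, 14 + 8 * i);
    hdr.writeUInt32LE(off, 16 + 8 * i);
    off += p.length;
  });
  return 'NTLM ' + Buffer.concat([hdr, ...parts]).toString('base64');
}
```

Calling `parseNtlmHeader(sampleType3('CORP', 'alice', 'WS01'))` returns the claimed domain, user and workstation with `verified: false`; the constructed sample's zero-length NT response is the kind of input a server must reject rather than treat as a login.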