5

I was wondering if anyone knew of a way to use Windows Authentication without hosting on an ASP site. It's an intranet w/ access to LDAP, so I'm wondering if there's a way to force the client to provide me the data as if it was coming from an ASP site. I just need the login domain and username and I can run from there. Using Node.js on Ubuntu. Anyone have any experience with this?

A Wizard Did It
  • 3,614
  • 4
  • 28
  • 32
  • 1
    I think it's IIS, not .NET, that provides this under Windows. And most sane browser configurations prohibit sending OS credentials automatically. Isn't letting the user's browser save the login information (in their profile-specific encrypted password cache) good enough? But setting the appropriate HTTP headers should cause the client to send the information. You may not have any way to use the result to impersonate the user, but you should have the identity. – Ben Voigt Mar 14 '11 at 20:16
  • Windows today means Kerberos, and needn't expose the password to the server. It should certainly be possible to set this up with Apache, but I don't know how, hence not giving an answer. – Ben Mar 14 '11 at 20:19
  • Yeah I don't need the password, just their login essentially, and once I have that I plan on hitting LDAP to get first/last name, location etc and display content accordingly. I'd prefer to use Node.js so I'm hoping there's a way to find the headers I need to send. – A Wizard Did It Mar 14 '11 at 20:26

4 Answers4

10

Update: There's now a module that implements Windows-integrated authentication.

In your 401 response, you need to provide a WWW-Authenticate header with a value of NTLM, which informs browsers that they need to send Windows credentials.

response.writeHead(401, {
    'WWW-Authenticate': 'NTLM',
});

You then have the fun of implementing NTLM authentication. Quoting from this document about the NTLM authentication protocol:

  1. The client requests a protected resource from the server:

    GET /index.html HTTP/1.1

  2. The server responds with a 401 status, indicating that the client must authenticate. NTLM is presented as a supported authentication mechanism via the WWW-Authenticate header. Typically, the server closes the connection at this time:

    HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
Connection: close

    Note that Internet Explorer will only select NTLM if it is the first mechanism offered; this is at odds with RFC 2616, which states that the client must select the strongest supported authentication scheme.

  3. The client resubmits the request with an Authorization header containing a Type 1 message parameter. The Type 1 message is Base-64 encoded for transmission. From this point forward, the connection is kept open; closing the connection requires reauthentication of subsequent requests. This implies that the server and client must support persistent connections, via either the HTTP 1.0-style "Keep-Alive" header or HTTP 1.1 (in which persistent connections are employed by default). The relevant request headers appear as follows:

    GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1JLU1RBVElPTkRPTUFJTg==

  4. The server replies with a 401 status containing a Type 2 message in the WWW-Authenticate header (again, Base-64 encoded). This is shown below.

    HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAABAoEAASNFZ4mrze8AAAAAAAAAAGIAYgA8AAAARABPAE0AQQBJAE4AAgAMAEQATwBNAEEASQBOAAEADABTAEUAUgBWAEUAUgAEABQAZABvAG0AYQBpAG4ALgBjAG8AbQADACIAcwBlAHIAdgBlAHIALgBkAG8AbQBhAGkAbgAuAGMAbwBtAAAAAAA=

  5. The client responds to the Type 2 message by resubmitting the request with an Authorization header containing a Base-64 encoded Type 3 message: 

    GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABAAAAACAAIAEwAAAAWABYAVAAAAAAAAACaAAAAAQIAAEQATwBNAEEASQBOAHUAcwBlAHIAVwBPAFIASwBTAFQAQQBUAEkATwBOAMM3zVy9RPyXgqZnr21CfG3mfCDC0+d8ViWpjBwx6BhHRmspst9GgPOZWPuMITqcxg==

  6. Finally, the server validates the responses in the client's Type 3 message and allows access to the resource.

     HTTP/1.1 200 OK

It should be easy enough to get the user's username – it's sent as plain text in the Type 3 message. Actually validating that they've supplied the correct password is another matter entirely. Implementing all of this is left as an exercise for the reader.

josh3736
  • 139,160
  • 33
  • 216
  • 263
  • I do get WWW-Authenticate: NTLM back, but how do I create Type 1 message to resubmit the request? – Mark Aug 23 '19 at 19:13
  • @Mark: This answer discusses NTLM from the HTTP *server* perspective. For the client perspective, see [this answer](https://stackoverflow.com/a/13960538/201952). – josh3736 Aug 23 '19 at 23:18
  • In the provided link you are describing similar negotiation between a client and IIS. is that what an Angular client (via proxy server) has to implement? – Mark Aug 24 '19 at 08:32
  • @Mark: Browsers implement NTLM auth for you -- you shouldn't have to do anything special in your web app code (unless you're making cross-origin requests, in which case you need to set XHR's [`withCredentials`](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials) / fetch's [`credentials`](https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials) and have the proper CORS headers in the response). – josh3736 Aug 26 '19 at 04:37
0

Try Apache mod_ntlm or mod_auth_ntlm_winbind.

In Ubuntu:

root@eruditorum.org:~# apt-cache search ntlm apache
libapache2-authenntlm-perl - Perform Microsoft NTLM and Basic User Authentication

root@eruditorum.org:~# apt-cache show libapache2-authenntlm-perl
Package: libapache2-authenntlm-perl
Priority: optional
Section: universe/perl
Installed-Size: 192
Maintainer: Ubuntu MOTU Developers <ubuntu-motu@lists.ubuntu.com>
Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Architecture: amd64
Version: 0.02-5
Depends: libapache2-mod-perl2, libc6 (>= 2.4), perl (>= 5.10.0-9), perlapi-5.10.0
Conflicts: libauthen-smb-perl (<= 0.96)
Filename: pool/universe/liba/libapache2-authenntlm-perl/libapache2-authenntlm-perl_0.02-5_amd64.deb
Size: 51418
MD5sum: 46f74ac156f7006d8d71ddbf00097e46
SHA1: 133aebf896156929d364950c2772c3e1344b9c9b
SHA256: 0688b38ab145f888a4d111aad12cb7f201dcd6e12ed969af697d3fec4a55c428
Description: Perform Microsoft NTLM and Basic User Authentication
 The purpose of this module is to perform a user authentication via Microsoft's
 NTLM protocol. This protocol is supported by all versions of the Internet
 Explorer and is mainly useful for intranets. Depending on your preferences
 setting IE will supply your windows logon credentials to the web server
 when the server asks for NTLM authentication. This saves the user to type in
 his/her password again.
 .
 The NTLM protocol performs a challenge/response to exchange a random number
 (nonce) and get back a md4 hash, which is built from the user's password
 and the nonce. This makes sure that no password goes over the wire in plain
 text.
 .
 The main advantage of the Perl implementation is, that it can be easily
 extended to verify the user/password against other sources than a windows
 domain controller.
 .
 The default implementation is to go to the domain controller for the given
 domain and verify the user. If you want to verify the user against another
 source, you can inherit from Apache2::AuthenNTLM and override it's methods.
Homepage: http://search.cpan.org/dist/Apache2-AuthenNTLM
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Paulo Scardine
  • 73,447
  • 11
  • 124
  • 153
0

You can use an NTLM module in Apache, or you can setup a script under IIS to capture the login information and POST it over to your node.js site.

Brian Lyttle
  • 14,558
  • 15
  • 68
  • 104
0

If you are using Ubuntu, do a

sudo apt-get ntlmaps or download 'ntlmaps-xx-xx.deb'

and configure your proxy which would ask you for your domain, username and password.

Then run ntlmaps as your proxy. Ntlmaps will authenticate using your username and password. You write any program ntlmaps will authenticate your program automatically using your given configuration details. However there are few things you need to configure as well after installing ntlmaps. First let me know if is this something you are looking for?

J Bourne
  • 1,409
  • 2
  • 14
  • 33