17

I want to build a server using Node.js, which acts as some kind of proxy. The clients that connect to my server use NTLMv2 for authentication (there is no chance to change this), but the upstream server my server shall connect to requires a Kerberos token.

So, my question is pretty simple: How do I, using Node.js, transform the information provided by NTLMv2 into a Kerberos token? On npm, so far I have found modules for NTLMv2 authentication, but I somehow would probably need to talk to Windows to translate NTLMv2 data of a user into a token for this user.

Any hints on how to approach this problem?

Golo Roden
  • 140,679
  • 96
  • 298
  • 425
  • Not really sure how this is possible as I'm not familiar with ntlmv2/kerberos. But do you really need to pass/transform the client's authentication information to kerberos for each proxied request? Maybe your node-server could just authenticate as a client to the kerberos-server upon startup and reuse the connection? – eol Jul 08 '19 at 14:59
  • The Node.js server is running as a Windows service and may serve multiple users, so unfortunately this is not an option. – Golo Roden Jul 08 '19 at 15:02

2 Answers

2

Absolutely not! NTLM and Kerberos operate completely differently. First of all, I would highly recommend getting rid of NTLM as fast as you can.

You can solve your problem in an easy fashion if you can access C interfaces. I also assume you use MIT Kerberos on a Unix-like OS like CentOS or FreeBSD, etc.

NTLM will provide you with the down-level logon name. You first need to convert the NetBIOS domain to a DNS domain via LDAP (use libopenldap); then you can construct the Kerberos principal or the enterprise principal for your client. Then create a service account in your KDC and enable protocol transition and constrained delegation on that account for the target service. Now request a TGT on behalf of that user principal and request a service ticket for the user; voila, you can access your Kerberos backend. Here is a decent read: https://k5wiki.kerberos.org/wiki/Projects/Services4User

If you run HTTPd as your reverse proxy, it might handle all the magic for you with mod_auth_gssapi.

On Windows, this is a bit of a pain with the security API and SSPI, although the principal transformation comes for free with Windows. You'll need LsaLogonUser with KERB_S4U_LOGON, impersonate with that handle and then require SSPI to acquire a cred handle...

Michael-O
  • 18,123
  • 6
  • 55
  • 121
  • Thanks for your answer. Some parts are described very briefly; can you maybe extend your answer with a few more details, so that it becomes easier to understand for someone to whom most of these terms are new? IOW: could you maybe add some more information on why one needs to do this and that, and a few more details on how to do them? – Golo Roden Jul 15 '19 at 08:06
  • Which exactly...? – Michael-O Jul 15 '19 at 20:30
  • Basically, all of them – Golo Roden Jul 16 '19 at 04:23
  • This will take a while. I'd recommend doing some research. You will need to write native code to map that into JS space. – Michael-O Jul 16 '19 at 14:57
  • In addition to @Michael-O's answer, here is a nice flowchart which shows why NTLM can't be converted to Kerberos: https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w => Kerberos. In short: the Kerberos server gives the ticket to the client, which sends the ticket to the server for authentication. – Aleksandar Jul 17 '19 at 19:02
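As an added example (my own code, not from the question or either answer), here is the first step of the recipe above in Node.js: read the down-level logon name (NetBIOS domain and user) out of the NTLM Type 3 message the client sends, map the NetBIOS domain to its DNS name, and form the plain and enterprise principal names. The NetBIOS-to-DNS table is a constructed stand-in for the LDAP lookup, and the S4U2Self/S4U2Proxy ticket requests that come next need native Kerberos bindings, as the answer says.

```javascript
// Constructed example: extract the down-level logon name from an NTLM
// AUTHENTICATE_MESSAGE (Type 3, MS-NLMP) and derive Kerberos principal names.
const SIGNATURE = Buffer.from('NTLMSSP\0', 'ascii');
const NEGOTIATE_UNICODE = 0x00000001; // payload strings are UTF-16LE when set

// Read a (Len, MaxLen, Offset) descriptor at `pos` and return the bytes it points to.
function readField(msg, pos) {
  const len = msg.readUInt16LE(pos);
  const off = msg.readUInt32LE(pos + 4);
  if (off + len > msg.length) throw new Error('NTLM field points outside the message');
  return msg.subarray(off, off + len);
}

// Parse the Type 3 header (descriptors at fixed offsets 12..52, NegotiateFlags at 60).
function parseAuthenticate(msg) {
  if (msg.length < 64 || !msg.subarray(0, 8).equals(SIGNATURE)) throw new Error('not an NTLMSSP message');
  if (msg.readUInt32LE(8) !== 3) throw new Error('not an AUTHENTICATE_MESSAGE');
  const enc = (msg.readUInt32LE(60) & NEGOTIATE_UNICODE) ? 'utf16le' : 'latin1';
  return {
    domain: readField(msg, 28).toString(enc),      // NetBIOS domain, e.g. CORP
    user: readField(msg, 36).toString(enc),        // sAMAccountName
    workstation: readField(msg, 44).toString(enc),
  };
}

// Map the NetBIOS domain to its DNS name (constructed table standing in for the LDAP
// lookup) and build both the plain principal and the enterprise principal (MIT string form).
function toPrincipals({ domain, user }, netbiosToDns) {
  const dns = netbiosToDns[domain.toUpperCase()];
  if (!dns) throw new Error(`unknown NetBIOS domain ${domain}`);
  const realm = dns.toUpperCase();
  return { principal: `${user}@${realm}`, enterprise: `${user}\\@${dns}@${realm}` };
}

// Build a minimal constructed Type 3 message for the demo (empty challenge
// responses and session key; no Version or MIC, so the header is 64 bytes).
function buildAuthenticate(domain, user, workstation) {
  const strings = [domain, user, workstation].map(s => Buffer.from(s, 'utf16le'));
  const hdr = Buffer.alloc(64);
  SIGNATURE.copy(hdr, 0); hdr.writeUInt32LE(3, 8);
  let off = 64;
  for (const p of [12, 20, 52]) hdr.writeUInt32LE(off, p + 4); // zero-length fields
  [28, 36, 44].forEach((p, i) => {
    hdr.writeUInt16LE(strings[i].length, p); hdr.writeUInt16LE(strings[i].length, p + 2);
    hdr.writeUInt32LE(off, p + 4);
    off += strings[i].length;
  });
  hdr.writeUInt32LE(NEGOTIATE_UNICODE, 60);
  return Buffer.concat([hdr, ...strings]);
}
```

The offset check in readField matters in a proxy: the Type 3 message comes from an unauthenticated client, so every descriptor must be bounds-checked before it is dereferenced.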
2

If your KDC allows constrained delegation, you can set up your intermediate server to allow impersonation. This way it can establish a security context with the client in one mechanism (in your case, NTLM), and talk to the backend server on behalf of the client in another mechanism (Kerberos). Google for "constrained delegation" and "protocol transition" for more information. Hope this helps.

speedogoo
  • 2,828
  • 2
  • 17
  • 19