
Is it possible to use GSSAPI for NTLM v1/v2 authentication? I am trying to build a web server, quite like squid / apache, but I would like to authenticate clients that could be using IE / Firefox, using the NTLM / Negotiate protocols. I tried using the heimdal libraries but simply can't get gss_accept_sec_context to work. It simply fails with "An unsupported mechanism was requested". I can confirm that the service principal name, OIDs for spnego etc. did happen correctly when gss_acquire_cred was called before the gss_accept_sec_context was attempted. Yes of course, I extracted the token received from the client by base64-decoding the authorization headers. I am using C++, and experimenting with this on Debian. I am sure one of the fantastic hacks around here knows more, and I hope they will share some important clues.

Thanks in Advance.

mdk
  • Are you sending the `WWW-Authenticate: Negotiate` header? Clients will attempt Kerberos authentication, not NTLM. – n. m. could be an AI Jun 20 '11 at 13:11
  • I think the answer is no - GSSAPI can only do Kerberos. Why do you want to use NTLM instead of Kerberos? – Edward Thomson Jun 20 '11 at 16:52
  • @Edward Thomson GSSAPI *can* do NTLM. G in GSSAPI stands for *generic*. Kerberos and NTLM are two of the several *mechanisms* GSSAPI can work with. – n. m. could be an AI Jun 20 '11 at 18:55
  • I see what you're saying, so let me clarify. GSSAPI is indeed generic and does have constants for NTLM as one of the mechs. What I meant to say is that I don't think that MIT or Heimdal's implementations actually support NTLM in a reasonable way, although I may be mistaken about this. Further, it seems that they couldn't really do so in a "single sign-on" way (without prompting for credentials) or without otherwise computing an LM hash, which provides, I feel, a disappointing user experience compared with (for example) Kerberos. (That said, it would be cool to be mistaken about this.) – Edward Thomson Jun 20 '11 at 19:09
  • I guess the problem is sourced in the documentation of libheimntlm. It doesn't quite explicitly state if the library can be used only in a client application, or also in a server application for user authentication. I want to authenticate users irrespective of their domain membership. Since Kerberos / Negotiate works only for domain members, I was hoping to implement NTLM support using the heimdal NTLM. By using Microsoft/SSPI, I could get things working on Windows. But I love Linux too much to leave it out. Would it be useful if I shared the code here? – mdk Jun 28 '11 at 10:46
  • @Edward Thomson: I hate to say it, but you may be right. So that makes 2 people who would now be only too happy to be proven mistaken. :) – mdk Jun 28 '11 at 10:52

3 Answers


Heimdal's NTLM library also supports the client side. You can, using library primitives, generate Type 1, 2 and 3 messages, and it will work. I don't know, however, whether you can use GSS-API on top of Heimdal for this purpose. I assume that with a test, you can do this too.


I'm not sure about the Heimdal library and whether it works with the GSS, but gss ntlm ssp specifically claims to be a gss library. I'd expect you'd need to download and build it, then you would need to set up /etc/gss/mech (or /usr/etc/gss/mech on Debian and Ubuntu) to point at the library. The build system will create an example of what you need in the mech file in its examples directory.

You may run into trouble running this under spnego. When Windows has NTLM as the most preferred mechanism with the negotiate package, it sends a raw NTLM token rather than a SPNEGO token as defined in RFC 4178. This code will definitely get you further though; it definitely will get past gss_accept_sec_context indicating an unsupported mechanism.

Sam Hartman
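The point above about Windows sending a raw NTLM token instead of an RFC 4178 SPNEGO token can be checked on the server before the bytes ever reach gss_accept_sec_context, which explains the "unsupported mechanism" error when a raw NTLMSSP message is handed to a SPNEGO/Kerberos acceptor. The classifier below is an added example, not code from this thread, from Heimdal or from gss-ntlmssp; it assumes the `Authorization: Negotiate` value has already been base64-decoded (as the asker does), and the sample tokens are constructed header bytes, not real captures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the client put after "Authorization: Negotiate" (already base64-decoded). */
typedef enum { TOK_UNKNOWN = 0, TOK_RAW_NTLM, TOK_SPNEGO, TOK_KRB5 } token_kind;

/* Bytes used by a DER length field (short form, or long form of 1..4 bytes); 0 if malformed. */
static size_t der_len_size(const uint8_t *p, size_t n) {
    if (n < 1) return 0;
    if (p[0] < 0x80) return 1;
    size_t k = p[0] & 0x7f;
    return (k >= 1 && k <= 4 && n >= 1 + k) ? 1 + k : 0;
}

token_kind classify_token(const uint8_t *tok, size_t n) {
    /* Raw NTLMSSP message (Type 1/2/3): 8-byte signature "NTLMSSP\0", no ASN.1 wrapper at all. */
    static const uint8_t ntlm_sig[8] = {'N','T','L','M','S','S','P',0};
    /* DER-encoded mech OIDs as they appear inside an RFC 2743 InitialContextToken. */
    static const uint8_t oid_spnego[] = {0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02};                 /* 1.3.6.1.5.5.2 */
    static const uint8_t oid_krb5[]   = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
    static const uint8_t oid_mskrb5[] = {0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.48018.1.2.2 */

    if (n >= sizeof ntlm_sig && memcmp(tok, ntlm_sig, sizeof ntlm_sig) == 0) return TOK_RAW_NTLM;
    if (n >= 1 && tok[0] == 0xa1) return TOK_SPNEGO;   /* bare NegTokenResp ([1]) in a later SPNEGO round */
    if (n < 2 || tok[0] != 0x60) return TOK_UNKNOWN;   /* [APPLICATION 0] InitialContextToken expected */
    size_t ls = der_len_size(tok + 1, n - 1);
    if (ls == 0) return TOK_UNKNOWN;
    const uint8_t *oid = tok + 1 + ls;
    size_t rem = n - 1 - ls;
    if (rem >= sizeof oid_spnego && memcmp(oid, oid_spnego, sizeof oid_spnego) == 0) return TOK_SPNEGO;
    if (rem >= sizeof oid_krb5 && (memcmp(oid, oid_krb5, sizeof oid_krb5) == 0 ||
                                   memcmp(oid, oid_mskrb5, sizeof oid_mskrb5) == 0)) return TOK_KRB5;
    return TOK_UNKNOWN;
}

/* Constructed sample tokens (leading bytes only; not captured from any client). */
const uint8_t sample_raw_ntlm[] = {'N','T','L','M','S','S','P',0, 0x01,0,0,0, 0x07,0x82,0x08,0xa2};
const uint8_t sample_spnego[]   = {0x60,0x0a, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02, 0xa0,0x00};
const uint8_t sample_krb5[]     = {0x60,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02, 0x01,0x00};

int main(void) {
    static const char *names[] = {"unknown", "raw NTLM (not RFC 4178 SPNEGO)", "SPNEGO", "Kerberos"};
    printf("%s\n", names[classify_token(sample_raw_ntlm, sizeof sample_raw_ntlm)]);
    printf("%s\n", names[classify_token(sample_spnego, sizeof sample_spnego)]);
    printf("%s\n", names[classify_token(sample_krb5, sizeof sample_krb5)]);
    return 0;
}
```

A server can use the result to pick the acceptor it hands the token to (the NTLM mechanism directly for a raw token, SPNEGO otherwise) instead of letting the SPNEGO acceptor fail on bytes it cannot parse.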

The Heimdal GSSAPI library supports SPNEGO, NTLMv1/v2 and KRB5. They also have the raw NTLM library that you could use to implement the protocol yourself.

https://www.h5l.org/manual/HEAD/gssapi/