
I have a basic "Web Server Application" created by going to File > New > Web Server Application and choosing ISAPI Dynamic Link Library, which I am using to test Windows Authentication when running within IIS.

I have code that reads in the TWebRequest.Authorization property and decodes the string that is sent from IIS (which is usually Negotiate xxxxxxxxxxxx...). This all works when running the site without SSL. I can extract the username, password, domain and workstation name from the Type 3 message as per http://davenport.sourceforge.net/ntlm.html#type3MessageExample.

When SSL is enabled, it seems the string is somehow further encrypted and I get a mess of data from my code which as stated works when SSL is not enabled.

Could anyone tell me what I could be missing? I have not posted any code (but can) as I suspect this is not specific to my code but something to do with SSL that I am not aware of. And searching for answers to this has been somewhat uneventful as I am unaware of the correct terminology to use to get to the correct answers.

I am not so much looking for a "here is the answer" but a pointer in the correct direction would be most appreciated.

When not using SSL, the Negotiate value is: 'Negotiate TlRMTVNT.... When using SSL, the Negotiate value is: 'Negotiate oXcwdaADCgEBo......

Note that on the non-SSL version the string begins TlRMTVNT; this is what I would expect as that is the NTLMSSP signature, Base64 encoded.

Stuart
  • What do you mean by "SSL is Enabled"? Did you make any change regarding SSL in your Web Service Application? Are you using Indy components? Which component have you used for implementing your Web Service? – Mahmoud_Mehri Dec 14 '21 at 12:28
  • By way of SSL is enabled, I mean I begin to access the site via HTTPS (handled by IIS). I am not using Indy components, just the standard TWebModule from "Web.HTTPApp" by going to File > New > Web Server Application - Delphi. – Stuart Dec 14 '21 at 14:19
  • Ok, on further investigation, it seems when enabling SSL, Windows Authentication is now sending me Kerberos tickets instead of NTLM (and so the Authorization header is not what I am expecting). Now I need to find out how to get hold of the value used to encrypt the token from within my application. – Stuart Dec 14 '21 at 15:48
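An added example (not code from the question or the answer) that makes the difference described in the comments above visible: it base64-decodes a Negotiate value and reports whether it is a bare NTLMSSP message or a SPNEGO wrapper, and which mechanism token (NTLM or Kerberos) the wrapper carries. The 'oXcwdaADCgEB' prefix quoted in the question decodes to the DER bytes a1 77 30 75 a0 03 0a 01 01, a SPNEGO NegTokenResp whose negState is accept-incomplete, so the inner token has to be unwrapped before an NTLM Type 3 parser sees it. The sample tokens are hand-encoded DER constructed for this example, and the label strings are my own choice.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2 as DER tag+len+body
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLM_TYPES = {1: "NTLM NEGOTIATE", 2: "NTLM CHALLENGE", 3: "NTLM AUTHENTICATE"}

def _der_len(buf, pos):  # DER length at buf[pos] -> (length, offset of the value)
    n = buf[pos] & 0x7F                           # short form: the byte itself; long form: n length bytes follow
    return (n, pos + 1) if buf[pos] < 0x80 else (int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n)
def _field2(tok, pos):  # the [2] OCTET STRING (mechToken/responseToken) of the NegToken at pos
    _, pos = _der_len(tok, pos + 1)              # past the [0]/[1] context tag
    seq_len, pos = _der_len(tok, pos + 1)        # past the SEQUENCE tag
    end = pos + seq_len
    while pos < end:                              # walk the context-tagged members
        length, start = _der_len(tok, pos + 1)
        if tok[pos] == 0xA2:                      # [2] EXPLICIT: 04 <len> <bytes>
            oct_len, octets = _der_len(tok, start + 1)
            return tok[octets:octets + oct_len]
        pos = start + length
    return None

def _mech(tok):  # name a mechanism token: NTLM message type, Kerberos, or unknown
    if tok.startswith(NTLMSSP_SIG):
        return NTLM_TYPES.get(int.from_bytes(tok[8:12], "little"), "NTLM unknown type")
    return "Kerberos" if tok[:1] == b"\x60" and KRB5_OID in tok[:16] else "unknown mechanism"

def classify_negotiate(header_value):  # label what 'Authorization: Negotiate <base64>' carries
    tok = base64.b64decode(header_value.split(" ", 1)[1])
    if tok.startswith(NTLMSSP_SIG):                     # bare NTLMSSP, base64 'TlRMTVNT...'
        return "raw " + _mech(tok)
    try:                                                # a cut-off dump (like the '...' values above) runs off the end
        if tok[:1] == b"\x60" and SPNEGO_OID in tok[:12]:   # GSS-API InitialContextToken -> NegTokenInit
            label, inner = "SPNEGO NegTokenInit", _field2(tok, tok.index(SPNEGO_OID) + len(SPNEGO_OID))
        elif tok[:1] == b"\xa1":                            # NegTokenResp, base64 'oX...'
            label, inner = "SPNEGO NegTokenResp", _field2(tok, 0)
        else:
            return "unrecognised token"
    except IndexError:
        return "truncated SPNEGO token"
    return label + (" carrying " + _mech(inner) if inner else " without an inner token")

# Constructed samples (hand-encoded DER, not captured traffic): bare NTLM type 1; NegTokenResp { negState
# accept-incomplete(1), responseToken <NTLM type 3> }; NegTokenInit offering Kerberos with a placeholder AP-REQ.
SAMPLES = {"plain": bytes.fromhex("4e544c4d5353500001000000"),
           "resp": bytes.fromhex("a1173015a0030a0101a20e040c4e544c4d5353500003000000"),
           "init": bytes.fromhex("602e06062b0601050502a0243022a00d300b06092a864886f712010202"
                                 "a211040f600d06092a864886f7120102020100")}
def sample_results():  # classify each sample as it would appear in the Authorization header
    return {k: classify_negotiate("Negotiate " + base64.b64encode(v).decode()) for k, v in SAMPLES.items()}
```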

1 Answer


When you create a "Web Service Application" project, Delphi creates a TIdHTTPWebBrokerBridge object by default as Server:

type
  TForm1 = class(TForm)
    ...
  private
    FServer: TIdHTTPWebBrokerBridge;
    procedure StartServer;
    ...
  end;

During the wizard for creating a Web Service Application project, you have an option to use HTTPS:


By activating this check-box, you will be prompted for information about a Certificate file:


You can search a bit about SSL Certificate files, but you can use OpenSSL to create a self-signed SSL Certificate; here are some useful explanations: https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/

And regarding using OpenSSL: How to generate a self-signed SSL certificate using OpenSSL?

Here are the OpenSSL binary file and Indy SSL required DLL files: https://github.com/IndySockets/OpenSSL-Binaries


After creating your project with the HTTPS option activated, you will have some other things included by default; the main difference is that now the TIdHTTPWebBrokerBridge component is using a TIdServerIOHandlerSSLOpenSSL component as IO-Handler:

procedure TForm1.FormCreate(Sender: TObject);
var
  LIOHandleSSL: TIdServerIOHandlerSSLOpenSSL;
begin
  FServer := TIdHTTPWebBrokerBridge.Create(Self);
  LIOHandleSSL := TIdServerIOHandlerSSLOpenSSL.Create(FServer);
  LIOHandleSSL.SSLOptions.CertFile := '';      // path of the server certificate (PEM)
  LIOHandleSSL.SSLOptions.RootCertFile := '';  // path of the CA/root certificate, if any
  LIOHandleSSL.SSLOptions.KeyFile := '';       // path of the private key (PEM)
  LIOHandleSSL.OnGetPassword := OnGetSSLPassword;  // supplies the key-file passphrase
  FServer.IOHandler := LIOHandleSSL;           // TLS is now terminated by this IOHandler
end;

You just need to make SSL Certificate files and put their addresses in the OnCreate event as shown above; that IOHandler will handle SSL decryption.

Mahmoud_Mehri
  • Sorry, I am hosting this in IIS so I chose the ISAPI Dynamic Link Library option to create the project. So I do not get the options to specify the SSL certificate. I assumed from that point, IIS would give me (the application) the unencrypted headers as the data had made it safely to the application at this point, but instead, the header seems to be encrypted still. I have amended my question to provide examples of the values I get when I use SSL and when I don't. – Stuart Dec 14 '21 at 15:07
  • Note that `TIdHTTPWebBrokerBridge` is a `TIdCustomHTTPServer` descendant, and in order to use SSL/TLS on a non-standard HTTPS port (like 8080) in that server, you need to use its `OnQuerySSLPort` event. – Remy Lebeau Dec 14 '21 at 15:27