1. 技术文章
  2. How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header

How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header

吃可爱长大的小学妹 提交于 2019-11-27 11:38:52

问题


I am programming a client application in .Net that communicates with server via HTTP.

I need to set different request buffering options in case of NTLM and Kerberos authorization.

How to find out if NTLM or Kerberos is used? Is it possible to somehow decode 'WWW-Authenticate: Negotiate' header?


回答1:


You will find answer here.

Short answer is:

1.Capture some successfully authorized request using Fiddler tool.
2.Choose "Inspectors" -> "Headers" tab.
3.Pay attention at "Cookies / Login" section, "Authorization" header.

If the Authorization token begins with "YII" then Kerberos is used, but if it begins with "TlR" then Kerberos is not used.

For example Kerberos:

Authorization: Negotiate YIIVDAYGKwYBE...

Not Kerberos:

Authorization: Negotiate TlRMTVNTUA...



回答2:


Parsing a Negotiate header is sort of a tedious exercise as it's built using ASN.1 DER.

That said, you may not necessarily need to decode this however to make a good assumption about the payload. While there is a mechanism in GSSAPI for NTLM (more on that below), in my experience clients do not actually use it, they simply send NTLM headers. In my (admittedly strictly controlled) environment, if I see Authorization: NTLM ... then this is guaranteed to be NTLM. If I see Authorization: Negotiate ... then this is guaranteed to be Kerberos.

Strictly speaking, you should look at the mechanism list in the header to determine whether the mechanism was NTLM or Kerberos. I would recommend either using an off-the-shelf ASN.1 decoder, or looking at Microsoft's decoding example. You're going to want to look for the SPNEGO OID (1.3.6.1.5.5.2), then look for the mechanism type sequence within that. The first mechanism in the sequence corresponds to the response token payload, so you can look at that OID to determine the mechanism. Some known OIDs for Kerberos are:

1.2.840.113554.1.2.2 (Kerberos 5)
1.2.840.48018.1.2.2 (Microsoft Kerberos 5)
1.3.5.1.5.2 (Kerberos 5 OID 2)

To my knowledge, the only OID for NTLM is (referenced from this blog):

1.3.6.1.4.1.311.2.2.10 (NLMP NTLM)



回答3:


If the server advertises to user Negotiate you are free to use Kerberos, NTLM oder something is supported by SPNEGO. Though, there is no guarantee that the server supports every wrapped auth method sent by the client.




回答4:


Yes; just Base64 decode it and you will see "NTLM" or "HTTP".

C#

v = BitConverter.ToString(Convert.FromBase64String(v.Replace("Negotiate: ","")));
if (v.indexOf("NTLM") > -1) {
    //...
}


来源:https://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header

标签
.net
kerberos
ntlm
negotiate
www-authenticate
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!