HOWTO do NTLM Authentication/Challenge in C# given the Base64 string.

Thread starter: J-S-B (Guest)
Please help,

I am trying to perform NTLM Authentication/Challenge in C#, given the Base64 string that the sets of HTTP posts would send, as detailed in this blog:

- https://blogs.technet.microsoft.com/mist/2018/02/14/windows-authentication-http-request-flow-in-iis/

I want to do this with complete isolation from any TCP/IP/Socket communication, and solely use the Base64 string in C# code, to do the Authentication/Challenge.

To explain another way, I want this:

Client ==> Server
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Encoding: gzip, deflate, peerdist
Accept-Language: en-US, en; q=0.5
Authorization: NTLM TlRMTVN[...]ADw==
Connection: Keep-Alive
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299

Server gets the HTTP Header "Authorization" as a string ==> "NTLM TlRMTVN[...]ADw=="
Server calls [Something], passes in ONLY the string.
[Something] returns "Must do challenge" with output "WWW-Authenticate" string ==> "NTLM TlRMTVN[...]AAA"
Server builds a HTTP return, similar to this:
Server ==> Client
HTTP/1.1 401 Unauthorized
Content-Length: 341
Content-Type: text/html; charset=us-ascii
Date: Tue, 13 Feb 2018 17:57:26 GMT
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: NTLM TlRMTVN[...]AAA

Client does the challenge, and returns ==> Server
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Encoding: gzip, deflate, peerdist
Accept-Language: en-US, en; q=0.5
Authorization: NTLM TlRMTVN[... much longer ...]AC4A
Connection: Keep-Alive
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299

Server gets the HTTP Header "Authorization" of "NTLM TlRMTVN[... much longer ...]AC4A" and calls [Something] with ONLY the string.
[Something] parses the string, and gets the user's domain and name, and validates the user is connected properly.
- I do not need any password.

For other references, please refer to my post on making one's own web server here:

HOWTO Make a Web Server that supports Windows Integrated Authentication and SSL.
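The "[Something]" in the flow above, as an added example that is not part of the original post: it drives the two round trips in-process using .NET's `System.Net.Security.NegotiateAuthentication` (.NET 7 or later), which on Windows wraps SSPI. The server side sees nothing but the `Authorization` header string, and the client side stands in for the browser using the current Windows logon. The proof of identity in the type 3 token is checked inside the security package (against the local SAM or the domain controller), which is why no password appears anywhere in the code. The class and method names (`NtlmHeaderAuthenticator`, `Step`, `MessageType`) and the target name `HTTP/server` are this example's own choices; it assumes it is run on Windows as an interactive local or domain user.

```csharp
// Added example, not code from the original post. Assumes .NET 7+ on Windows,
// where NegotiateAuthentication delegates to SSPI for the actual credential check.
using System;
using System.Buffers.Binary;
using System.Net;
using System.Net.Security;

public sealed class NtlmHeaderAuthenticator : IDisposable
{
    private const string Prefix = "NTLM ";
    private readonly NegotiateAuthentication _ctx =
        new(new NegotiateAuthenticationServerOptions { Package = "NTLM" });

    public bool IsAuthenticated => _ctx.IsAuthenticated;

    // DOMAIN\user as established by the security package, never as claimed in the token.
    public string? UserName => IsAuthenticated ? _ctx.RemoteIdentity.Name : null;

    // Takes the raw Authorization header value. Returns the WWW-Authenticate value to
    // send with a 401 when another round trip is needed, or null when the handshake is
    // finished (check IsAuthenticated) or the token was rejected (check status).
    public string? Step(string authorizationHeader, out NegotiateAuthenticationStatusCode status)
    {
        if (!authorizationHeader.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
        {
            status = NegotiateAuthenticationStatusCode.InvalidToken;
            return null;
        }

        byte[] token;
        try { token = Convert.FromBase64String(authorizationHeader[Prefix.Length..].Trim()); }
        catch (FormatException) { status = NegotiateAuthenticationStatusCode.InvalidToken; return null; }

        int type = MessageType(token);
        if (type != 1 && type != 3)   // only NEGOTIATE (1) or AUTHENTICATE (3) ever reach a server
        {
            status = NegotiateAuthenticationStatusCode.InvalidToken;
            return null;
        }

        byte[]? outgoing = _ctx.GetOutgoingBlob(token, out status);
        return status == NegotiateAuthenticationStatusCode.ContinueNeeded && outgoing is { Length: > 0 }
            ? Prefix + Convert.ToBase64String(outgoing)   // the CHALLENGE (type 2) message
            : null;
    }

    // Reads the MessageType field that follows the 8-byte "NTLMSSP\0" signature
    // (little-endian, per MS-NLMP). This only tells you which step you are at;
    // nothing in the token, including the user and domain names in a type 3
    // message, can be trusted until the security package has accepted it.
    public static int MessageType(ReadOnlySpan<byte> token)
    {
        if (token.Length < 12 || !token[..8].SequenceEqual("NTLMSSP\0"u8)) return -1;
        return BinaryPrimitives.ReadInt32LittleEndian(token[8..]);
    }

    public void Dispose() => _ctx.Dispose();
}

public static class Demo
{
    public static void Main()
    {
        // Client side: stands in for the browser, using the current Windows logon.
        using var client = new NegotiateAuthentication(new NegotiateAuthenticationClientOptions
        {
            Package = "NTLM",
            Credential = CredentialCache.DefaultNetworkCredentials,
            TargetName = "HTTP/server",   // example SPN, not from the original post
        });
        using var server = new NtlmHeaderAuthenticator();

        // Request 1: "Authorization: NTLM <type 1>" -> server answers 401 with a challenge.
        byte[]? type1 = client.GetOutgoingBlob(ReadOnlySpan<byte>.Empty, out var clientStatus);
        string? challenge = server.Step("NTLM " + Convert.ToBase64String(type1!), out var serverStatus);
        Console.WriteLine($"server -> 401 ({serverStatus}), WWW-Authenticate: {challenge}");

        // Request 2: the client builds the type 3 token from the challenge header alone.
        byte[] type2 = Convert.FromBase64String(challenge![5..]);
        byte[]? type3 = client.GetOutgoingBlob(type2, out clientStatus);
        server.Step("NTLM " + Convert.ToBase64String(type3!), out serverStatus);

        Console.WriteLine($"status={serverStatus} authenticated={server.IsAuthenticated} user={server.UserName}");
    }
}
```

Two points matter when wiring this into a hand-written web server. First, one `NtlmHeaderAuthenticator` must live for the lifetime of the TCP connection, because NTLM authenticates the connection: the type 3 token is only valid against the context that issued the matching type 2 challenge, and a browser will keep sending unauthenticated requests on a connection it already authenticated. Second, the user and domain names that `MessageType` could easily be extended to read out of a type 3 message are client-supplied strings; a server that takes them at face value instead of reading `UserName` after `IsAuthenticated` is true accepts whatever identity the client claims. On Linux, `NegotiateAuthentication` needs the GSSAPI NTLM provider installed before the `Package = "NTLM"` server option works.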
