
How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header

I am programming a client application in .Net that communicates with server via HTTP.

I need to set different request buffering options in case of NTLM and Kerberos authorization.

How to find out if NTLM or Kerberos is used? Is it possible to somehow decode 'WWW-Authenticate: Negotiate' header?

IT Hit WebDAV asked Apr 08 '11 15:04


People also ask

How do I know if I have NTLM or Kerberos authentication?

If you need to identify what is being used at this moment the only way to recognize this is from the logs at log level 4. Once Kerberos authentication is enabled in EasySSO settings - the server and the browser will start exchanging "Negotiate" headers.

How do you know if Kerberos is being used?

The easiest way to determine if Kerberos authentication is being used is by logging into a test workstation and navigating to the web site in question. If the user isn't prompted for credentials and the site is rendered correctly, you can assume Integrated Windows authentication is working.

How can I tell if my server is NTLM?

To find applications that use NTLMv1, enable Logon Success Auditing on the domain controller, and then look for Success auditing Event 4624, which contains information about the version of NTLM.

What is the difference between Negotiate and NTLM authentication?

Negotiate authentication automatically selects between the Kerberos protocol and NTLM authentication, depending on availability. The Kerberos protocol is used if it is available; otherwise, NTLM is tried. Kerberos authentication significantly improves upon NTLM.


2 Answers

You will find the answer here.

The short answer is:

1. Capture some successfully authorized request using the Fiddler tool.
2. Choose the "Inspectors" -> "Headers" tab.
3. Pay attention to the "Cookies / Login" section, "Authorization" header.

If the Authorization token begins with "YII" then Kerberos is used, but if it begins with "TlR" then Kerberos is not used.

For example Kerberos:

Authorization: Negotiate YIIVDAYGKwYBE... 

Not Kerberos:

Authorization: Negotiate TlRMTVNTUA... 
Taras Kozubski answered Sep 29 '22 18:09


Parsing a Negotiate header is sort of a tedious exercise as it's built using ASN.1 DER.

That said, you may not necessarily need to decode this, however, to make a good assumption about the payload. While there is a mechanism in GSSAPI for NTLM (more on that below), in my experience clients do not actually use it; they simply send NTLM headers. In my (admittedly strictly controlled) environment, if I see Authorization: NTLM ... then this is guaranteed to be NTLM. If I see Authorization: Negotiate ... then this is guaranteed to be Kerberos.

Strictly speaking, you should look at the mechanism list in the header to determine whether the mechanism was NTLM or Kerberos. I would recommend either using an off-the-shelf ASN.1 decoder, or looking at Microsoft's decoding example. You're going to want to look for the SPNEGO OID (1.3.6.1.5.5.2), then look for the mechanism type sequence within that. The first mechanism in the sequence corresponds to the response token payload, so you can look at that OID to determine the mechanism. Some known OIDs for Kerberos are:

1.2.840.113554.1.2.2 (Kerberos 5)
1.2.840.48018.1.2.2 (Microsoft Kerberos 5)
1.3.5.1.5.2 (Kerberos 5 OID 2)

To my knowledge, the only OID for NTLM is (referenced from this blog):

1.3.6.1.4.1.311.2.2.10 (NLMP NTLM) 
Edward Thomson answered Sep 29 '22 18:09
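
The checks from the two answers above, as an added example that is not part of either answer: Python is used here rather than .NET to keep the logic short, and `read_tlv`, `read_oid`, `classify` and `SAMPLE_KERBEROS` are names made up for this example. It assumes the client's first token (a raw NTLM message, or a GSS-API token whose SPNEGO NegTokenInit carries the mechanism list) and reports anything else as unknown.

```python
import base64

SPNEGO = "1.3.6.1.5.5.2"
MECHS = {"1.2.840.113554.1.2.2": "Kerberos", "1.2.840.48018.1.2.2": "Kerberos",
         "1.3.5.1.5.2": "Kerberos", "1.3.6.1.4.1.311.2.2.10": "NTLM"}  # from the answer above

def read_tlv(buf, pos, expected):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != expected or pos + length > len(buf):
        raise ValueError("unexpected or truncated element")
    return pos, pos + length

def read_oid(buf, pos):
    """Decode the OBJECT IDENTIFIER at pos; return (dotted_string, end_offset)."""
    start, end = read_tlv(buf, pos, 0x06)
    arcs, value = [], 0
    for b in buf[start:end]:             # base-128 digits, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)        # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:])), end

def classify(header_value):
    """Return 'Kerberos', 'NTLM' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if scheme.upper() == "NTLM" or tok.startswith(b"NTLMSSP\x00"):
            return "NTLM"                # raw NTLM message, base64 "TlRMTVNTUA..."
        pos, _ = read_tlv(tok, 0, 0x60)  # GSS-API initial token, base64 "YI..."
        oid, pos = read_oid(tok, pos)
        if oid == SPNEGO:                # NegTokenInit: walk to first mechTypes entry
            for tag in (0xA0, 0x30, 0xA0, 0x30):
                pos, _ = read_tlv(tok, pos, tag)
            oid, _ = read_oid(tok, pos)
        return MECHS.get(oid, "unknown")
    except (ValueError, IndexError):
        return "unknown"

# Constructed sample (not captured traffic): SPNEGO NegTokenInit offering Kerberos 5 only.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()
```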