How to test a HTTP client using NTLM authentication?

Question

I have some code acting as an HTTP client which supports basic authentication as well as NTLM authentication. I can easily test that basic authentication works by requiring a username/password to access a file in the .htaccess on an Apache server. But how can I test NTLM authentication, short of installing IIS? Are there by any chance any public HTTP servers that accept NTLM authentication?

Answer 1

I was looking for the same question ("how to set-up a ntlm proxy dummy server") and found this. So here is my solution, on how to set up a forwarding NTLM authentication for a proxy server, without using IIS server from Microsoft. Instead we will use Apache httpd.exe

1. Download Apache HTTP server Apache 2.4.29. I used the windows 32bit (VC14) version binaries from ApacheHaus
2. Download the matching module Mod Auth NTLM for, in my case mod_authn_ntml-1.0.8-2.4.x-x86-vc14.zip
3. Install the server, and the module, and configure everything so the server will start up and you see the default webpage when you browse to your localhost

4. Now edit the conf/httpd.conf configure file again, and make these changes:

   #Make sure to load at least the modules, and their dependencies:
   LoadModule headers_module modules/mod_headers.so
   LoadModule info_module modules/mod_info.so
   LoadModule ldap_module modules/mod_ldap.so
   LoadModule proxy_module modules/mod_proxy.so
   LoadModule proxy_connect_module modules/mod_proxy_connect.so
   LoadModule proxy_http_module modules/mod_proxy_http.so
   LoadModule request_module modules/mod_request.so
   LoadModule rewrite_module modules/mod_rewrite.so
   LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
   LoadModule ssl_module modules/mod_ssl.so
   LoadModule status_module modules/mod_status.so
   
   #add the new module
   LoadModule auth_ntlm_module modules/mod_authn_ntlm.so
   

Enable the proxy server. Be warned, you may open an open proxy server to the internet...

     ProxyVia On
     ProxyRequests On 

    <Proxy "*">
        AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>
    </Proxy>

Or, if you just want to secure just one directory, you can copy the code from the mod_authn_ntml config example:

  <Location /testDirectory >
    AuthName "Private location for testing NTLM authentication"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
            #require sspi-user EMEA\group_name
        </RequireAny>
        <RequireNone>
            Require user "ANONYMOUS LOGON"
            Require user "NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"
        </RequireNone>
    </RequireAll>

    # use this to add the authenticated username to you header
    # so any backend system can fetch the current user
    # rewrite_module needs to be loaded then

     RewriteEngine On
     RewriteCond %{LA-U:REMOTE_USER} (.+)
     RewriteRule . - [E=RU:%1]
     RequestHeader set X_ISRW_PROXY_AUTH_USER %{RU}e

  </Location>

5. To capture the local loopback traffic and to debug what's going on, you need to install Wireshark 2.4.4 and then the special npcap-0.97.exe loopback-capture driver. With this you can sniff the traffic between your browser and your local web-server

   6. If you want to use the NTLM authentication for the proxy server, you will need to follow the advice from mod_ntlmn_auth GitHub page and set the flag DisableLoopbackCheck in the registry (see https://support.microsoft.com/en-us/kb/896861 ), otherwise all local authentication requests will silently fail.

   7. Set up your browser to use your local IP address as a proxy server. If everything works, the browser will send your credentials in the background.

   8. To see what's going on, you can now check your Wireshark logs, and the also the Apache logs/access.log shows you the Domain\User that was used for authentication.

Hope that helps someone out there to test their proxy scripts, because a lot of proxy software I encounter can't handle NTLM proxies correctly, which is important in a business environment.

Answer 2

As you have probably already realised, because NTLM is a proprietary authentication protocol (that doesn't have any official public documentation provided by Microsoft), you're going to have to either test against an actual IIS server running on Windows, or you could try and mock the authentication scheme using details gleaned from documentation such as this:

NTLM Authentication Scheme for HTTP

You won't find many public HTTP servers (if any) on the internet that you'll be able to test against. NTLM authentication is generally deployed for corporate use such as authenticating against Active Directory and are most often locked behind company VPN's.

I'd bite the bullet and fire up an instance of Windows (Microsoft let you download plenty of 120 day trials of Windows 2008 etc) in a Virtual Machine and test against that.