 

NTLM authentication for a web server side application

My Windows-based application written in C++ (basically an HTTP/1.1 proxy server) listens for requests from various users. Presently it is able to send a 407 Basic challenge and process the response from the headers. I know I must modify the challenge headers so that the client browsers make an NTLM-based response for the purpose of authentication. But my question is: how do I generate the correct tokens, nonce, etc. for the 407 authentication challenge, and then how do I validate whether the received responses are correct? Finally, I would like to record the client's username and other LDAP / ADS properties if possible.

Please be kind, and redirect me to the correct posts if there are already any threads that discuss something similar. Most research on the WWW leads me only to the client-side programming, very little or almost none - for the coding that must be done in the HTTP server.

All of you great hacks around here, a BIG thanks in advance.

mdk asked Dec 18 '22 06:12


2 Answers

The short answer is that I think this Using SSPI with a Windows Sockets Server sample is your best starting place and it should demonstrate the basic SSPI calls you need. It's written for a plain TCP server, but the challenge/response data is sent over HTTP without much extra complexity.

[MS-N2HT]: Negotiate and Nego2 HTTP Authentication Protocol

I second the recommendation of reviewing the mod_auth_sspi for Apache code

Personally, I would also try attaching a low-level debugger to IIS and see how it goes about calling the SSPI functions, but that may not be your cup of tea.

After you've gotten that far with SSPI, obtaining the username should be a piece of cake (but ask if you need help). LDAP/AD properties for the user can be queried with those APIs.

The long answer involves a little light reading:

Integrated Windows Authentication in Wikipedia

SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows

HTTP-Based Cross-Platform Authentication via the Negotiate Protocol (Part 1 of 3)

Part 3 has some interesting code samples as well.

Hope this helps!

Marsh Ray answered Dec 19 '22 21:12


There's code in httpauth which could help you. It uses smbval code to parse NTLM message 1 and 3. See: http://memberwebs.com/stef/software/httpauth/

Stef answered Dec 19 '22 20:12
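Taking the two answers together (the SSPI sample Marsh Ray points to for producing and verifying tokens, and the httpauth/smbval parsing of NTLM messages 1 and 3 that Stef mentions), here is an added example that is not from the question, from either answer, or from either project: the HTTP-facing half of the proxy's NTLM handshake in portable C++. It decodes the Proxy-Authorization header, recognises NEGOTIATE (type 1) and AUTHENTICATE (type 3) messages, reads the client-asserted domain, user and workstation out of type 3 with bounds-checked security-buffer parsing, and builds the Proxy-Authenticate value for the 407. The field offsets follow the AUTHENTICATE_MESSAGE layout in [MS-NLMP]; the function names, the BuildType3Sample helper and the names CORP, alice, bob, WS01 and WS02 are my own constructed test data. What it deliberately does not do is validate the NtChallengeResponse: the names in type 3 are whatever the client chose to send, and only a security package that checks that response against the challenge it issued (AcceptSecurityContext on Windows, which the SSPI sample shows) proves who the user is, so record the username from the verified context, not from this parse.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

namespace ntlm {
using Bytes = std::vector<uint8_t>;
static const std::string kB64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Base64 as carried in the NTLM HTTP headers (RFC 4648 alphabet, '=' padding).
std::string Base64Encode(const Bytes& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); i += 3) {
        uint32_t n = in[i] << 16;
        if (i + 1 < in.size()) n |= in[i + 1] << 8; if (i + 2 < in.size()) n |= in[i + 2];
        out += kB64[(n >> 18) & 63]; out += kB64[(n >> 12) & 63];
        out += i + 1 < in.size() ? kB64[(n >> 6) & 63] : '=';
        out += i + 2 < in.size() ? kB64[n & 63] : '=';
    }
    return out;
}
Bytes Base64Decode(const std::string& in) {
    Bytes out; uint32_t acc = 0; int bits = 0;
    for (char c : in) {
        if (c == '=') break;
        size_t v = kB64.find(c);
        if (v == std::string::npos) throw std::runtime_error("bad base64 in header");
        acc = (acc << 6) | static_cast<uint32_t>(v); bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back((acc >> bits) & 0xFF); acc &= (1u << bits) - 1; }
    }
    return out;
}
// Little-endian field reader, bounds-checked: every byte here came from the client.
static uint32_t Rd(const Bytes& b, size_t off, size_t width) {
    if (off + width > b.size()) throw std::runtime_error("truncated NTLM message");
    uint32_t v = 0; for (size_t i = width; i-- > 0;) v = (v << 8) | b[off + i];
    return v;
}
const uint32_t kNegotiateUnicode = 0x00000001;  // [MS-NLMP] NTLMSSP_NEGOTIATE_UNICODE
// Security buffer Len(2) MaxLen(2) Offset(4) -> string; UTF-16LE (low byte kept, ASCII names) or OEM.
static std::string ReadField(const Bytes& b, size_t desc, bool unicode) {
    size_t len = Rd(b, desc, 2), off = Rd(b, desc + 4, 4);
    if (off + len > b.size()) throw std::runtime_error("field points outside message");
    std::string s;
    for (size_t i = 0; i < len; i += unicode ? 2 : 1) s += static_cast<char>(b[off + i]);
    return s;
}
struct Message {
    uint32_t type = 0, flags = 0;           // type: 1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE
    std::string domain, user, workstation;  // type 3 only; client-asserted, not yet verified
};
Message Parse(const Bytes& b) {
    if (b.size() < 12 || std::memcmp(b.data(), "NTLMSSP", 8) != 0)
        throw std::runtime_error("not an NTLMSSP message");
    Message m;
    m.type = Rd(b, 8, 4);
    if (m.type == 1) m.flags = Rd(b, 12, 4);
    if (m.type == 3) {  // AUTHENTICATE_MESSAGE offsets per [MS-NLMP] 2.2.1.3:
        m.flags = Rd(b, 60, 4);                         // LmResp@12 NtResp@20 Domain@28 User@36
        bool uni = (m.flags & kNegotiateUnicode) != 0;  // Workstation@44 SessionKey@52 Flags@60
        m.domain = ReadField(b, 28, uni);
        m.user = ReadField(b, 36, uni);
        m.workstation = ReadField(b, 44, uni);
    }
    return m;
}
// "Proxy-Authorization: NTLM <base64>" -> token bytes; empty if the client used another scheme.
Bytes TokenFromHeader(const std::string& value) {
    if (value.compare(0, 4, "NTLM") != 0) return {};
    size_t p = 4;
    while (p < value.size() && value[p] == ' ') ++p;
    return p < value.size() ? Base64Decode(value.substr(p)) : Bytes{};
}
// Proxy-Authenticate value for the 407: bare "NTLM" opens the exchange, type 2 from the package continues it.
std::string ChallengeHeader(const Bytes& type2 = Bytes()) {
    return type2.empty() ? std::string("NTLM") : "NTLM " + Base64Encode(type2);
}
// DOMAIN\user as the client wrote it. Record it only after AcceptSecurityContext accepted the response.
std::string AccountName(const Message& m) {
    return m.type == 3 ? m.domain + "\\" + m.user : std::string();
}
// Constructed sample data: a minimal type 3 with empty challenge responses (real clients fill Lm/Nt/MIC).
Bytes BuildType3Sample(const std::string& domain, const std::string& user,
                       const std::string& ws, bool unicode) {
    Bytes b(88, 0);
    std::memcpy(b.data(), "NTLMSSP", 8);
    b[8] = 3; b[60] = unicode ? 0x01 : 0x02;  // MessageType; NEGOTIATE_UNICODE or NEGOTIATE_OEM
    auto put = [&](size_t desc, const std::string& s) {
        std::string enc;
        for (char c : s) { enc += c; if (unicode) enc += '\0'; }
        uint32_t len = static_cast<uint32_t>(enc.size()), off = static_cast<uint32_t>(b.size());
        b[desc] = b[desc + 2] = len & 0xFF; b[desc + 1] = b[desc + 3] = (len >> 8) & 0xFF;
        for (int i = 0; i < 4; ++i) b[desc + 4 + i] = (off >> (8 * i)) & 0xFF;
        b.insert(b.end(), enc.begin(), enc.end());
    };
    put(28, domain); put(36, user); put(44, ws);
    return b;
}
}  // namespace ntlm
```

In the proxy the sequence is: a request with no Proxy-Authorization gets a 407 carrying ChallengeHeader(); a type 1 token from TokenFromHeader() goes into AcceptSecurityContext(), whose output token goes back in another 407 via ChallengeHeader(type2); a type 3 token goes into AcceptSecurityContext() again, and only on SEC_E_OK do you treat the client as authenticated and read the name from the context (QueryContextAttributes with SECPKG_ATTR_NAMES, or QuerySecurityContextToken for the user's token) rather than from Parse(). Two caveats a proxy author hits quickly: NTLM authenticates the TCP connection, not each request, so the context must be kept per client connection and the connection kept alive across the three legs; and a type 3 that arrives with no pending challenge, or a second type 3 on an already-authenticated connection, should be rejected, not parsed for a username.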