
I successfully configured NTLM authentication. Unfortunately the config allows semi-basic authorization. For example, when I'm using TortoiseSVN 1.8.4 (with the serf access lib), Chrome or IE web browsers, they authenticate with NTLM successfully without prompting for anything. In the log file I see authenticated users. Unfortunately, when I'm using for example an unconfigured Firefox or Maxthon, those browsers prompt me for credentials. I don't need this, because the same situation occurs when I'm trying to access from an out-of-domain computer.

I'm using Windows Server as domain controller, Windows 7/8 as client systems, and Linux/Debian as web server. I configured Kerberos from Linux to Windows AD, winbind for local NTLM authentication, and the Apache 2.2 series. As Apache authentication glue I use the mod_auth_ntlm_winbind.so apache2 module, and under the directory/location config the ntlm helper to communicate with winbind. This works properly; example for Apache:

<Directory /var/www/>
  # defaults for the main www directory
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  # modified: deny access from any IP; in future, add auth-less access from specified hosts
  Order deny,allow
  deny from all
  #allow from IP/mask
  # settings for NTLM auth with the winbind helper
  AuthName "NTLM Authentication"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth  --domain=MY.WINDOWS.DOMAIN --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
  # because the IP rule is default deny, let authentication alone grant access
  satisfy any
</Directory>

I hoped maybe I could do some redirection using the Apache AUTH_TYPE variable, so I added the following rewriting to the config above:

  RewriteEngine on
  RewriteRule ^ /cgi-bin/TestAuth.pl?DollarOne=1&AUTH_TYPE=%{AUTH_TYPE}&REMOTE_USER=%{REMOTE_USER}

And an example script TestAuth.pl as CGI content:

#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper; # easy way to print the process environment
print "Content-type:text/plain\r\n"; # respecting the HTTP protocol: header, then blank line
print "\r\n";
print "Environment contains:\r\n";
print "x\r\n";
print Data::Dumper->Dump([\@ARGV,\%ENV],[qw(ARGV ENV)]); # prints all script arguments and process variables (AUTH_TYPE, REMOTE_USER, ...)

Unfortunately, in all cases, with Windows-based NTLM auth and with prompted credentials, I always see AUTH_TYPE is NTLM. So there is no way to recognize what the browser does. In that situation I can access from clients outside the domain.

I tried wrapping the ntlm helper with strace. Unfortunately I don't see anything important in its dump across the four-way combination of successful/failed auth and access by IE (non-prompted) and FF (prompted). I think the same situation occurs when the ntlm helper authenticates to a local Samba server, but I never tested this.

Now I'm trying to do some config with multiple auth types, Basic and NTLM. I try to do Basic first and filter it out with an always-fail, redirecting it to an info page. Unfortunately, so far without success with the NTLM mix :( NTLM is always done first.

So, does anybody have an idea how to prevent credential prompting? How to revoke access from prompted clients? How to recognize whether credentials come from a prompt or from the Windows client API?

Znik

2 Answers


Using NTLM authentication doesn't guarantee a credential-less login. If you have valid Windows credentials that the server can recognize, you won't get a password prompt.

If the user doesn't have valid NTLM pass-through credentials, they will be prompted to provide them. It is in no way reverting to 'basic' authentication.

Unfortunately, there is no way to tell if a user provided the credentials or if they were passed-through by the system.

Perhaps ask a new question outlining what you want your users to experience (i.e. different sites for internal and external users) and someone may be able to help in a different way.

Ryan Newington
  • Users are like users. They always blame admins for everything :) especially client-side password storing, then locking them :P. But can you give me any URLs explaining how authentication keys are exchanged between components? I think the no-prompting method is different from the prompting method. Maybe inside the ntlm helper some exchange can be filtered out to revoke access? It's my last hope. – Znik Feb 18 '14 at 09:47
  • The client sends a GET request to the server. The server responds with a 401 Authentication Required (NTLM) message. If the client has pass-through credentials available, it re-sends the GET request with the NTLM authentication information. If it doesn't, it prompts the user for credentials, and then sends them. As you can see in this transaction, the server has no knowledge of where the credentials came from. This is just how HTTP authentication works, with any auth protocol, even basic. – Ryan Newington Feb 18 '14 at 09:55
  • A brief overview of HTTP authentication. http://en.wikipedia.org/wiki/Basic_access_authentication – Ryan Newington Feb 18 '14 at 09:58
  • Thank you for the response, this is helpful :) unfortunately I can't sign you up because of my starting reputation. Then I'll try other ways, Kerberos, SSPI and maybe others. Thank you again. – Znik Feb 18 '14 at 10:41
  • You're not going to be able to do what you are after with any HTTP authentication method. Again, it would be helpful if you posted your desired **outcome** as a question, rather than the way you think it can be solved. If I can assume, you want to allow NTLM logins for domain computers, and not others. The only way I know of to do this is use group policy to push out a custom UserAgent string to your domain based PCs. You can then detect this in apache and send them to the NTLM-enabled site. If you don't detect your agent string, then send them somewhere else (forms auth perhaps)? – Ryan Newington Feb 18 '14 at 10:50
  • You should still be able to mark the answer as 'accepted' even with your reputation. – Ryan Newington Feb 18 '14 at 10:50
  • Yes, you're right. I want to allow access to the page only to domain users from domain-registered stations. The web client credentials popup breaks this. I think the last chance is NTLM frame filtering. Maybe "popup"-signed frames are different from OS-session-key-signed frames. This should resolve my problem, but there is only a little chance to implement it. – Znik Feb 19 '14 at 07:48
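The User-Agent routing that the comment above suggests, written out as an added Apache 2.2 mod_rewrite example (not part of the original answer). The token "CorpDomainPC", the paths /ntlm/ and /external/, and the idea that Group Policy appends the token to the browser's User-Agent are all assumptions. Note that the User-Agent header is chosen by the client, so this only routes users to the right login experience; the NTLM or Kerberos handshake under /ntlm/ remains the actual access control.

```apache
# Added example, not from the original answer. Assumes domain PCs carry the
# placeholder token "CorpDomainPC" in their User-Agent (pushed via Group Policy)
# and that /ntlm/ is the NTLM-protected area and /external/ the public one.
RewriteEngine on

# Domain PCs (token present) are sent to the NTLM-protected site
RewriteCond %{HTTP_USER_AGENT} CorpDomainPC
RewriteCond %{REQUEST_URI} !^/ntlm/
RewriteRule ^/(.*)$ /ntlm/$1 [PT,L]

# Everyone else (token absent) is sent to the external site, e.g. forms login
RewriteCond %{HTTP_USER_AGENT} !CorpDomainPC
RewriteCond %{REQUEST_URI} !^/external/
RewriteRule ^/(.*)$ /external/$1 [PT,L]

# The protected area keeps the NTLM configuration from the question;
# only requests routed here ever see the NTLM challenge
<Location /ntlm/>
  AuthName "NTLM Authentication"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --domain=MY.WINDOWS.DOMAIN --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
</Location>
```

Because the rules live in server context, the rewritten path is passed through ([PT]) so the <Location> match applies after the rewrite. A browser outside the domain that spoofs the token still lands on /ntlm/, where it simply fails the NTLM handshake, which is why the routing is a usability measure and not a security boundary.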

For now I resolved this problem by switching from NTLM to Kerberos authentication. Everything prepared for winbind works directly under Kerberos, because I earlier configured Kerberos for winbind with AD server communication. Because Kerberos is open, the developers anticipated different sub-authentication on the user endpoint. Very helpful is a flag in the apache2.2 Kerberos module:

KrbMethodNegotiate on
KrbMethodK5Passwd off

This causes what I want. The browser gets a krb frame with the attribute "Don't popup user for credentials", so the client simply doesn't do this. But if it does (any incompatibility?), the Apache server module should detect this and should revoke authentication.

Using Microsoft's NTLM this is impossible because the protocol is spoiled. The first NTLM frame after web return code 201 doesn't have the possibility of adding an attribute "don't prompt user for credentials". So I can filter that frame only after the popup or OS session key signing. This causes the browser to always display a popup when the OS session key is unavailable.

Eventually there is another chance. The user takes some time to type credentials, or to accept them when credentials are stored in the browser. I can count the time between sending the auth frame to the browser and the frame incoming from the client. When the time is too long I can revoke. Unfortunately this may cause false unauthentication on busy computers or networks.

I'll try both methods in the future :) It will be funny if all of it can be done under the Apache winbind auth module. Then all config can be encapsulated under Apache, the same as for Kerberos auth.

Thank you all for your interest, investigations and help :)

Znik
  • this does not actually solve your problem. Try it using IE from a non-Windows box or outside your internal network and you will find that a basic auth popup comes up even if you have KrbMethodNegotiate on / KrbMethodK5Passwd off – droid-zilla Mar 30 '14 at 13:34
  • You're right, but when the popup comes, the user still cannot log on. It is what I want. When external users are not allowed because they cannot contact the server domain, it is simple to add a rewrite or redirect rule that informs the user about the restriction. That behavior depends on company rules. Finally, Kerberos works for me. But NTLM should too, though I have no time to write a script. It needs NTLM frame inspection, or the time delay between sending the seed and receiving the signed message from the client. Time counting is the last chance, but this can report a fake popup when a network delay occurs. – Znik Apr 01 '14 at 09:00
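The two mod_auth_kerb flags from this answer in the context of a complete Apache 2.2 <Location> block, as an added example (not the answerer's actual configuration). The realm name, keytab path, service principal and the /no-ticket.html page are placeholders. The commented-out second block shows the weak setting beside the corrected one: with KrbMethodK5Passwd on, mod_auth_kerb also advertises Basic authentication, which is exactly what produces a username/password dialog in browsers without a ticket.

```apache
# Added example, not from the original answer. Placeholder values:
# MY.WINDOWS.DOMAIN (realm), /etc/apache2/http.keytab (keytab holding the
# HTTP/<webserver fqdn>@MY.WINDOWS.DOMAIN key) and /no-ticket.html.
<Location /intranet>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbAuthRealms MY.WINDOWS.DOMAIN
  Krb5Keytab /etc/apache2/http.keytab
  KrbServiceName HTTP
  # Offer only SPNEGO/Negotiate, i.e. a ticket obtained from the domain KDC ...
  KrbMethodNegotiate on
  # ... and never offer Basic, so the server will not accept a typed password
  KrbMethodK5Passwd off
  # Do not fall through to other auth modules when the ticket check fails
  KrbAuthoritative on
  require valid-user
  # Clients without a usable ticket still get a 401; serve a local explanation
  # page with it instead of the bare error. This must be a local path: an
  # external redirect would replace the 401 and drop the WWW-Authenticate header.
  ErrorDocument 401 /no-ticket.html
</Location>

# Weak variant for contrast (kept commented out). KrbMethodK5Passwd on makes
# mod_auth_kerb send "WWW-Authenticate: Basic" as well, so any browser can
# prompt and the typed password is verified against the KDC over the network.
# <Location /intranet-weak>
#   AuthType Kerberos
#   AuthName "Kerberos Login"
#   KrbAuthRealms MY.WINDOWS.DOMAIN
#   Krb5Keytab /etc/apache2/http.keytab
#   KrbMethodNegotiate on
#   KrbMethodK5Passwd on
#   require valid-user
# </Location>
```

As the droid-zilla comment notes, a browser that cannot reach the KDC may still display a dialog (IE falls back to NTLM inside the Negotiate token), but with K5Passwd off the server has no password path to verify, so the login fails either way; the 401 page is where the rewrite or redirect rule from the reply above fits.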