I have to access a web server at http://someserver and it requires some authentication. How can I tell if it is using NTLM, Kerberos or whatever it may be?
3 Answers
Another way to do this is to look at the first few bytes of the header.
If it starts with "Negotiate TlR" then you're doing SPNEGO over NTLM.
If it starts with "Negotiate YII" then you're doing SPNEGO over Kerberos.
Grant

Use a tool like Fiddler to look at the response headers. The server will send back some "WWW-Authenticate" headers that list the different security protocols that are supported.

Fiddler will also tell you if you're using NTLM vs Kerberos by parsing the www-authenticate header. – Christopher G. Lewis Feb 04 '10 at 14:47
To extend Grant Cermak's answer:
The WWW-Authenticate header is base64 encoded. When it starts with TlR, after decoding it, we see that it starts with NTLMSSP (http://msdn.microsoft.com/en-us/library/cc236641.aspx), so we know that it's NTLM.
When it starts with YII, after decoding we see that it starts with the bytes 0x60, 0x82 (i.e. Application Constructed Object), then there are two bytes for the length of the whole token, and then there's: 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 (i.e. the SPNEGO OID: 1.3.6.1.5.5.2) (http://msdn.microsoft.com/en-us/library/ms995330.aspx). We know that it's a SPNEGO token.
Depending on the length of the SPNEGO token, the WWW-Authenticate header may start with anything from YA to YP.
Kamil & SPL

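The checks described in the answers above, as an added Python example that is not part of any answer: it base64-decodes the token, looks for the NTLMSSP signature or the 0x60 wrapper followed by the SPNEGO OID, and goes one step further by listing which mechanism OIDs appear inside a SPNEGO token. The function name `classify` and the sample tokens are constructed for illustration, and the mechanism lookup is a byte-search heuristic, not a full ASN.1 parse.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECH_OIDS = {                                             # DER-encoded mechanism OIDs
    bytes.fromhex("06092a864886f712010202"): "Kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",    # 1.3.6.1.4.1.311.2.2.10
}

def classify(header_value):
    """Classify the value of a WWW-Authenticate or Authorization header."""
    _, _, b64 = header_value.strip().partition(" ")
    if not b64.strip():
        return "no token (scheme offer only)"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "not base64"
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        # Message type: 1 = negotiate, 2 = challenge, 3 = authenticate
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return f"NTLMSSP message type {msg_type}"
    if len(token) >= 2 and token[0] == 0x60:              # [APPLICATION 0] GSS-API wrapper
        # DER length: one byte if < 0x80, else 0x80|n followed by n length bytes
        skip = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
        body = token[skip:]
        if body.startswith(SPNEGO_OID):
            # Heuristic: find known mechanism OIDs by byte search, in order of appearance
            found = sorted((body.find(o), n) for o, n in MECH_OIDS.items() if o in body)
            return "SPNEGO: " + (", ".join(n for _, n in found) or "no known mechanism OID")
        for oid, name in MECH_OIDS.items():
            if body.startswith(oid):
                return f"{name} GSS-API token without SPNEGO"
    return "unrecognised token"

# Constructed samples (not captured traffic)
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 20
SPNEGO_INIT = (b"\x60\x27" + SPNEGO_OID + b"\xa0\x1d\x30\x1b\xa0\x19\x30\x17"
               + b"".join(MECH_OIDS))

if __name__ == "__main__":
    for raw in (NTLM_TYPE1, SPNEGO_INIT):
        value = "Negotiate " + base64.b64encode(raw).decode()
        print(value[:24] + "...", "->", classify(value))
    print("NTLM ->", classify("NTLM"))
```

The first 401 from a server usually carries only the scheme names, so the token checks apply to the client's Authorization header and to later server responses in the handshake.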