5

I am wondering if we are using NTLM (Windows) authentication - how server determines if user is already logged on or not. So when I first time access the site - the server tells me he want to authenticate me via NTLM:

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Then client and server exchanging few requests - actually challenge/response phase happens here, particularly server generates and sends challenge to client, client calculates response based on it and sends back, and then server contact Domain Controller to verify it. Ok, we're done.

But when I am authenticated and go to any page, there are no any authentication headers anymore. How does server know that I'm already authenticated?

P.S. I thought IIS ties client by MAC or IP but indeed that's not true. NTLM works for single browser. Also no NTLM specific cookies were found.

seeker
  • 3,255
  • 7
  • 36
  • 68

1 Answers1

6

NTLM over http is using HTTP persistent connection or http keep-alive.

A single connection is created and then kept open for the rest of the session.

If using the same authenticated connection, it is not necessary to send the authentication headers anymore.

This is also the reason why NTLM doesn't work with certain proxy servers that don't support keep-alive connections.

Peter Hahndorf
  • 10,767
  • 4
  • 42
  • 58
  • Thanks, indeed I haven't thought about that. BTW - according to wikipedia `Persistent connections time out after 60 seconds of inactivity which is changeable via the Windows Registry.`. Does that mean that browser send kerberos ticket every 1-2 minutes? – seeker Oct 06 '16 at 12:59
  • I don't really know the details of the implementation, I guess the credentials are cached in the browser and may be resend if required. You could look at the network traffic to find out. – Peter Hahndorf Oct 06 '16 at 13:03
  • @PeterHahndorf, Can you look my question: https://stackoverflow.com/questions/56538498/how-to-change-lan-manager-authentication-level-for-using-ntlmv2-on-virtual-machi. Thank you for your help. – S.Balaban Jun 11 '19 at 08:27
  • Server can make use of cookies too right instead of having persistent connection. – Frank Q. Feb 02 '21 at 06:48