4

I know that you can enable NTLM authentication in an ASP.Net app using:

<authentication mode="Windows" />

However - I need to handle Forms, HTTP and other custom authentications in the same app, so ASP.Net's limited built-in support is no use.

The NTLM handshake should be fairly simple:

Request  - [unauthenticated - no user info passed]

Response - 401 Unauthorized
           WWW-Authenticate: NTLM


Request  - Authorization: NTLM <base64-encoded type-1-message>

Response - 401 Unauthorized
           WWW-Authenticate: NTLM <base64-encoded type-2-message>


Request  - Authorization: NTLM <base64-encoded type-3-message>

           Server can now check username/password against LDAP from type-3 message
Response - 200 Ok [now authenticated & authorised]

So to roll my own I need to parse type-1 and type-3 messages and generate a type-2 message.

The structure for those messages is well documented but fairly complex - it seems very messy to write my own message generators and parsers. I think the methods to read and write these messages should already be in .Net, but I haven't been able to find them.

How can I build and parse these NTLM messages using .Net?

Keith
  • How do you plan to secure static files on your website under all of these different authentication strategies? – Shan Plourde Jan 18 '11 at 12:28
  • @Shan Plourde - that's a good point. HTTP auth is for data services and never used for static content. NTLM falls back to Forms for the browsers that don't support it. However it's probably simpler than that for us: our static content is all image, js and css files - they're all available to anonymous users anyway. – Keith Jan 18 '11 at 12:44
  • We had created a custom authentication strategy (based on a login form) in ASP.NET before that was largely based on an existing custom Active Directory authentication API (our backing user store is an Active Directory). If your backing store is also Active Directory, then you could probably create the same sort of custom authentication strategy that used Active Directory to validate user accounts. Is that sort of what you're looking for? – Shan Plourde Jan 18 '11 at 13:26
  • @Shan Plourde - we already do - Forms auth checks the username/password against their LDAP server. Some clients have asked about NTLM auth so I'm investigating support for it. – Keith Jan 18 '11 at 13:33
  • Not sure, but I've always associated NTLM with Active Directory. ASP.NET has an out-of-the-box provider for this, http://msdn.microsoft.com/en-us/library/ff650308.aspx. There are also custom approaches, such as http://www.beansoftware.com/ASP.NET-Tutorials/Forms-Authentication-Active-Directory.aspx. Not sure if I'm understanding your need properly though, but the second approach was similar to what we did. – Shan Plourde Jan 18 '11 at 13:39
  • @Shan Plourde - NTLM is an _authentication_ method - it's how you check what user is currently trying to do stuff. We already use (and your examples too) LDAP for _authorisation_ i.e. checking what that user is then allowed to do. Both of your examples use LDAP for _authorisation_, but then create a cookie for _authentication_. We want to use NTLM for _authentication_ - there should be no cookie. – Keith Jan 18 '11 at 14:26
  • Do you have any flexibility with web server configuration? What SharePoint seems to do is to map different authentication schemes to different sites/vdirs/apps in IIS. So for NTLM you have one URL and a different one for each other type of authentication. You could point to the same place on disk but you'd need to wire up the authentication provider somewhere other than web.config to avoid the need for different physical file paths. – Brian Lyttle Jan 18 '11 at 16:05
  • @BrianLy - not loads and all the users go to the same URL. I'm trying to avoid using the web.config. The HTTP challenge response bit is actually very easy, the messy bit is the 3 encrypted messages that need to be generated and parsed. ASP and/or IIS is already doing that (when you use the web.config), I just want to isolate the methods that do it and call them myself. – Keith Jan 19 '11 at 09:43
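The three legs of the handshake above at the byte level, as an added example that is not code from the original post, from .NET or from IIS: it builds a type-1 message, parses it, issues a type-2 challenge, then parses and verifies a type-3 response, following the field layouts in MS-NLMP. It is written in Python so it runs stand-alone; the offsets are the ones a C# port would read with a BinaryReader. One point worth seeing in code: the type-3 message does not carry the password. Its NT response is an HMAC-MD5 keyed with the user's NT hash over the server challenge and a client-supplied blob, so whoever verifies it must hold the NT hash (or pass the blobs to a domain controller or SSPI, which is what IIS does). The user name, domain, workstation, NT hash (the MD4 of UTF-16LE "password") and nonces are constructed test values.

```python
# Added example (not code from the original post, from .NET or from IIS): NTLM
# type-1/2/3 layout and NTLMv2 verification per MS-NLMP. Names, NT hash and
# nonces below are constructed test values.
import base64
import hashlib
import hmac
import os
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, REQUEST_TARGET, NEGOTIATE_NTLM = 0x00000001, 0x00000004, 0x00000200
TARGET_TYPE_SERVER, NEGOTIATE_TARGET_INFO = 0x00020000, 0x00800000
SERVER_FLAGS = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_SERVER | NEGOTIATE_TARGET_INFO
# Constructed: the NT hash (MD4 of UTF-16LE "password") the server holds for the test user.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

def _u16(s):
    return s.encode("utf-16-le")

class _Payload:
    """Collects variable-length data; field() returns the (Len, MaxLen, Offset) security buffer."""
    def __init__(self, header_len):
        self.data, self.base = b"", header_len

    def field(self, chunk):
        buf = struct.pack("<HHI", len(chunk), len(chunk), self.base + len(self.data))
        self.data += chunk
        return buf

def _read(msg, at):
    length, _, offset = struct.unpack_from("<HHI", msg, at)   # bounds-checked buffer deref
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def _check_header(msg, msg_type):
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != msg_type:
        raise ValueError("not an NTLM type-%d message" % msg_type)

def build_type1(flags, workstation=b""):
    p = _Payload(32)                               # header without Version field
    dom, ws = p.field(b""), p.field(workstation)   # OEM strings here, not UTF-16
    return SIGNATURE + struct.pack("<II", 1, flags) + dom + ws + p.data

def parse_type1(msg):
    _check_header(msg, 1)
    return {"flags": struct.unpack_from("<I", msg, 12)[0], "workstation": _read(msg, 24).decode("latin-1")}

def build_type2(target, server_challenge, flags=SERVER_FLAGS):
    p = _Payload(48)                               # header without Version field
    name = _u16(target)
    av_pairs = struct.pack("<HH", 1, len(name)) + name + struct.pack("<HH", 0, 0)   # NbComputerName, EOL
    name_buf, info_buf = p.field(name), p.field(av_pairs)
    return (SIGNATURE + struct.pack("<I", 2) + name_buf + struct.pack("<I", flags)
            + server_challenge + bytes(8) + info_buf + p.data)

def parse_type3(msg):
    _check_header(msg, 3)
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    return {"lm_response": _read(msg, 12), "nt_response": _read(msg, 20),
            "domain": _read(msg, 28).decode(enc), "user": _read(msg, 36).decode(enc),
            "workstation": _read(msg, 44).decode(enc), "flags": flags}

def ntowf_v2(nt_hash, user, domain):
    return hmac.new(nt_hash, _u16(user.upper() + domain), hashlib.md5).digest()

def verify_ntlmv2(server_challenge, nt_response, nt_hash, user, domain):
    """Server side: recompute NtProofStr from the stored NT hash and the blob the
    client echoed back. The password itself never crosses the wire."""
    proof, blob = nt_response[:16], nt_response[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return len(proof) == 16 and hmac.compare_digest(proof, expected)

def build_type3(type2, user, domain, workstation, nt_hash, client_challenge, timestamp):
    """Client side NTLMv2 response; included only to produce input for the server code."""
    server_challenge, flags = type2[24:32], struct.unpack_from("<I", type2, 20)[0]
    temp = (b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_challenge
            + bytes(4) + _read(type2, 40) + bytes(4))   # echoes the server's AV_PAIR list
    key = ntowf_v2(nt_hash, user, domain)
    nt_resp = hmac.new(key, server_challenge + temp, hashlib.md5).digest() + temp
    lm_resp = hmac.new(key, server_challenge + client_challenge, hashlib.md5).digest() + client_challenge
    p = _Payload(64)                               # header without Version and MIC
    bufs = [p.field(x) for x in (lm_resp, nt_resp, _u16(domain), _u16(user), _u16(workstation), b"")]
    return SIGNATURE + struct.pack("<I", 3) + b"".join(bufs) + struct.pack("<I", flags) + p.data

def run_handshake(server_nt_hash, client_nt_hash, user="alice", domain="CORP"):
    """The three HTTP legs from the question, including the base64 header encoding."""
    server_challenge = os.urandom(8)               # fresh per exchange, kept until leg 3
    authz = "NTLM " + base64.b64encode(build_type1(NEGOTIATE_UNICODE | NEGOTIATE_NTLM, b"PC1")).decode()
    parse_type1(base64.b64decode(authz[5:]))       # leg 1: Authorization: NTLM <type1>
    www_auth = "NTLM " + base64.b64encode(build_type2("WEBAPP", server_challenge)).decode()
    type2 = base64.b64decode(www_auth[5:])         # leg 2: WWW-Authenticate: NTLM <type2>
    type3 = build_type3(type2, user, domain, "PC1", client_nt_hash, os.urandom(8), 0)
    t3 = parse_type3(type3)                        # leg 3: Authorization: NTLM <type3>
    ok = verify_ntlmv2(server_challenge, t3["nt_response"], server_nt_hash, t3["user"], t3["domain"])
    return t3["domain"] + "\\" + t3["user"] if ok else None
```

`run_handshake` walks the exchange in-process; in the web app the two base64 strings are what go into the `Authorization` and `WWW-Authenticate` headers. The server challenge has to be random, fresh per exchange and remembered until the type-3 arrives, because the verification needs it. The optional Version and MIC fields are omitted here; real clients include them, and since the security buffers carry absolute offsets the parser above still reads such messages correctly.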

1 Answer

1

Cassini supports NTLM authentication, so you could use the source to more easily create a class which parses the NTLM authorization messages.

http://cassinidev.codeplex.com/

Peter Loh
  • One problem with the NTLM authentication class from CassiniDev is that it only seems to work with the local machine. Remote connections get a "The token supplied to the function is invalid" error – Tom Lint Jun 03 '16 at 15:22
  • Actually, scratch that - the problem was that IIS for some weird reason intercepted the NTLM authentication messages, even though Windows Authentication was disabled. I had to remove the Windows Authentication modules via the web.config to get it to work. – Tom Lint Dec 13 '16 at 15:27
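The module removal described in the comment above, as an added configuration example that is not from the original answer or comments. The module and section names are the standard ones for ASP.NET and the IIS 7+ integrated pipeline; the point is that both the ASP.NET-level and the IIS-level Windows authentication have to be out of the way, or IIS consumes the `Authorization: NTLM` header before the application sees it.

```xml
<configuration>
  <system.web>
    <!-- ASP.NET side: no built-in authentication, the app issues its own NTLM challenges -->
    <authentication mode="None" />
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <!-- IIS side: anonymous only, so the NTLM headers reach the application -->
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
    <modules>
      <!-- integrated pipeline name of the Windows authentication module -->
      <remove name="WindowsAuthentication" />
    </modules>
  </system.webServer>
</configuration>
```

The `<security>/<authentication>` sections are locked at the server level by default, so this fragment fails with a "configuration section cannot be used at this path" error until those sections are unlocked in applicationHost.config (for example with `appcmd unlock config -section:system.webServer/security/authentication/windowsAuthentication`) or the same settings are applied at the site level instead.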