Network trace sample of web access by a web proxy client using Kerberos authentication

For people who love to see network traces and would like to see the network traffic when a web proxy client accesses the internet through ISA Server using Kerberos authentication,

here is the sample. I will add more comments in it whenever time permits me, to give more readability. This is like a reference for what you would expect in network traffic, for comparison or for understanding the behaviour.

***********************************************************************************************************************************************************************************************

Web access by web proxy client: Kerberos authentication. Notice how few packets (only two: the 407 challenge from ISA and the request carrying the Kerberos token) are exchanged between ISA and the client for authentication, and compare that with NTLM authentication (to get internet access through ISA), which I will discuss in my next post. This makes it a good case to think about how much traffic is reduced by using Kerberos authentication.

TCP handshake

2 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP:Flags=......S., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992582363, Ack=0, Win=65535 ( ) = 65535 {TCP:2, IPv4:1}

3 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283664136, Ack=992582364, Win=16384 ( Scale factor not supported ) = 16384 {TCP:2, IPv4:1}

4 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992582364, Ack=283664137, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

The GET request after the TCP handshake

5 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET https://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}

Acknowledgement of frame 5

6 03:46:14.6801910 21829.3111910 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283664137, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}

Proxy Authentication Required response from the ISA server with status code 407

7 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: https://www.bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:3, TCP:2, IPv4:1}

Details of frame 7 for deeper insight (the ISA server lists the authentication methods it supports in the Proxy-Authenticate headers it sends to the client: Negotiate, Kerberos and NTLM)

Note: this 407 challenge only appears if the internet access rule on ISA/TMG allows access only to authenticated users.

*************************************************************************************

  Frame: Number = 7, Captured Frame Length = 1514, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-58-87-02],SourceAddress:[00-15-5D-58-87-03]

+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.10, Next Protocol = TCP, Packet ID = 1124, Total IP Length = 1500

+ Tcp: Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283664137 - 283665597, Ack=992583031, Win=64868 (scale factor 0x0) = 64868

- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: https://www.bing.com/ Using Multiple Authetication Methods, see frame details

    ProtocolVersion: HTTP/1.1

    StatusCode: 407, Proxy authentication required

   Reason: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

    Via: 1.1 ISA-NEW

  - ProxyAuthenticate: Negotiate

   - Authenticate: Negotiate

      WhiteSpace:

      AuthenticateData: Negotiate

  - ProxyAuthenticate: Kerberos

   - Authenticate: Kerberos

      WhiteSpace:

      AuthenticateData: Kerberos

  - ProxyAuthenticate: NTLM

   - Authenticate: NTLM

      WhiteSpace:

      AuthenticateData: NTLM

    Connection: Keep-Alive

    ProxyConnection: Keep-Alive

    Pragma: no-cache

    Cache-Control: no-cache

  - ContentType: text/html

     MediaType: text/html

    ContentLength: 4111

    HeaderEnd: CRLF

  - payload: HttpContentType = text/html

     HtmlElement: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

     HtmlElement:

<HTML>

     HtmlElement: <HEAD>

     HtmlElement: <TITLE>

     HtmlElement: Error Message</TITLE>

     HtmlElement:

<META http-equiv=Content-Type content="text/html; charset=UTF-8">

     HtmlElement:

<STYLE id=L_default_1>

     HtmlElement: A {

                FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: #005a80; FONT-FAMILY: tahoma

}

A:hover {

                FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: #0d3372; FONT-FAMILY: tahoma

}

TD {

                FONT-SIZE: 8pt; FONT-FAMILY: tahoma

}

TD.titleBorder {

                BORDER-RIG

 

*************************************************************************************

Continuation of the Proxy Authentication Required response (frame 7) and the corresponding acknowledgements.

8 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283665597 - 283667057, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}

9 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992583031, Ack=283667057, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

10 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283667057 - 283668517, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}

11 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=137, Seq=283668517 - 283668654, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}

12 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992583031, Ack=283668654, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

Authorization response by the client.

13 03:46:26.7426910 21841.3736910 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET https://www.bing.com/ , Using GSS-API Authorization {HTTP:3, TCP:2, IPv4:1}

Details: the client sends a Kerberos AP request, KRB_AP_REQ (14), inside a SPNEGO Negotiate token, carrying a service ticket for the proxy (Ticket: Realm: CORPA.LOCAL, Sname: HTTP/isa-new.corpa.local),

as shown below.

*************************************************************************************

  Frame: Number = 13, Captured Frame Length = 2446, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-58-87-03],SourceAddress:[00-15-5D-58-87-02]

+ Ipv4: Src = 192.168.0.10, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15714, Total IP Length = 2432

+ Tcp: [Bad CheckSum]Flags=...AP..., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=2392, Seq=992583031 - 992585423, Ack=283668654, Win=65535 (scale factor 0x0) = 65535

- Http: Request, GET https://www.bing.com/ , Using GSS-API Authorization

    Command: GET

  + URI: https://www.bing.com/

    ProtocolVersion: HTTP/1.1

    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*

    Accept-Language: en-us

    UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

    Accept-Encoding: gzip, deflate

    ProxyConnection: Keep-Alive

  + Cookie: MUID=B4E2B7A6025A4BCBB5AE84B1F4BC646D; SRCHD=MS=1367625&D=1055001&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20100102; _UR=OMW=1&OMF=1; SRCHUID=V=2&GUID=FF1CEFDA48FD47B495A1C2B71E5C5B3B

  - ProxyAuthorization: Negotiate

   - Authorization: Negotiate YIIE8QYGKwYBBQUCoIIE5TCCBOGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBLcEggSzYIIErwYJKoZIhvcSAQICAQBuggSeMIIEmqADAgEFoQMCAQ6iBwMFACAAAACjggO/YYIDuzCCA7egAwIBBaENGwtDT1JQQS5MT0NBTKImMCSgAwIBAqEdMBsbBEhUVFAbE2lzYS1uZXcuY29yc

      WhiteSpace:

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - InitialContextToken:

       + ApplicationHeader:

       - ThisMech: SpnegoToken (1.3.6.1.5.5.2)

        + MechType: SpnegoToken (1.3.6.1.5.5.2)

       - InnerContextToken: 0x1

        - SpnegoToken: 0x1

         + ChoiceTag:

         - NegTokenInit:

          + SequenceHeader:

          + Tag0:

          - MechTypes: Prefer MsKerberosToken (1.2.840.48018.1.2.2)

           + SequenceHeader:

           + MechType: MsKerberosToken (1.2.840.48018.1.2.2)

           + MechType: KerberosToken (1.2.840.113554.1.2.2)

           + MechType: NLMP (1.3.6.1.4.1.311.2.2.10)

          + Tag2:

          + OctetStringHeader:

          - MechToken: 0x1

           - MsKerberosToken: 0x1

            - KerberosInitToken:

             + ApplicationHeader:

             - ThisMech: KerberosToken (1.2.840.113554.1.2.2)

              + MechType: KerberosToken (1.2.840.113554.1.2.2)

             - InnerContextToken: 0x1

              - KerberosToken: 0x1

                 TokId: Krb5ApReq (0x100)

               - ApReq: KRB_AP_REQ (14)

                + ApplicationTag:

                + SequenceHeader:

                + Tag0:

                + PvNo: 5

                + Tag1:

                + MsgType: KRB_AP_REQ (14)

                + Tag2: 0x1

                + ApOptions:

                + Tag3:

                - Ticket: Realm: CORPA.LOCAL, Sname: HTTP/isa-new.corpa.local

                 + ApplicationTag:

                 + SequenceHeader:

                 + Tag0:

                 + TktVno: 5

                 + Tag1:

                 + Realm: CORPA.LOCAL

                 + Tag2: 0x1

                 - Sname: HTTP/isa-new.corpa.local

                  + SequenceHeader:

                  + Tag0:

                  + NameType: NT-SRV-INST (2)

                  + Tag1:

                  + SequenceOfHeader:

                  + NameString: HTTP

                  + NameString: isa-new.corpa.local

                 + Tag3: 0x1

                 - EncPart:

                  + SequenceHeader:

                  + Tag0:

                  + EType: rc4-hmac (23)

                  + Tag1:

                  + KvNo: 5

                  + Tag2:

                  + Cipher: <encrypted ticket bytes, not printable; omitted>

                + Tag4:

                + Authenticator:

    Host: www.bing.com

    HeaderEnd: CRLF

*************************************************************************************
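To make the frame 13 details above concrete, here is an added example (my own code, not part of the original post and not ISA Server or Network Monitor code) that decodes the Proxy-Authorization: Negotiate header exactly as the post shows it. The post prints only the first 233 base64 characters of the token, so the sample embedded below is cut off inside the service host name; the parser reports that truncation instead of failing, which is also what you want when decoding tokens from capture files taken with a snap length. It walks the DER structure the frame details list: the GSS-API/SPNEGO wrapper, the offered mechanism OIDs (MsKerberosToken, KerberosToken, NLMP), the KRB_AP_REQ, its ApOptions, and the ticket's Realm and Sname. The OID label table, the hand-built NTLM fallback sample and the NTLMSSP check are my additions; the EType (rc4-hmac, 23) lies past the truncation point, so this sample cannot reach it.

```python
import base64
# Constructed sample: the Proxy-Authorization header of frame 13, base64 token copied verbatim
# from the post, which cuts it off after 233 characters (inside the name "isa-new.corpa.local").
PROXY_AUTHORIZATION = (
    "Negotiate "
    "YIIE8QYGKwYBBQUCoIIE5TCCBOGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBLcEggSz"
    "YIIErwYJKoZIhvcSAQICAQBuggSeMIIEmqADAgEFoQMCAQ6iBwMFACAAAACjggO/YYIDuzCCA7egAwIBBaENGwtD"
    "T1JQQS5MT0NBTKImMCSgAwIBAqEdMBsbBEhUVFAbE2lzYS1uZXcuY29yc"
)
# Constructed NTLM-fallback sample (hand-built DER, not a capture): NegTokenInit offering only NLMP.
NTLM_FALLBACK = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602c06062b0601050502a0223020a00e300c060a2b06010401823702020aa20e040c4e544c4d5353500001000000"
)).decode()
# OID labels as Network Monitor shows them in the frame details (this table is mine).
OID_NAMES = {"1.3.6.1.5.5.2": "SpnegoToken", "1.2.840.48018.1.2.2": "MsKerberosToken",
             "1.2.840.113554.1.2.2": "KerberosToken", "1.3.6.1.4.1.311.2.2.10": "NLMP"}
AP_OPT_MUTUAL_REQUIRED = 0x20000000  # APOptions bit 2, MSB-first (RFC 4120)

def tlv(buf, pos):
    """DER tag + length at pos -> (tag, value_start, value_end); value_end may exceed len(buf)."""
    if pos + 2 > len(buf):
        raise ValueError(f"token ends before a TLV header at offset {pos}")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def enter(buf, pos, tag):
    """Check a constructed TLV's tag and return the offset of its first child."""
    t, start, _ = tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}, found 0x{t:02X}")
    return start

def primitive(buf, pos, tag):
    """Read a primitive TLV -> (value, next_pos, truncated)."""
    t, start, end = tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}, found 0x{t:02X}")
    return buf[start:end], end, end > len(buf)

def decode_oid(raw):
    # Dotted OID from DER content bytes, mapped to its Network Monitor label when known.
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def parse_negotiate(header):
    """Walk a Proxy-Authorization: Negotiate value down to the Kerberos ticket, stopping
    cleanly (and flagging it) when the token is truncated."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    b64 = b64.strip()
    buf = base64.b64decode(b64[: len(b64) - len(b64) % 4])   # drop a dangling partial group
    info = {"truncated": len(b64) % 4 != 0}
    pos = enter(buf, 0, 0x60)                                 # InitialContextToken [APPLICATION 0]
    _, pos, _ = primitive(buf, pos, 0x06)                     # ThisMech: SpnegoToken OID
    pos = enter(buf, enter(buf, pos, 0xA0), 0x30)             # NegTokenInit
    _, pos, end = tlv(buf, enter(buf, pos, 0xA0))             # [0] MechTypes: SEQUENCE OF OID
    info["mech_types"] = []
    while pos < end:
        raw, pos, _ = primitive(buf, pos, 0x06)
        info["mech_types"].append(decode_oid(raw))
    pos = enter(buf, enter(buf, pos, 0xA2), 0x04)             # [2] MechToken OCTET STRING
    if buf[pos:pos + 8] == b"NTLMSSP\x00":                    # NTLM fallback: no ticket to read
        info["mech_token"] = "NLMP"
        return info
    pos = enter(buf, pos, 0x60)                               # KerberosInitToken
    raw, pos, _ = primitive(buf, pos, 0x06)
    info["mech_token"] = decode_oid(raw)                      # KerberosToken
    pos = enter(buf, enter(buf, pos + 2, 0x6E), 0x30)         # skip TokId 0x0100; AP-REQ [APPLICATION 14]
    _, pos, _ = primitive(buf, enter(buf, pos, 0xA0), 0x02)   # PvNo 5
    raw, pos, _ = primitive(buf, enter(buf, pos, 0xA1), 0x02)
    info["msg_type"] = raw[0]                                 # 14 = KRB_AP_REQ
    raw, pos, _ = primitive(buf, enter(buf, pos, 0xA2), 0x03)  # ApOptions BIT STRING
    info["ap_options"] = int.from_bytes(raw[1:], "big")       # raw[0] is the unused-bits count
    info["mutual_required"] = bool(info["ap_options"] & AP_OPT_MUTUAL_REQUIRED)
    pos = enter(buf, enter(buf, enter(buf, pos, 0xA3), 0x61), 0x30)  # [3] Ticket [APPLICATION 1]
    _, pos, _ = primitive(buf, enter(buf, pos, 0xA0), 0x02)   # TktVno 5
    raw, pos, _ = primitive(buf, enter(buf, pos, 0xA1), 0x1B)  # Realm (GeneralString)
    info["realm"] = raw.decode("ascii")
    pos = enter(buf, enter(buf, pos, 0xA2), 0x30)             # Sname: PrincipalName
    raw, pos, _ = primitive(buf, enter(buf, pos, 0xA0), 0x02)
    info["name_type"] = raw[0]                                # 2 = NT-SRV-INST
    _, pos, end = tlv(buf, enter(buf, pos, 0xA1))             # SEQUENCE OF KerberosString
    names, cut = [], False
    while pos < min(end, len(buf)) and not cut:
        raw, pos, cut = primitive(buf, pos, 0x1B)
        names.append(raw.decode("ascii"))
    if cut or pos < end:                                      # capture ended inside the name list
        info["truncated"] = True
    info["sname"] = "/".join(names)
    return info

if __name__ == "__main__": print(parse_negotiate(PROXY_AUTHORIZATION))
```

Run stand-alone it prints the decoded fields for the frame 13 token: the `mech_types` order is the client's preference (MsKerberosToken first, NLMP last, exactly as the frame details show), `mutual_required` reflects the ApOptions bit set in the trace, and `truncated` is True because the post's token is cut off (the Sname comes back as HTTP/isa-new.cor rather than HTTP/isa-new.corpa.local). Fed a header whose MechToken starts with NTLMSSP, it returns `mech_token: NLMP` with no realm or Sname, which is the silent fallback to look for in proxy logs: a client that cannot obtain a ticket for HTTP/<proxy FQDN> (for example because that SPN is not registered) still sends a Negotiate header, but it carries NTLM, and the two-packet exchange shown on this page turns into the longer NTLM exchange.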

Acknowledgement of frame 13, and then status 200 OK in frame 29, which means the user has been authenticated and we got a 200 OK from the server (frames 15 to 28 are not shown here).

14 03:46:26.7426910 21841.3736910 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283668654, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

29 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: https://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}

***********************************************************************************

Data and corresponding acknowledgements

30 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283670114 - 283671574, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

31 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283671574 - 283673034, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

After that, the data is received by the client, as shown below: the payload is sent on by the ISA server after it receives it from the web server.

32 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283673034, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

33 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283673034 - 283674494, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

34 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=813, Seq=283674494 - 283675307, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

35 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283675307, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

36 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: https://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}

37 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283676767 - 283678227, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

38 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283678227 - 283679687, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

39 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283679687 - 283681147, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

40 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283681147 - 283682607, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

41 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=660, Seq=283682607 - 283683267, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

42 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283683267, Win=64875 (scale factor 0x0) = 64875 {TCP:2, IPv4:1}

43 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: https://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}

44 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #43]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=688, Seq=283684727 - 283685415, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

45 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283685415, Win=62727 (scale factor 0x0) = 62727 {TCP:2, IPv4:1}

46 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP:[Dup Ack #45] [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283685415, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

47 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: https://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}

48 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283686875 - 283688335, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

49 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283688335 - 283689795, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

50 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283689795 - 283691255, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

51 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283691255, Win=64075 (scale factor 0x0) = 64075 {TCP:2, IPv4:1}

52 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=204, Seq=283691255 - 283691459, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

53 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283691459, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

54 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: https://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}

55 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #54]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283692919 - 283694379, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

56 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #54]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=408, Seq=283694379 - 283694787, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

57 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283694787, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}

*************************************************************************************

Completion of the data flow; the data is then used by iexplore.exe to render in the IE window (data reception and rendering proceed simultaneously).