Web Proxy client's web access using NTLM authentication

This post continues my previous post of network trace samples and the discussion of the benefits of using NTLM vs. Kerberos (one more, much shorter, concluding post follows this one, with no network trace analysis in it).

80 10:44:15.4937520 17.6177520 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=......S., SrcPort =53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345585, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:23, IPv4:22}

81 10:44:15.4948310 17.6188310 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098244, Ack=2778345586, Win=16384 ( Negotiated scale factor 0x0 ) = 16384 {TCP:23, IPv4:22}

82 10:44:15.4948620 17.6188620 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345586, Ack=2526098245, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}

The client sends a GET request after the TCP handshake.

83 10:44:15.4962980 17.6202980 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET https://bing.com/ {HTTP:24, TCP:23, IPv4:22}

ISA acknowledges it.

84 10:44:15.7216400 17.8456400 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098245, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

In frame 166 ISA responds with 407, Proxy authentication required.

166 10:44:26.6943050 28.8183050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:24, TCP:23, IPv4:22}

Details: ISA lists the authentication methods it supports in the Proxy-Authenticate headers, as shown below.

*************************************************************************************

  Frame: Number = 166, Captured Frame Length = 1514, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]

+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14356, Total IP Length = 1500

+ Tcp: Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526098245 - 2526099705, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127

- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ Using Multiple Authetication Methods, see frame details

    ProtocolVersion: HTTP/1.1

    StatusCode: 407, Proxy authentication required

    Reason: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

    Via: 1.1 ISA01

  + ProxyAuthenticate: Negotiate

  + ProxyAuthenticate: Kerberos

  + ProxyAuthenticate: NTLM

    Connection: Keep-Alive

    ProxyConnection: Keep-Alive

    Pragma: no-cache

    Cache-Control: no-cache

  + ContentType: text/html

    ContentLength: 4113

    HeaderEnd: CRLF

  + payload: HttpContentType = text/html

*******************************************************************************

The client then acknowledges it, as shown below.

167 10:44:26.6943910 28.8183910 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526099705 - 2526101165, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

168 10:44:26.6944040 28.8184040 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526101165, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}

169 10:44:26.6950010 28.8190010 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526101165 - 2526102625, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

170 10:44:26.6951610 28.8191610 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=137, Seq=2526102625 - 2526102762, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

171 10:44:26.6951710 28.8191710 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}

In frame 172 below we see the client replying to ISA's authentication-required message.

172 10:44:26.6975050 28.8215050 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET https://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}

Details of this frame: the client informs ISA that it will use NTLMSSP for authentication, as shown below (Signature: NTLMSSP).

************************************************************************************

Frame: Number = 172, Captured Frame Length = 551, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]

+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15976, Total IP Length = 537

+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=497, Seq=2778345994 - 2778346491, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400

- Http: Request, GET https://bing.com/ , Using GSS-API Authorization

    Command: GET

  + URI: https://bing.com/

    ProtocolVersion: HTTP/1.1

    Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*

    Accept-Language: en-US

    UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

    Accept-Encoding: gzip, deflate

    ProxyConnection: Keep-Alive

    Host: bing.com

  - ProxyAuthorization: Negotiate

   - Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==

      WhiteSpace:

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - NLMP: NTLM NEGOTIATE MESSAGE

         Signature: NTLMSSP

         MessageType: Negotiate Message (0x00000001)

       + NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)

       + DomainNameFields: Length: 0, Offset: 0

       + WorkstationFields: Length: 0, Offset: 0

       + Version: Windows 6.1 Build 7600 NLMPv15

    HeaderEnd: CRLF

*************************************************************************************

Then ISA acknowledges the above frame.

173 10:44:26.8779750 29.0019750 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526102762, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630 {TCP:23, IPv4:22}

Then ISA responds in frame 234 with the NTLM challenge.

234 10:44:37.5729020 39.6969020 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ , Using GSS-API Authentication {HTTP:24, TCP:23, IPv4:22}

Details of frame 234: here the ISA server sends the NTLM server challenge, as shown below.

 ServerChallenge: A5206ACE7D62388F

*************************************************************************************

  Frame: Number = 234, Captured Frame Length = 609, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]

+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14445, Total IP Length = 595

+ Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=555, Seq=2526102762 - 2526103317, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630

- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ , Using GSS-API Authentication

    ProtocolVersion: HTTP/1.1

    StatusCode: 407, Proxy authentication required

    Reason: Proxy Authentication Required ( Access is denied. )

    Via: 1.1 ISA01

  - ProxyAuthenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAG

   - Authenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAGwAbw

      WhiteSpace:

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - Token: NTLM CHALLENGE MESSAGE

       - NLMP: NTLM CHALLENGE MESSAGE

          Signature: NTLMSSP

          MessageType: Challenge Message (0x00000002)

        + TargetNameFields: Length: 16, Offset: 56

        + NegotiateFlags: 0xE2898215 (NTLM v2128-bit encryption, Always Sign)

        + ServerChallenge: A5206ACE7D62388F

          Reserved: Binary Large Object (8 Bytes)

        + TargetInfoFields: Length: 146, Offset: 72

        + Version: Windows 5.2 Build 3790 NLMPv15

          TargetNameString: MYLABISA

        + AvPairs: 6 pairs

    Connection: Keep-Alive

    ProxyConnection: Keep-Alive

    Pragma: no-cache

    Cache-Control: no-cache

  + ContentType: text/html

    ContentLength: 0

    HeaderEnd: CRLF

*********************************************************************************

Then the client sends the NTLM response in frame 235, as shown below.

235 10:44:37.5739850 39.6979850 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET https://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}

Details of frame 235

As we can see below in the details section, the client sends the NTLMv2 challenge response (NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368), which contains the client's response, i.e. Response: FBAC64C09A9A4407529C9C76A8AE4368, and the client's challenge, i.e. ClientChallenge: B1F8E672B107C76F, together with the following:

          DomainNameString: MYLABISA

          UserNameString: Administrator

          WorkstationString: 2K8APPSVR

*********************************************************************************

   Frame: Number = 235, Captured Frame Length = 1151, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]

+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15977, Total IP Length = 1137

+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=1097, Seq=2778346491 - 2778347588, Ack=2526103317, Win=32711 (scale factor 0x2) = 130844

- Http: Request, GET https://bing.com/ , Using GSS-API Authorization

    Command: GET

  + URI: https://bing.com/

    ProtocolVersion: HTTP/1.1

    Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*

    Accept-Language: en-US

    UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

    Accept-Encoding: gzip, deflate

    ProxyConnection: Keep-Alive

  - ProxyAuthorization: Negotiate

   - Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJQAAAAuAS4BrAAAABAAEABYAAAAGgAaAGgAAAASABIAggAAABAAEADaAQAAFYKI4gYBsB0AAAAPrn/HFsKAwKDGvdmxyjAUVU0AWQBMAEEAQgBJAFMAQQBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByADIASwA4AEEAUABQAFMAVgBSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPusZ

      WhiteSpace:

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - Token: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR

       - NLMP: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR

          Signature: NTLMSSP

          MessageType: Authenticate Message (0x00000003)

        + LmChallengeResponseFields: Length: 24, Offset: 148

        + NtChallengeResponseFields: Length: 302, Offset: 172

        + DomainNameFields: Length: 16, Offset: 88

        + UserNameFields: Length: 26, Offset: 104

        + WorkstationFields: Length: 18, Offset: 130

        + EncryptedRandomSessionKeyFields: Length: 16, Offset: 474

        + NegotiateFlags: 0xE2888215 (NTLM v2128-bit encryption, Always Sign)

        + Version: Windows 6.1 Build 7600 NLMPv15

      + MessageIntegrityCheckNotPresent: AE7FC716C280C0A0C6BDD9B1CA301455

          DomainNameString: MYLABISA

          UserNameString: Administrator

          WorkstationString: 2K8APPSVR

        - LmChallengeResponseStruct: 000000000000000000000000000000000000000000000000

         + Response: 00000000000000000000000000000000

         + ChallengeFromClient: 0000000000000000

        - NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368

         + Response: FBAC64C09A9A4407529C9C76A8AE4368

           ResponseVersion: 1 (0x1)

           HiResponseVersion: 1 (0x1)

         + Z1:

           Time: 12/27/2010, 18:44:33.868391 UTC

         + ClientChallenge: B1F8E672B107C76F

         + Z2:

         + AvPairs: 9 pairs

           Padding: Binary Large Object (4 Bytes)

        + SessionKeyString: D14BA57C0370405FF6710C424D53B457

    Host: bing.com

    HeaderEnd: CRLF

*************************************************************************************
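To read the three NTLMSSP tokens shown in the frame details above without Network Monitor, here is an added example parser (not part of the original post, nor a Microsoft tool). It decodes the Negotiate token from frame 172, the Challenge token from frame 234 and the Authenticate token from frame 235 exactly as they appear on this page; the last two are cut off in the capture, so the parser drops the incomplete trailing base64 group and reports which fields and AV pairs it could not read in full.

```python
import base64
import struct

# Tokens copied from the frame details on this page (frame 172 complete; frames 234 and 235 truncated).
NEGOTIATE_B64 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
CHALLENGE_B64 = "TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAGwAbw"
AUTHENTICATE_B64 = "TlRMTVNTUAADAAAAGAAYAJQAAAAuAS4BrAAAABAAEABYAAAAGgAaAGgAAAASABIAggAAABAAEADaAQAAFYKI4gYBsB0AAAAPrn/HFsKAwKDGvdmxyjAUVU0AWQBMAEEAQgBJAFMAQQBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByADIASwA4AEEAUABQAFMAVgBSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPusZ"

# Subset of MS-NLMP NegotiateFlags bits that matter for reading these three messages.
FLAG_NAMES = {0x1: "UNICODE", 0x4: "REQUEST_TARGET", 0x10: "SIGN", 0x200: "NTLM", 0x8000: "ALWAYS_SIGN",
              0x10000: "TARGET_TYPE_DOMAIN", 0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO",
              0x2000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56"}
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName"}

def field(raw, off):  # resolve a Len/MaxLen/Offset field; bytes beyond the capture yield b""
    length, _, start = struct.unpack_from("<HHI", raw, off)
    return raw[start:start + length]

def av_pairs(raw, off, length):
    """Walk AV_PAIR entries until MsvAvEOL (id 0) or until the captured bytes run out."""
    pairs, end = [], min(off + length, len(raw))
    while off + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", raw, off)
        if av_id == 0: break
        value = raw[off + 4:off + 4 + av_len]  # shorter than av_len when the capture is truncated
        pairs.append((AV_NAMES.get(av_id, str(av_id)), value.decode("utf-16-le", "ignore"), len(value) == av_len))
        off += 4 + av_len
    return pairs

def parse_ntlm_token(b64):
    """Decode one NTLMSSP token as carried in Proxy-Authorization / Proxy-Authenticate."""
    raw = base64.b64decode(b64[:len(b64) // 4 * 4])  # drop a cut-off trailing base64 group
    assert raw[:8] == b"NTLMSSP\0", "not an NTLMSSP token"
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    flags_off, ver_off = {1: (12, 32), 2: (20, 48), 3: (60, 64)}[msg_type]
    flags = struct.unpack_from("<I", raw, flags_off)[0]
    info = {"type": msg_type, "flags": flags, "truncated": False,
            "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
            "version": struct.unpack_from("<BBHxxxB", raw, ver_off)}  # major, minor, build, revision
    if msg_type == 2:  # CHALLENGE: server nonce, target name and AV_PAIR target info
        info["server_challenge"] = raw[24:32].hex().upper()
        info["target_name"] = field(raw, 12).decode("utf-16-le")
        ti_len, _, ti_off = struct.unpack_from("<HHI", raw, 40)
        info["truncated"] = len(raw) < ti_off + ti_len
        info["av_pairs"] = av_pairs(raw, ti_off, ti_len)
    elif msg_type == 3:  # AUTHENTICATE: who is logging on; the NTLMv2 response follows the strings
        info["domain"], info["user"], info["workstation"] = (field(raw, o).decode("utf-16-le") for o in (28, 36, 44))
        nt_len, _, nt_off = struct.unpack_from("<HHI", raw, 20)
        info["truncated"] = len(raw) < nt_off + nt_len
    return info
```

The decoded values match what Network Monitor shows in the frame details: flags 0xE2088297 / 0xE2898215 / 0xE2888215, ServerChallenge A5206ACE7D62388F, target MYLABISA and the MYLABISA\Administrator logon from 2K8APPSVR.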

After receiving the client's NTLMv2 challenge response shown above, ISA forwards it to the domain controller, which uses this challenge response and the user's domain information to authenticate the user. Refer to https://msdn.microsoft.com/en-us/library/aa378749(v=vs.85).aspx

This is the point we will discuss further in my next post, about the web access performance difference between Kerberos and NTLM.

The following is the acknowledgement sent by ISA for the above challenge response sent by the client.

236 10:44:37.7116510 39.8356510 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526103317, Ack=2778347588, Win=65535 (scale factor 0x0) = 65535 {TCP:23, IPv4:22}

Then, after the user is authenticated and permitted access, we see HTTP/1.1, Status: Ok coming from the ISA server.

609 10:45:01.7702050 63.8942050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: https://www.bing.com/ {HTTP:24, TCP:23, IPv4:22}

***************************************************************************************************************************************

After that, data is sent by the web server via the ISA server to the client machine, as explained and shown in my previous post about web access by a Web Proxy client using Kerberos authentication.