Web Proxy client's web access using NTLM authentication


Web Proxy web access using NTLM authentication

Continuation of my previous post of network samples and discussion of benefits of using NTLM vs Kerberos(one more concluding post after this one much shorter J  no network trace analysis in it)

 

80           10:44:15.4937520              17.6177520          iexplore.exe      192.168.0.104     ISA01     TCP        TCP:Flags=......S., SrcPort =53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345585, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192       {TCP:23, IPv4:22}

81           10:44:15.4948310              17.6188310          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098244, Ack=2778345586, Win=16384 ( Negotiated scale factor 0x0 ) = 16384              {TCP:23, IPv4:22}

82           10:44:15.4948620              17.6188620          iexplore.exe      192.168.0.104     ISA01     TCP        TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345586, Ack=2526098245, Win=32850 (scale factor 0x2) = 131400     {TCP:23, IPv4:22}

Client sends get request after TCP handshake

83           10:44:15.4962980              17.6202980          iexplore.exe      192.168.0.104     ISA01     HTTP      HTTP:Request, GET http://bing.com/             {HTTP:24, TCP:23, IPv4:22}

ISA acknowledges it

84           10:44:15.7216400              17.8456400          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098245, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127       {TCP:23, IPv4:22}

In Frame 166 ISA sends ISA responds with 407, Proxy authentication required

166         10:44:26.6943050              28.8183050          iexplore.exe      ISA01     192.168.0.104     HTTP      HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ Using Multiple Authetication Methods, see frame details                {HTTP:24, TCP:23, IPv4:22}

Details(  ISA sends authentication methods it supports in proxyauthenticate header as shown below).

*************************************************************************************

  Frame: Number = 166, Captured Frame Length = 1514, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]

+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14356, Total IP Length = 1500

+ Tcp: Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526098245 - 2526099705, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127

- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ Using Multiple Authetication Methods, see frame details

    ProtocolVersion: HTTP/1.1

    StatusCode: 407, Proxy authentication required

    Reason: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )

    Via:  1.1 ISA01

  + ProxyAuthenticate: Negotiate

  + ProxyAuthenticate: Kerberos

  + ProxyAuthenticate: NTLM

    Connection:  Keep-Alive

    ProxyConnection:  Keep-Alive

    Pragma:  no-cache

    Cache-Control:  no-cache

  + ContentType:  text/html

    ContentLength:  4113 

    HeaderEnd: CRLF

  + payload: HttpContentType =  text/html

*******************************************************************************

Then acknowledgement for it is sent by client as below.

167         10:44:26.6943910              28.8183910          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526099705 - 2526101165, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127  {TCP:23, IPv4:22}

167         10:44:26.6943910              28.8183910          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526099705 - 2526101165, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127  {TCP:23, IPv4:22}

 

168         10:44:26.6944040              28.8184040          iexplore.exe      192.168.0.104     ISA01     TCP        TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526101165, Win=32850 (scale factor 0x2) = 131400     {TCP:23, IPv4:22}

169         10:44:26.6950010              28.8190010          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526101165 - 2526102625, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127  {TCP:23, IPv4:22}

170         10:44:26.6951610              28.8191610          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:[Continuation to #166]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=137, Seq=2526102625 - 2526102762, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127  {TCP:23, IPv4:22}

171         10:44:26.6951710              28.8191710          iexplore.exe      192.168.0.104     ISA01     TCP        TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400     {TCP:23, IPv4:22}

In frame 172 below we see client replying to ISA’s authentication required message

172         10:44:26.6975050              28.8215050          iexplore.exe      192.168.0.104     ISA01     HTTP      HTTP:Request, GET http://bing.com/ , Using GSS-API Authorization                {HTTP:24, TCP:23, IPv4:22}

Details of this Frame : Client informs ISA that it will use NTLMSSP for authentication as shown below         Signature: NTLMSSP

 

************************************************************************************

  Frame: Number = 172, Captured Frame Length = 551, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]

+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15976, Total IP Length = 537

+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=497, Seq=2778345994 - 2778346491, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400

- Http: Request, GET http://bing.com/ , Using GSS-API Authorization

    Command: GET

  + URI: http://bing.com/

    ProtocolVersion: HTTP/1.1

    Accept:  image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*

    Accept-Language:  en-US

    UserAgent:  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

    Accept-Encoding:  gzip, deflate

    ProxyConnection:  Keep-Alive

    Host:  bing.com

  - ProxyAuthorization: Negotiate

   - Authorization:  Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==

      WhiteSpace: 

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - NLMP: NTLM NEGOTIATE MESSAGE

         Signature: NTLMSSP

         MessageType: Negotiate Message (0x00000001)

       + NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)

       + DomainNameFields: Length: 0, Offset: 0

       + WorkstationFields: Length: 0, Offset: 0

       + Version: Windows 6.1 Build 7600 NLMPv15

    HeaderEnd: CRLF

*************************************************************************************

Then acknowledgement from ISA for above Frame

173         10:44:26.8779750              29.0019750          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526102762, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630       {TCP:23, IPv4:22}

Then ISA responds in frame 234 with NTLM Challenge

234         10:44:37.5729020              39.6969020          iexplore.exe      ISA01     192.168.0.104     HTTP     HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ , Using GSS-API Authentication   {HTTP:24, TCP:23, IPv4:22}

Details of Frame 234: here ISA server sends NTLM server challenge as shown below

 ServerChallenge: A5206ACE7D62388F

*************************************************************************************

  Frame: Number = 234, Captured Frame Length = 609, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]

+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14445, Total IP Length = 595

+ Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=555, Seq=2526102762 - 2526103317, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630

- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ , Using GSS-API Authentication

    ProtocolVersion: HTTP/1.1

    StatusCode: 407, Proxy authentication required

    Reason: Proxy Authentication Required ( Access is denied.  )

    Via:  1.1 ISA01

  - ProxyAuthenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAG

   - Authenticate:  Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAGwAbw

      WhiteSpace: 

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - Token: NTLM CHALLENGE MESSAGE

       - NLMP: NTLM CHALLENGE MESSAGE

          Signature: NTLMSSP

          MessageType: Challenge Message (0x00000002)

        + TargetNameFields: Length: 16, Offset: 56

        + NegotiateFlags: 0xE2898215 (NTLM v2128-bit encryption, Always Sign)

        + ServerChallenge: A5206ACE7D62388F

          Reserved: Binary Large Object (8 Bytes)

        + TargetInfoFields: Length: 146, Offset: 72

        + Version: Windows 5.2 Build 3790 NLMPv15

          TargetNameString: MYLABISA

        + AvPairs: 6 pairs

    Connection:  Keep-Alive

    ProxyConnection:  Keep-Alive

    Pragma:  no-cache

    Cache-Control:  no-cache

  + ContentType:  text/html

    ContentLength:  0    

    HeaderEnd: CRLF

*********************************************************************************

Then Client sends the NTLM response in frame 235 as shown below

235         10:44:37.5739850              39.6979850          iexplore.exe      192.168.0.104     ISA01     HTTP     HTTP:Request, GET http://bing.com/ , Using GSS-API Authorization               {HTTP:24, TCP:23, IPv4:22}

Details of Frame 235

As we can see below in details section  Client sends NTLMV2 challenge response NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368

Which contains client’s response i.e. Response: FBAC64C09A9A4407529C9C76A8AE4368

And client’s challenge i.e. ClientChallenge: B1F8E672B107C76F

And following

     DomainNameString: MYLABISA

          UserNameString: Administrator

          WorkstationString: 2K8APPSVR

 

*********************************************************************************

   Frame: Number = 235, Captured Frame Length = 1151, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]

+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15977, Total IP Length = 1137

+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=1097, Seq=2778346491 - 2778347588, Ack=2526103317, Win=32711 (scale factor 0x2) = 130844

- Http: Request, GET http://bing.com/ , Using GSS-API Authorization

    Command: GET

  + URI: http://bing.com/

    ProtocolVersion: HTTP/1.1

    Accept:  image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*

    Accept-Language:  en-US

    UserAgent:  Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

    Accept-Encoding:  gzip, deflate

    ProxyConnection:  Keep-Alive

  - ProxyAuthorization: Negotiate

   - Authorization:  Negotiate TlRMTVNTUAADAAAAGAAYAJQAAAAuAS4BrAAAABAAEABYAAAAGgAaAGgAAAASABIAggAAABAAEADaAQAAFYKI4gYBsB0AAAAPrn/HFsKAwKDGvdmxyjAUVU0AWQBMAEEAQgBJAFMAQQBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByADIASwA4AEEAUABQAFMAVgBSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPusZ

      WhiteSpace: 

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - Token: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR

       - NLMP: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR

          Signature: NTLMSSP

          MessageType: Authenticate Message (0x00000003)

        + LmChallengeResponseFields: Length: 24, Offset: 148

        + NtChallengeResponseFields: Length: 302, Offset: 172

        + DomainNameFields: Length: 16, Offset: 88

        + UserNameFields: Length: 26, Offset: 104

        + WorkstationFields: Length: 18, Offset: 130

        + EncryptedRandomSessionKeyFields: Length: 16, Offset: 474

        + NegotiateFlags: 0xE2888215 (NTLM v2128-bit encryption, Always Sign)

        + Version: Windows 6.1 Build 7600 NLMPv15

        + MessageIntegrityCheckNotPresent: AE7FC716C280C0A0C6BDD9B1CA301455

          DomainNameString: MYLABISA

          UserNameString: Administrator

          WorkstationString: 2K8APPSVR

        - LmChallengeResponseStruct: 000000000000000000000000000000000000000000000000

         + Response: 00000000000000000000000000000000

         + ChallengeFromClient: 0000000000000000

        - NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368

         + Response: FBAC64C09A9A4407529C9C76A8AE4368

           ResponseVersion: 1 (0x1)

           HiResponseVersion: 1 (0x1)

         + Z1:

           Time: 12/27/2010, 18:44:33.868391 UTC

         + ClientChallenge: B1F8E672B107C76F

         + Z2:

         + AvPairs: 9 pairs

           Padding: Binary Large Object (4 Bytes)

        + SessionKeyString: D14BA57C0370405FF6710C424D53B457

    Host:  bing.com

    HeaderEnd: CRLF

*************************************************************************************

ISA after receiving clients NTLMv2 challenge response as shown above forwards it to Domain controller to authenticate uses this challenge response and user’s domain info to authenticate the user. Refer http://msdn.microsoft.com/en-us/library/aa378749(v=vs.85).aspx

And this is the point which we will discuss more in my next post about web access performance difference using Kerberos vs NTLM

Following is acknowledgement sent by ISA for above challenge response sent by client.

236         10:44:37.7116510              39.8356510          iexplore.exe      ISA01     192.168.0.104     TCP        TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526103317, Ack=2778347588, Win=65535 (scale factor 0x0) = 65535       {TCP:23, IPv4:22}

Then after the user is authenticated and permitted access we see  HTTP/1.1, Status: Ok

Coming from the ISA server.

609         10:45:01.7702050              63.8942050          iexplore.exe      ISA01     192.168.0.104     HTTP      HTTP:Response, HTTP/1.1, Status: Ok, URL: http://www.bing.com/ 

               {HTTP:24, TCP:23, IPv4:22}

***************************************************************************************************************************************

After that data is sent by the web server via ISA server to client machine as explained and shown in in my previous post about web access by web proxy client using Kerberos authentication.

 


Comments (2)

  1. nickty says:

    Good proxy

  2. Mr. Anonymous :) says:

    Very nice.

    Is there some way to use NLTM authentication on a glype site such as the one at http://proxime.tk/ or zelune like the one at http://proxy.darksunlight.com via PHP?

Skip to main content