Web Proxy client's web access using NTLM authentication

Web Proxy web access using NTLM authentication

Continuation of my previous post of network samples and discussion of benefits of using NTLM vs Kerberos(one more concluding post after this one much shorter J no network trace analysis in it)

80 10:44:15.4937520 17.6177520 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=......S., SrcPort =53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345585, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:23, IPv4:22}

81 10:44:15.4948310 17.6188310 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098244, Ack=2778345586, Win=16384 ( Negotiated scale factor 0x0 ) = 16384 {TCP:23, IPv4:22}

82 10:44:15.4948620 17.6188620 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345586, Ack=2526098245, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}

Client sends get request after TCP handshake

83 10:44:15.4962980 17.6202980 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET https://bing.com/ {HTTP:24, TCP:23, IPv4:22}

ISA acknowledges it

84 10:44:15.7216400 17.8456400 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098245, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

In Frame 166 ISA sends ISA responds with 407, Proxy authentication required

166 10:44:26.6943050 28.8183050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:24, TCP:23, IPv4:22}

Details( ISA sends authentication methods it supports in proxyauthenticate header as shown below).

*************************************************************************************

  Frame: Number = 166, Captured Frame Length = 1514, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]

+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14356, Total IP Length = 1500

+ Tcp: Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526098245 - 2526099705, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127

- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ Using Multiple Authetication Methods, see frame details

    ProtocolVersion: HTTP/1.1

    StatusCode: 407, Proxy authentication required

    Reason: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )

    Via: 1.1 ISA01

  + ProxyAuthenticate: Negotiate

  + ProxyAuthenticate: Kerberos

  + ProxyAuthenticate: NTLM

    Connection: Keep-Alive

    ProxyConnection: Keep-Alive

    Pragma: no-cache

    Cache-Control: no-cache

  + ContentType: text/html

    ContentLength: 4113

    HeaderEnd: CRLF

  + payload: HttpContentType = text/html

*******************************************************************************

Then acknowledgement for it is sent by client as below.

167 10:44:26.6943910 28.8183910 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526099705 - 2526101165, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

167 10:44:26.6943910 28.8183910 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526099705 - 2526101165, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

168 10:44:26.6944040 28.8184040 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526101165, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}

169 10:44:26.6950010 28.8190010 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526101165 - 2526102625, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

170 10:44:26.6951610 28.8191610 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=137, Seq=2526102625 - 2526102762, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}

171 10:44:26.6951710 28.8191710 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}

In frame 172 below we see client replying to ISA’s authentication required message

172 10:44:26.6975050 28.8215050 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET https://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}

Details of this Frame : Client informs ISA that it will use NTLMSSP for authentication as shown below Signature: NTLMSSP

************************************************************************************

Frame: Number = 172, Captured Frame Length = 551, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]

+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15976, Total IP Length = 537

+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=497, Seq=2778345994 - 2778346491, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400

- Http: Request, GET https://bing.com/ , Using GSS-API Authorization

    Command: GET

  + URI: https://bing.com/

    ProtocolVersion: HTTP/1.1

    Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*

    Accept-Language: en-US

    UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

    Accept-Encoding: gzip, deflate

    ProxyConnection: Keep-Alive

    Host: bing.com

  - ProxyAuthorization: Negotiate

   - Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==

      WhiteSpace:

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - NLMP: NTLM NEGOTIATE MESSAGE

         Signature: NTLMSSP

         MessageType: Negotiate Message (0x00000001)

       + NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)

       + DomainNameFields: Length: 0, Offset: 0

       + WorkstationFields: Length: 0, Offset: 0

       + Version: Windows 6.1 Build 7600 NLMPv15

    HeaderEnd: CRLF

*************************************************************************************

Then acknowledgement from ISA for above Frame

173 10:44:26.8779750 29.0019750 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526102762, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630 {TCP:23, IPv4:22}

Then ISA responds in frame 234 with NTLM Challenge

234 10:44:37.5729020 39.6969020 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ , Using GSS-API Authentication {HTTP:24, TCP:23, IPv4:22}

Details of Frame 234: here ISA server sends NTLM server challenge as shown below

 ServerChallenge: A5206ACE7D62388F

*************************************************************************************

  Frame: Number = 234, Captured Frame Length = 609, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]

+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14445, Total IP Length = 595

+ Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=555, Seq=2526102762 - 2526103317, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630

- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: https://bing.com/ , Using GSS-API Authentication

    ProtocolVersion: HTTP/1.1

    StatusCode: 407, Proxy authentication required

    Reason: Proxy Authentication Required ( Access is denied. )

    Via: 1.1 ISA01

  - ProxyAuthenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAG

   - Authenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAGwAbw

      WhiteSpace:

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - Token: NTLM CHALLENGE MESSAGE

       - NLMP: NTLM CHALLENGE MESSAGE

          Signature: NTLMSSP

          MessageType: Challenge Message (0x00000002)

        + TargetNameFields: Length: 16, Offset: 56

        + NegotiateFlags: 0xE2898215 (NTLM v2128-bit encryption, Always Sign)

        + ServerChallenge: A5206ACE7D62388F

          Reserved: Binary Large Object (8 Bytes)

        + TargetInfoFields: Length: 146, Offset: 72

        + Version: Windows 5.2 Build 3790 NLMPv15

          TargetNameString: MYLABISA

        + AvPairs: 6 pairs

    Connection: Keep-Alive

    ProxyConnection: Keep-Alive

    Pragma: no-cache

    Cache-Control: no-cache

  + ContentType: text/html

    ContentLength: 0

    HeaderEnd: CRLF

*********************************************************************************

Then Client sends the NTLM response in frame 235 as shown below

235 10:44:37.5739850 39.6979850 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET https://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}

Details of Frame 235

As we can see below in details section Client sends NTLMV2 challenge response NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368

Which contains client’s response i.e. Response: FBAC64C09A9A4407529C9C76A8AE4368

And client’s challenge i.e. ClientChallenge: B1F8E672B107C76F

And following

     DomainNameString: MYLABISA

          UserNameString: Administrator

          WorkstationString: 2K8APPSVR

*********************************************************************************

   Frame: Number = 235, Captured Frame Length = 1151, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]

+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15977, Total IP Length = 1137

+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=1097, Seq=2778346491 - 2778347588, Ack=2526103317, Win=32711 (scale factor 0x2) = 130844

- Http: Request, GET https://bing.com/ , Using GSS-API Authorization

    Command: GET

  + URI: https://bing.com/

    ProtocolVersion: HTTP/1.1

    Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*

    Accept-Language: en-US

    UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)

    Accept-Encoding: gzip, deflate

    ProxyConnection: Keep-Alive

  - ProxyAuthorization: Negotiate

   - Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJQAAAAuAS4BrAAAABAAEABYAAAAGgAaAGgAAAASABIAggAAABAAEADaAQAAFYKI4gYBsB0AAAAPrn/HFsKAwKDGvdmxyjAUVU0AWQBMAEEAQgBJAFMAQQBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByADIASwA4AEEAUABQAFMAVgBSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPusZ

      WhiteSpace:

    - NegotiateAuthorization:

       Scheme: Negotiate

     - GssAPI: 0x1

      - Token: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR

       - NLMP: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR

          Signature: NTLMSSP

          MessageType: Authenticate Message (0x00000003)

        + LmChallengeResponseFields: Length: 24, Offset: 148

        + NtChallengeResponseFields: Length: 302, Offset: 172

        + DomainNameFields: Length: 16, Offset: 88

        + UserNameFields: Length: 26, Offset: 104

        + WorkstationFields: Length: 18, Offset: 130

        + EncryptedRandomSessionKeyFields: Length: 16, Offset: 474

        + NegotiateFlags: 0xE2888215 (NTLM v2128-bit encryption, Always Sign)

        + Version: Windows 6.1 Build 7600 NLMPv15

      + MessageIntegrityCheckNotPresent: AE7FC716C280C0A0C6BDD9B1CA301455

          DomainNameString: MYLABISA

          UserNameString: Administrator

          WorkstationString: 2K8APPSVR

        - LmChallengeResponseStruct: 000000000000000000000000000000000000000000000000

         + Response: 00000000000000000000000000000000

         + ChallengeFromClient: 0000000000000000

        - NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368

         + Response: FBAC64C09A9A4407529C9C76A8AE4368

           ResponseVersion: 1 (0x1)

           HiResponseVersion: 1 (0x1)

         + Z1:

           Time: 12/27/2010, 18:44:33.868391 UTC

         + ClientChallenge: B1F8E672B107C76F

         + Z2:

         + AvPairs: 9 pairs

           Padding: Binary Large Object (4 Bytes)

        + SessionKeyString: D14BA57C0370405FF6710C424D53B457

    Host: bing.com

    HeaderEnd: CRLF

*************************************************************************************

ISA after receiving clients NTLMv2 challenge response as shown above forwards it to Domain controller to authenticate uses this challenge response and user’s domain info to authenticate the user. Refer https://msdn.microsoft.com/en-us/library/aa378749(v=vs.85).aspx

And this is the point which we will discuss more in my next post about web access performance difference using Kerberos vs NTLM

Following is acknowledgement sent by ISA for above challenge response sent by client.

236 10:44:37.7116510 39.8356510 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526103317, Ack=2778347588, Win=65535 (scale factor 0x0) = 65535 {TCP:23, IPv4:22}

Then after the user is authenticated and permitted access we see HTTP/1.1, Status: Ok

Coming from the ISA server.

609 10:45:01.7702050 63.8942050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: https://www.bing.com/ 

               {HTTP:24, TCP:23, IPv4:22}

***************************************************************************************************************************************

After that data is sent by the web server via ISA server to client machine as explained and shown in in my previous post about web access by web proxy client using Kerberos authentication.

Comments

  • Anonymous
    May 26, 2011
    Good proxy

  • Anonymous
    December 26, 2011
    Very nice. Is there some way to use NLTM authentication on a glype site such as the one at http://proxime.tk/ or zelune like the one at http://proxy.darksunlight.com via PHP?