Search squid archive

Re: https analyze, squid rpc proxy to rpc proxy ii6 exchange2007 with ntlm

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

[please remember to start your own new thread with new topics.
I only spotted this because I was answering David]

On 3/03/2012 2:33 a.m., Clem wrote:

If I go to https://www.owasp.org/index.php/Authentication_In_IIS or
http://www.innovation.ch/personal/ronald/ntlm.html

NTLM Handshake

When a client needs to authenticate itself to a proxy or server using the
NTLM scheme then the following 4-way handshake takes place (only parts of
the request and status line and the relevant headers are shown here; "C" is
the client, "S" the server):

     1: C  -->  S   GET ...

     2: C<--  S   401 Unauthorized
                   WWW-Authenticate: NTLM

     3: C  -->  S   GET ...
                   Authorization: NTLM<base64-encoded type-1-message>

     4: C<--  S   401 Unauthorized
                   WWW-Authenticate: NTLM<base64-encoded type-2-message>

     5: C  -->  S   GET ...
                   Authorization: NTLM<base64-encoded type-3-message>

     6: C<--  S   200 Ok


I can see there us 3 auth/authorization before le 200 OK, squid seems to
send only 1 and stop


You have described well what the proper NTLM handshake sequence is.
You need to look at the Connection: keep-alive/close values and HTTP version numbers coming into Squid from the client, then going from Squid to the server, and the response flow as well coming back from server to Squid then Squid to client. 


-----Message d'origine-----
De : Clem

Hello,

What I can see :

........ USER with outlook PROXY RPC enabled with NTLM auth ->  PROXY RPC
IIS6/Exchange 2007

Outlook sends credentials, the proxy handles them and open exchange mailbox.

........ USER with outlook PROXY RPC enabled with NTLM auth ->  SQUID PROXY
->  PROXY RPC IIS6/Exchange 2007

The user sends credentials via squid, squid can't forward them exactly to
the Exchange/IIS6 RPC Proxy and the proxy denies


In the https analyzer I can see the NTLM request header is very short when
we use squid and when we don't use it this header is very long ...

Like this

NTLM
TlRMTVNTUAADAAAAGAAYAJgAAABkAWQBsAAAABoAGgBYAAAAEAAQAHIAAAAWABYAggAAAAAAAAAU
AgAABYKIogYBsR0AAAAPOq4/lcuCWEXBWP01xOfE7UUAVQBSAE8AUwBJAFQATgBFAFYARQBSAFMA
YQAuAHcAYQBxAHUAZQB0AEEALQBXAEEAUQBVAEUAVAAtAEgAUAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAA4lx3+SYlVeSBpzbj9B93OAQEAAAAAAABuLvLQdfjMAYEqGS4sEy38AAAAAAIAGgBFAFUA
UgBPAFMASQBUAE4ARQBWAEUAUgBTAAEAFgBFAFUAUgBPAFMASQBUAE0AQQBJAEwABAAgAGUAdQBy
AG8AcwBpAHQAbgBlAHYAZQByAHMALgBmAHIAAwA4AGUAdQByAG8AcwBpAHQAbQBhAGkAbAAuAGUA
dQByAG8AcwBpAHQAbgBlAHYAZQByAHMALgBmAHIABQAgAGUAdQByA[.....]


This is a NTLM type-3 message.

Step (5) in the sequence up top.



For direct connection

And whith squid :

NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==


This is a NTLM type-1 message.

Step (3) in the sequence up top.
You can paste the NTLM header blob into this tool to see the packet structure inside it. 
http://tomeko.net/online_tools/base64.php

NTLM packets start with "NTLMSSP" 0x00 <type> 0x00 0x00 0x00 ...

Amos
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux