Re: [twsocket] HttpSrv: implementing NTLM
On 08-Aug-05 19:08:36 Francois PIETTE wrote: >Another interesting link is this one: >http://codecentral.borland.com/Item.aspx?id=16213 >It contains code to validate usercode/password on a Windows domain. >It is a Delphi translation of the code in the article: >http://support.microsoft.com/default.aspx?scid=kb;EN-US;180548 I quickly looked at this article today. It is intersting but, if I read correctly, it need the password in clear form to work. If this is true it is useless for HttpSrv because with NTLM it will receive the password in an one way encoded form. Bye, Maurizio. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
Another interesting link is this one: http://codecentral.borland.com/Item.aspx?id=16213 It contains code to validate usercode/password on a Windows domain. It is a Delphi translation of the code in the article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;180548 -- [EMAIL PROTECTED] http://www.overbyte.be - Original Message - From: "Tibor Csonka" <[EMAIL PROTECTED]> To: "'ICS support mailing'" Sent: Wednesday, June 29, 2005 12:40 PM Subject: RE: [twsocket] HttpSrv: implementing NTLM > Apache itself do not support NTLM but take a look at this: > > http://modntlm.sourceforge.net/ > > it's supposed to be a module for Apache. I think they have sources also. > It > may be helpful. > > Regards > Tibor Csonka > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Maurizio Lotauro > Sent: Tuesday, June 28, 2005 4:41 AM > To: ICS support mailing > Subject: Re: [twsocket] HttpSrv: implementing NTLM > > On 23-Jun-05 07:40:28 Francois Piette wrote: > >>> As you can see the server must at least generate the Challenge when >>> speak with an ICS client, and keep it to elaborate the Message3. >>> >>> While from the client side we are "free" to set flags and fields with >>> specific values, the server should be able to hadle all possible >>> values if it must answer to a client different from ICS. > >>This client/server dialog occurs in a single TCP session handled by a > single >>TWSocket at server side. You can store anything you like n that TWSocket >>without collision with other clients. > > That's clear, but there is still the problem how to handle request > made from clients that aren't based on ICS, if they set flags and > fields with values that are different from the "fixed" one set by > THttpCli. > > In conclusion, it seems to me that implementing the NTLM in the > server will require lot of time, and at the moment I don't have so > much time. > And I don't known if it worth the effort. Maybe it would be better to > invest that time implementing a more standard authentication (client > and server) instead for a proprietary and not dodumented like NTLM. > > For example, Apache or other web servers different fom M$ are able to > accept NTLM authentication? (Not a rhetorical question, I really > don't know) > > > Bye, Maurizio. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
RE: [twsocket] HttpSrv: implementing NTLM
Scrive Tibor Csonka <[EMAIL PROTECTED]>: > Apache itself do not support NTLM but take a look at this: > > http://modntlm.sourceforge.net/ > > it's supposed to be a module for Apache. I think they have sources also. It > may be helpful. I put it in my bookmarks. Thank you. Bye, Maurizio. This mail has been sent using Alpikom webmail system http://www.alpikom.it -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
RE: [twsocket] HttpSrv: implementing NTLM
Apache itself do not support NTLM but take a look at this: http://modntlm.sourceforge.net/ it's supposed to be a module for Apache. I think they have sources also. It may be helpful. Regards Tibor Csonka -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Maurizio Lotauro Sent: Tuesday, June 28, 2005 4:41 AM To: ICS support mailing Subject: Re: [twsocket] HttpSrv: implementing NTLM On 23-Jun-05 07:40:28 Francois Piette wrote: >> As you can see the server must at least generate the Challenge when >> speak with an ICS client, and keep it to elaborate the Message3. >> >> While from the client side we are "free" to set flags and fields with >> specific values, the server should be able to hadle all possible >> values if it must answer to a client different from ICS. >This client/server dialog occurs in a single TCP session handled by a single >TWSocket at server side. You can store anything you like n that TWSocket >without collision with other clients. That's clear, but there is still the problem how to handle request made from clients that aren't based on ICS, if they set flags and fields with values that are different from the "fixed" one set by THttpCli. In conclusion, it seems to me that implementing the NTLM in the server will require lot of time, and at the moment I don't have so much time. And I don't known if it worth the effort. Maybe it would be better to invest that time implementing a more standard authentication (client and server) instead for a proprietary and not dodumented like NTLM. For example, Apache or other web servers different fom M$ are able to accept NTLM authentication? (Not a rhetorical question, I really don't know) Bye, Maurizio. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
On 23-Jun-05 07:40:28 Francois Piette wrote: >> As you can see the server must at least generate the Challenge when >> speak with an ICS client, and keep it to elaborate the Message3. >> >> While from the client side we are "free" to set flags and fields with >> specific values, the server should be able to hadle all possible >> values if it must answer to a client different from ICS. >This client/server dialog occurs in a single TCP session handled by a single >TWSocket at server side. You can store anything you like n that TWSocket >without collision with other clients. That's clear, but there is still the problem how to handle request made from clients that aren't based on ICS, if they set flags and fields with values that are different from the "fixed" one set by THttpCli. In conclusion, it seems to me that implementing the NTLM in the server will require lot of time, and at the moment I don't have so much time. And I don't known if it worth the effort. Maybe it would be better to invest that time implementing a more standard authentication (client and server) instead for a proprietary and not dodumented like NTLM. For example, Apache or other web servers different fom M$ are able to accept NTLM authentication? (Not a rhetorical question, I really don't know) Bye, Maurizio. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
> As you can see the server must at least generate the Challenge when > speak with an ICS client, and keep it to elaborate the Message3. > > While from the client side we are "free" to set flags and fields with > specific values, the server should be able to hadle all possible > values if it must answer to a client different from ICS. This client/server dialog occurs in a single TCP session handled by a single TWSocket at server side. You can store anything you like n that TWSocket without collision with other clients. > >There is nothing in the component. It has to be handled at the application > >level. Code has been published to show how to do it. I don't remember where > >:-( > > So it is the application that tell the component to answer with a 401 > code? Yes, it is. -- [EMAIL PROTECTED] Author of ICS (Internet Component Suite, freeware) Author of MidWare (Multi-tier framework, freeware) http://www.overbyte.be - Original Message - From: "Maurizio Lotauro" <[EMAIL PROTECTED]> To: "ICS support mailing" Sent: Wednesday, June 22, 2005 4:51 AM Subject: Re: [twsocket] HttpSrv: implementing NTLM > On 21-Jun-05 08:13:21 Francois Piette wrote: > > >> Yes, and now I partially know how the client works internally. But I > >> never worked on the source of the server, so I should first learn how > >> it works internally. > > >It's quite simple. Each client has his own TWSocket instance. This reduce the > >problem to a single user. > > Ok, but certainly a status of the authentication progress must be > introduced. Reading the source of the client: > a) the client sent a Message1, which contain some fields, most set to > a fixed value > b) the server answer with a Message2. The client will use only the > Challenge field > c) the client reply with a Message3. This is where user and password > are set. Again, some fields are set with fixed values. > > As you can see the server must at least generate the Challenge when > speak with an ICS client, and keep it to elaborate the Message3. > > While from the client side we are "free" to set flags and fields with > specific values, the server should be able to hadle all possible > values if it must answer to a client different from ICS. > > It seems to me not so easy nor quick to implement. > > >> I checked (very quickly) the code but I don't understood how it > >> handle the basic authentication. > > >There is nothing in the component. It has to be handled at the application > >level. Code has been published to show how to do it. I don't remember where > >:-( > > So it is the application that tell the component to answer with a 401 > code? > > >> Is there already a similar situation, i.e. the component exchange > >> automatically more that one request with the client? > > >That's normal HTTP 1.1 behaviour. > > I mean if the component already handle a situation where it should > keep track of the "progess" of an operation. > > >> Speaking about the NTLM, I don't know if it will be "correct" to > >> don't use the Windows domain user base. Probably it is the only > >> reason to use the NTLM instead other authentications. > > >Yes, this is one interesting point in NTLM . But also NTLM offer true > >protection agains transmitting passwords over the internet. > > That's true, but as said, I think it is not so easy to do if you want > that the server will handle the authentication from a generic client. > > If the server will handle connection only from an ICS client for a > specific application then it could use the basic authentication where > the client as password will send a MD5ed version or any other hashed > version. > > About NTLM over the internet, it has diffcult to go through proxies, > then I doubt it can be used outside an intranet. > > > Bye, Maurizio. > > > -- > To unsubscribe or change your settings for TWSocket mailing list > please goto http://www.elists.org/mailman/listinfo/twsocket > Visit our website at http://www.overbyte.be > -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
On 21-Jun-05 08:13:21 Francois Piette wrote: >> Yes, and now I partially know how the client works internally. But I >> never worked on the source of the server, so I should first learn how >> it works internally. >It's quite simple. Each client has his own TWSocket instance. This reduce the >problem to a single user. Ok, but certainly a status of the authentication progress must be introduced. Reading the source of the client: a) the client sent a Message1, which contain some fields, most set to a fixed value b) the server answer with a Message2. The client will use only the Challenge field c) the client reply with a Message3. This is where user and password are set. Again, some fields are set with fixed values. As you can see the server must at least generate the Challenge when speak with an ICS client, and keep it to elaborate the Message3. While from the client side we are "free" to set flags and fields with specific values, the server should be able to hadle all possible values if it must answer to a client different from ICS. It seems to me not so easy nor quick to implement. >> I checked (very quickly) the code but I don't understood how it >> handle the basic authentication. >There is nothing in the component. It has to be handled at the application >level. Code has been published to show how to do it. I don't remember where >:-( So it is the application that tell the component to answer with a 401 code? >> Is there already a similar situation, i.e. the component exchange >> automatically more that one request with the client? >That's normal HTTP 1.1 behaviour. I mean if the component already handle a situation where it should keep track of the "progess" of an operation. >> Speaking about the NTLM, I don't know if it will be "correct" to >> don't use the Windows domain user base. Probably it is the only >> reason to use the NTLM instead other authentications. >Yes, this is one interesting point in NTLM . But also NTLM offer true >protection agains transmitting passwords over the internet. That's true, but as said, I think it is not so easy to do if you want that the server will handle the authentication from a generic client. If the server will handle connection only from an ICS client for a specific application then it could use the basic authentication where the client as password will send a MD5ed version or any other hashed version. About NTLM over the internet, it has diffcult to go through proxies, then I doubt it can be used outside an intranet. Bye, Maurizio. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
> Yes, and now I partially know how the client works internally. But I > never worked on the source of the server, so I should first learn how > it works internally. It's quite simple. Each client has his own TWSocket instance. This reduce the problem to a single user. > I checked (very quickly) the code but I don't understood how it > handle the basic authentication. There is nothing in the component. It has to be handled at the application level. Code has been published to show how to do it. I don't remember where :-( > Is there already a similar situation, i.e. the component exchange > automatically more that one request with the client? That's normal HTTP 1.1 behaviour. > Speaking about the NTLM, I don't know if it will be "correct" to > don't use the Windows domain user base. Probably it is the only > reason to use the NTLM instead other authentications. Yes, this is one interesting point in NTLM . But also NTLM offer true protection agains transmitting passwords over the internet. -- [EMAIL PROTECTED] http://www.overbyte.be - Original Message - From: "Maurizio Lotauro" <[EMAIL PROTECTED]> To: "ICS support mailing" Sent: Monday, June 20, 2005 3:32 AM Subject: Re: [twsocket] HttpSrv: implementing NTLM > On 19-Jun-05 09:11:21 Francois PIETTE wrote: > > >>>Is there someone willing to implement NTLM > >>>authentication into HTTP server component ? > >> > >> If no other has offered yourself I can help you in this but only if > >> you have a documentation how to it should work. Otherwise I have no > >> idea how to start it. > > >Well, we have the client side, you participated a lot in that development. > > Yes, and now I partially know how the client works internally. But I > never worked on the source of the server, so I should first learn how > it works internally. > > >So it should not be too difficult to build the replies the server has to do. > > I think that the main problem is to handle automatically all steps of the > authentications. As said, I must first examine and understand how the > component works. > Is there already a similar situation, i.e. the component exchange > automatically more that one request with the client? > > >I don't want to peek into Windows user base, just implement the NTLM > >authentication protocol. A simple event to get the usercode/password from > >the application host the server component is enough. > > This should be true for authentication in general, not only for NTLM. > I checked (very quickly) the code but I don't understood how it > handle the basic authentication. > > Speaking about the NTLM, I don't know if it will be "correct" to > don't use the Windows domain user base. Probably it is the only > reason to use the NTLM instead other authentications. > > > Bye, Maurizio. > > > -- > To unsubscribe or change your settings for TWSocket mailing list > please goto http://www.elists.org/mailman/listinfo/twsocket > Visit our website at http://www.overbyte.be > -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
On 19-Jun-05 09:11:21 Francois PIETTE wrote: >>>Is there someone willing to implement NTLM >>>authentication into HTTP server component ? >> >> If no other has offered yourself I can help you in this but only if >> you have a documentation how to it should work. Otherwise I have no >> idea how to start it. >Well, we have the client side, you participated a lot in that development. Yes, and now I partially know how the client works internally. But I never worked on the source of the server, so I should first learn how it works internally. >So it should not be too difficult to build the replies the server has to do. I think that the main problem is to handle automatically all steps of the authentications. As said, I must first examine and understand how the component works. Is there already a similar situation, i.e. the component exchange automatically more that one request with the client? >I don't want to peek into Windows user base, just implement the NTLM >authentication protocol. A simple event to get the usercode/password from >the application host the server component is enough. This should be true for authentication in general, not only for NTLM. I checked (very quickly) the code but I don't understood how it handle the basic authentication. Speaking about the NTLM, I don't know if it will be "correct" to don't use the Windows domain user base. Probably it is the only reason to use the NTLM instead other authentications. Bye, Maurizio. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
Is there someone willing to implement NTLM authentication into HTTP server component ? If no other has offered yourself I can help you in this but only if you have a documentation how to it should work. Otherwise I have no idea how to start it. Well, we have the client side, you participated a lot in that development. So it should not be too difficult to build the replies the server has to do. I don't want to peek into Windows user base, just implement the NTLM authentication protocol. A simple event to get the usercode/password from the application host the server component is enough. -- [EMAIL PROTECTED] http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
Re: [twsocket] HttpSrv: implementing NTLM
On 11-Jun-05 14:13:41 Francois PIETTE wrote: >Is there someone willing to implement NTLM >authentication into HTTP server component ? If no other has offered yourself I can help you in this but only if you have a documentation how to it should work. Otherwise I have no idea how to start it. Bye, Maurizio. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
[twsocket] HttpSrv: implementing NTLM
Is there someone willing to implement NTLM authentication into HTTP server component ? -- [EMAIL PROTECTED] http://www.overbyte.be -- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
