Re: [twsocket] HttpSrv: implementing NTLM

2005-08-12 Thread Maurizio Lotauro
On 08-Aug-05 19:08:36 Francois PIETTE wrote:

Another interesting link is this one:
http://codecentral.borland.com/Item.aspx?id=16213
It contains code to validate usercode/password on a Windows domain.
It is a Delphi translation of the code in the article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;180548

I quickly looked at this article today. It is interesting but, if I
read correctly, it needs the password in clear form to work.
If this is true it is useless for HttpSrv because with NTLM it will
receive the password in a one-way encoded form.


Bye, Maurizio.

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://www.elists.org/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] HttpSrv: implementing NTLM

2005-06-28 Thread Maurizio Lotauro
On 23-Jun-05 07:40:28 Francois Piette wrote:

 As you can see the server must at least generate the Challenge when
 speaking with an ICS client, and keep it to elaborate the Message3.

 While from the client side we are free to set flags and fields with
 specific values, the server should be able to handle all possible
 values if it must answer to a client different from ICS.

This client/server dialog occurs in a single TCP session handled by a single
TWSocket at server side. You can store anything you like in that TWSocket
without collision with other clients.

That's clear, but there is still the problem of how to handle requests
made from clients that aren't based on ICS, if they set flags and
fields with values that are different from the fixed ones set by
THttpCli.

In conclusion, it seems to me that implementing the NTLM in the
server will require a lot of time, and at the moment I don't have so
much time.
And I don't know if it is worth the effort. Maybe it would be better to
invest that time implementing a more standard authentication (client
and server) instead of a proprietary and undocumented one like NTLM.

For example, are Apache or other web servers different from M$ able to
accept NTLM authentication? (Not a rhetorical question, I really
don't know)


Bye, Maurizio.




Re: [twsocket] HttpSrv: implementing NTLM

2005-06-23 Thread Francois Piette
 As you can see the server must at least generate the Challenge when
 speaking with an ICS client, and keep it to elaborate the Message3.

 While from the client side we are free to set flags and fields with
 specific values, the server should be able to handle all possible
 values if it must answer to a client different from ICS.

This client/server dialog occurs in a single TCP session handled by a single
TWSocket at server side. You can store anything you like in that TWSocket
without collision with other clients.

 There is nothing in the component. It has to be handled at the application
 level. Code has been published to show how to do it. I don't remember where
 :-(

 So it is the application that tells the component to answer with a 401
 code?

Yes, it is.
--
[EMAIL PROTECTED]
Author of ICS (Internet Component Suite, freeware)
Author of MidWare (Multi-tier framework, freeware)
http://www.overbyte.be


- Original Message - 
From: Maurizio Lotauro [EMAIL PROTECTED]
To: ICS support mailing twsocket@elists.org
Sent: Wednesday, June 22, 2005 4:51 AM
Subject: Re: [twsocket] HttpSrv: implementing NTLM


 On 21-Jun-05 08:13:21 Francois Piette wrote:

  Yes, and now I partially know how the client works internally. But I
  never worked on the source of the server, so I should first learn how
  it works internally.

 It's quite simple. Each client has his own TWSocket instance. This reduces the
 problem to a single user.

 Ok, but certainly a status of the authentication progress must be
 introduced. Reading the source of the client:
 a) the client sends a Message1, which contains some fields, most set to
 a fixed value
 b) the server answers with a Message2. The client will use only the
 Challenge field
 c) the client replies with a Message3. This is where user and password
 are set. Again, some fields are set with fixed values.

 As you can see the server must at least generate the Challenge when
 speaking with an ICS client, and keep it to elaborate the Message3.

 While from the client side we are free to set flags and fields with
 specific values, the server should be able to handle all possible
 values if it must answer to a client different from ICS.

 It seems to me not so easy nor quick to implement.

  I checked (very quickly) the code but I didn't understand how it
  handles the basic authentication.

 There is nothing in the component. It has to be handled at the application
 level. Code has been published to show how to do it. I don't remember where
 :-(

 So it is the application that tells the component to answer with a 401
 code?

  Is there already a similar situation, i.e. the component exchanges
  automatically more than one request with the client?

 That's normal HTTP 1.1 behaviour.

 I mean if the component already handles a situation where it should
 keep track of the progress of an operation.

  Speaking about the NTLM, I don't know if it will be correct
  not to use the Windows domain user base. Probably it is the only
  reason to use the NTLM instead of other authentications.

 Yes, this is one interesting point in NTLM. But also NTLM offers true
 protection against transmitting passwords over the internet.

 That's true, but as said, I think it is not so easy to do if you want
 that the server will handle the authentication from a generic client.

 If the server will handle connection only from an ICS client for a
 specific application then it could use the basic authentication where
 the client as password will send an MD5ed version or any other hashed
 version.

 About NTLM over the internet, it has difficulty going through proxies,
 then I doubt it can be used outside an intranet.


 Bye, Maurizio.







Re: [twsocket] HttpSrv: implementing NTLM

2005-06-22 Thread Maurizio Lotauro
On 21-Jun-05 08:13:21 Francois Piette wrote:

 Yes, and now I partially know how the client works internally. But I
 never worked on the source of the server, so I should first learn how
 it works internally.

It's quite simple. Each client has his own TWSocket instance. This reduces the
problem to a single user.

Ok, but certainly a status of the authentication progress must be
introduced. Reading the source of the client:
a) the client sends a Message1, which contains some fields, most set to
a fixed value
b) the server answers with a Message2. The client will use only the
Challenge field
c) the client replies with a Message3. This is where user and password
are set. Again, some fields are set with fixed values.

As you can see the server must at least generate the Challenge when
speaking with an ICS client, and keep it to elaborate the Message3.

While from the client side we are free to set flags and fields with
specific values, the server should be able to handle all possible
values if it must answer to a client different from ICS.

It seems to me not so easy nor quick to implement.

 I checked (very quickly) the code but I didn't understand how it
 handles the basic authentication.

There is nothing in the component. It has to be handled at the application
level. Code has been published to show how to do it. I don't remember where
:-(

So it is the application that tells the component to answer with a 401
code?

 Is there already a similar situation, i.e. the component exchanges
 automatically more than one request with the client?

That's normal HTTP 1.1 behaviour.

I mean if the component already handles a situation where it should
keep track of the progress of an operation.

 Speaking about the NTLM, I don't know if it will be correct
 not to use the Windows domain user base. Probably it is the only
 reason to use the NTLM instead of other authentications.

Yes, this is one interesting point in NTLM. But also NTLM offers true
protection against transmitting passwords over the internet.

That's true, but as said, I think it is not so easy to do if you want
that the server will handle the authentication from a generic client.

If the server will handle connection only from an ICS client for a
specific application then it could use the basic authentication where
the client as password will send an MD5ed version or any other hashed
version.

About NTLM over the internet, it has difficulty going through proxies,
then I doubt it can be used outside an intranet.


Bye, Maurizio.
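
The server side of steps a) to c) above, as an added example that is not part of this thread and is not ICS code: per-connection state that issues the Challenge in Message2, keeps it until Message3 arrives, and reads Message3 according to the flags the client sent instead of assuming THttpCli's fixed values. `NtlmConnState`, `secbuf` and `handle` are hypothetical names; field offsets follow the publicly documented NTLM message layout, and checking the response against the stored password is left to the application.

```python
import base64, os, struct
SIG = b"NTLMSSP\x00"
F_UNICODE, F_OEM, F_NTLM = 0x1, 0x2, 0x200      # NTLM negotiate flags

def secbuf(msg, pos):
    """Read one security buffer (length, max length, offset), bounds-checked."""
    length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
    if off + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[off:off + length]

class NtlmConnState:
    """Hypothetical per-connection state: one instance per client socket."""
    def __init__(self):
        self.challenge, self.flags = None, 0   # challenge is set when Message2 is sent

    def handle(self, authorization):
        """Return ("challenge", WWW-Authenticate value) or ("verify", fields)."""
        try:
            scheme, _, token = (authorization or "").partition(" ")
            if scheme != "NTLM":
                raise ValueError("no NTLM token yet")
            msg = base64.b64decode(token, validate=True)
            if msg[:8] != SIG:
                raise ValueError("bad signature")
            mtype = struct.unpack_from("<I", msg, 8)[0]
            if mtype == 1:
                return "challenge", self._message2(struct.unpack_from("<I", msg, 12)[0])
            if mtype == 3 and self.challenge is not None:
                return "verify", self._message3(msg)
            raise ValueError("message out of sequence")
        except (ValueError, struct.error):
            self.challenge = None      # malformed or out of order: restart
            return "challenge", "NTLM"

    def _message2(self, client_flags):
        # Follow the client's charset flag rather than assuming a fixed value.
        self.flags = F_NTLM | (F_UNICODE if client_flags & F_UNICODE else F_OEM)
        self.challenge = os.urandom(8)
        body = struct.pack("<IHHII", 2, 0, 0, 40, self.flags) + self.challenge + bytes(8)
        return "NTLM " + base64.b64encode(SIG + body).decode("ascii")

    def _message3(self, msg):
        enc = "utf-16-le" if self.flags & F_UNICODE else "latin-1"  # OEM codepage assumed
        fields = {"lm_response": secbuf(msg, 12), "nt_response": secbuf(msg, 20),
                  "domain": secbuf(msg, 28).decode(enc), "user": secbuf(msg, 36).decode(enc),
                  "challenge": self.challenge}
        self.challenge = None          # a challenge is answered once
        return fields
```

A "challenge" result corresponds to a 401 reply carrying the returned value in `WWW-Authenticate`; a "verify" result hands the application the user name, the responses and the challenge they were computed against.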




Re: [twsocket] HttpSrv: implementing NTLM

2005-06-21 Thread Francois Piette
 Yes, and now I partially know how the client works internally. But I
 never worked on the source of the server, so I should first learn how
 it works internally.

It's quite simple. Each client has his own TWSocket instance. This reduces the
problem to a single user.

 I checked (very quickly) the code but I didn't understand how it
 handles the basic authentication.

There is nothing in the component. It has to be handled at the application
level. Code has been published to show how to do it. I don't remember where :-(

 Is there already a similar situation, i.e. the component exchanges
 automatically more than one request with the client?

That's normal HTTP 1.1 behaviour.

 Speaking about the NTLM, I don't know if it will be correct
 not to use the Windows domain user base. Probably it is the only
 reason to use the NTLM instead of other authentications.

Yes, this is one interesting point in NTLM. But also NTLM offers true
protection against transmitting passwords over the internet.
--
[EMAIL PROTECTED]
http://www.overbyte.be


- Original Message - 
From: Maurizio Lotauro [EMAIL PROTECTED]
To: ICS support mailing twsocket@elists.org
Sent: Monday, June 20, 2005 3:32 AM
Subject: Re: [twsocket] HttpSrv: implementing NTLM


 On 19-Jun-05 09:11:21 Francois PIETTE wrote:

 Is there someone willing to implement NTLM
 authentication into HTTP server component ?
 
  If no one else has offered, I can help you with this, but only if
  you have documentation of how it should work. Otherwise I have no
  idea how to start it.

 Well, we have the client side, you participated a lot in that development.

 Yes, and now I partially know how the client works internally. But I
 never worked on the source of the server, so I should first learn how
 it works internally.

 So it should not be too difficult to build the replies the server has to do.

 I think that the main problem is to handle automatically all steps of the
 authentications. As said, I must first examine and understand how the
 component works.
 Is there already a similar situation, i.e. the component exchanges
 automatically more than one request with the client?

 I don't want to peek into Windows user base, just implement the NTLM
 authentication protocol. A simple event to get the usercode/password from
 the application hosting the server component is enough.

 This should be true for authentication in general, not only for NTLM.
 I checked (very quickly) the code but I didn't understand how it
 handles the basic authentication.

 Speaking about the NTLM, I don't know if it will be correct
 not to use the Windows domain user base. Probably it is the only
 reason to use the NTLM instead of other authentications.


 Bye, Maurizio.







Re: [twsocket] HttpSrv: implementing NTLM

2005-06-19 Thread Francois PIETTE

Is there someone willing to implement NTLM
authentication into HTTP server component ?


If no one else has offered, I can help you with this, but only if
you have documentation of how it should work. Otherwise I have no
idea how to start it.


Well, we have the client side, you participated a lot in that development.
So it should not be too difficult to build the replies the server has to do.
I don't want to peek into Windows user base, just implement the NTLM
authentication protocol. A simple event to get the usercode/password from
the application hosting the server component is enough.

--
[EMAIL PROTECTED]
http://www.overbyte.be




Re: [twsocket] HttpSrv: implementing NTLM

2005-06-18 Thread Maurizio Lotauro
On 11-Jun-05 14:13:41 Francois PIETTE wrote:

Is there someone willing to implement NTLM
authentication into HTTP server component ?

If no one else has offered, I can help you with this, but only if
you have documentation of how it should work. Otherwise I have no
idea how to start it.


Bye, Maurizio.

