Re: [twsocket] NTLM authentication reloaded

That is what I meant also. Now the question is: should or should not ICS allow other separators than backslash? And the second question: on the proxy authentication part, should we use the same technique? Personally I didn't see usernames like [EMAIL PROTECTED] until now in Windows. Paul, can you give me examples where you can configure a proxy/web server with NTLM in the way you pointed out?

Francois PIETTE wrote:
> > It seems to me that you have the same problem as me. Try to separate the user and the domain. If it works let me know so I can patch the proxy part of NTLM auth too.
> > Without domain the user will not be authenticated, I tried.
>
> I think you are right. Since NtlmGetMessage3 has provision for a domain name, it should be put there and not embedded into the username. Embedding the domain in the username is just a convenient way of doing it for the application user interface. At the lowest level, in the NTLM messages, the domain should be written where it belongs.
>
> --
> [EMAIL PROTECTED]
> http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://www.elists.org/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] NTLM authentication reloaded

> Personally I didn't see usernames like [EMAIL PROTECTED] until now in Windows. Paul, can you give me examples where you can configure a proxy/web server with NTLM in the way you pointed out?

You won't find this strange format in M$ proxies, but there are lots of proxies available. The ones that require [EMAIL PROTECTED] are mostly used with FTP. The only way it seems to work everywhere is as I described in previous messages, because there are proxies that act differently between their users also. Since I haven't found a way to detect how they make that difference, I test all situations and pick the one that works.

Paul

----- Original Message -----
From: Tibor Csonka [EMAIL PROTECTED]
To: ICS support mailing twsocket@elists.org
Sent: Friday, January 20, 2006 11:18 AM
Subject: Re: [twsocket] NTLM authentication reloaded
Re: [twsocket] NTLM authentication reloaded

> Should ICS be responsible for domain/user parsing out of a single property, or should a new property with the domain be added?

I think not, unless the component itself tests for the combination that works.

Paul

----- Original Message -----
From: Francois PIETTE [EMAIL PROTECTED]
To: ICS support mailing twsocket@elists.org
Sent: Friday, January 20, 2006 12:04 PM
Subject: Re: [twsocket] NTLM authentication reloaded

> > That is what I meant also. Now the question is: should or should not ICS allow other separators than backslash?
>
> Should ICS be responsible for domain/user parsing out of a single property, or should a new property with the domain be added?
>
> > And the second question: on the proxy authentication part, should we use the same technique?
>
> I think so, although I have nothing to test.
>
> --
> Contribute to the SSL Effort. Visit http://www.overbyte.be/eng/ssl.html
> --
> [EMAIL PROTECTED]
> http://www.overbyte.be
>
> ----- Original Message -----
> From: Tibor Csonka [EMAIL PROTECTED]
> To: ICS support mailing twsocket@elists.org
> Sent: Friday, January 20, 2006 11:18 AM
> Subject: Re: [twsocket] NTLM authentication reloaded
Re: [twsocket] NTLM authentication reloaded

Anyway, user tweaks like this separation character should not be the concern of ICS but of the application with the functionality.
Re: [twsocket] NTLM authentication reloaded

> > Paul, can you give me examples where you can configure a proxy/web server with NTLM in the way you pointed out?
>
> You won't find this strange format in M$ proxies, but there are lots of proxies available. The ones that require [EMAIL PROTECTED] are mostly used with FTP.

Yes, but those are not NTLM proxies imo. They are just transparent FTP proxies.

--
[EMAIL PROTECTED]
http://www.overbyte.be
Re: [twsocket] NTLM authentication reloaded

> > Should ICS be responsible for domain/user parsing out of a single property, or should a new property with the domain be added?
>
> I can see your point here. For me it is simpler for now to leave it like that, but I think ICS _should not_ handle the separation; it is much better to expose separate properties. However, regardless of how you implement this, ICS documentation or example code should include all the possible separators to make newbies' lives easier :).

If we don't create a new property for the domain, we have to provide a new property for the delimiter.

--
[EMAIL PROTECTED]
http://www.overbyte.be
Re: [twsocket] NTLM authentication reloaded

I would like to correct the bug report I posted before: there is no way to set the domain for NTLM authentication, neither for the web server nor for the proxy, in ICS HttpProt. A mechanism should be included in future releases. A new property for the domain can be added for proxy auth and separately for web auth, or a property in which users can set the domain name separator; this can be one for each of the authentication parts, because it mainly depends on the implementing application's user interface.

Best regards,
Tibor Csonka
Re: [twsocket] NTLM authentication reloaded

> Yes, but those are not NTLM proxies imo. They are just transparent FTP proxies.

I have run into problems with HTTP NTLM proxies.

Paul

----- Original Message -----
From: Francois PIETTE [EMAIL PROTECTED]
To: ICS support mailing twsocket@elists.org
Sent: Friday, January 20, 2006 12:51 PM
Subject: Re: [twsocket] NTLM authentication reloaded
Re: [twsocket] NTLM authentication reloaded

Tibor Csonka [EMAIL PROTECTED] writes:

> [...]
> > Do you have a similar situation with IIS? I mean, if you don't include the domain, will you be authenticated?
>
> It seems to me that you have the same problem as me. Try to separate the user and the domain. If it works let me know so I can patch the proxy part of NTLM auth too.

I'm sorry, but at the moment I can't do this test.

> Without domain the user will not be authenticated, I tried.

But I am not in control of the server, so maybe from another location users may possibly authenticate themselves without a domain. Maybe the situation is that if no domain is specified then the server uses a default one. But this is only a hypothesis.

I looked in the Firefox NTLM code and it seems that they do the same (separate the user and the domain). This is very interesting.

Bye, Maurizio.

This mail has been sent using Alpikom webmail system
http://www.alpikom.it
Re: [twsocket] NTLM authentication reloaded

Paul [EMAIL PROTECTED] writes:

> You can't know what the proxy wants, so you have to test all possible situations and pick the one that works. As Maurizio said, some users have to add the domain and some not (on the same proxy!)

Is it possible for you to test, with a proxy that needs [EMAIL PROTECTED], whether it works or not if the domain and password are sent separately in the Msg3?

Bye, Maurizio.
Re: [twsocket] NTLM authentication reloaded

Francois PIETTE [EMAIL PROTECTED] writes:

> > That is what I meant also. Now the question is: should or should not ICS allow other separators than backslash?
>
> Should ICS be responsible for domain/user parsing out of a single property, or should a new property with the domain be added?

I suggest to do so. Separate domain and user and try to authenticate under the various situations where different formats are needed, i.e. Username, Domain\Username and [EMAIL PROTECTED]. If it works in every situation then we should decide which format to use (for example Domain\Username, as I see in the Windows logon) and then it is the application that must set the Username property accordingly.

Bye, Maurizio.
Re: [twsocket] NTLM authentication reloaded

Tibor Csonka [EMAIL PROTECTED] writes:

> I would like to correct the bug report I posted before:
> [...]
> A new property for the domain can be added for proxy auth and separately for web auth, or a property in which users can set the domain name separator; this can be one for each of the authentication parts, because it mainly depends on the implementing application's user interface.

As I said, I suggest to wait with adding new properties until we have checked whether separating domain and username solves all NTLM authentication problems.

Bye, Maurizio.
Re: [twsocket] NTLM authentication reloaded

Arno Garrels [EMAIL PROTECTED] writes:

> [...]
> I think they aren't so smart, but just calling LogOnUser(); note that [EMAIL PROTECTED] is valid, not only for FTP proxies.

I don't think that the server uses LogOnUser to authenticate the request, because with NTLM it will not receive the password in plain text.

Bye, Maurizio.
Re: [twsocket] NTLM authentication reloaded

Maurizio Lotauro wrote:
> Arno Garrels [EMAIL PROTECTED] writes:
>
> > [...]
> > I think they aren't so smart, but just calling LogOnUser(); note that [EMAIL PROTECTED] is valid, not only for FTP proxies.
>
> I don't think that the server uses LogOnUser to authenticate the request, because with NTLM it will not receive the password in plain text.

Yes, you are right, it's the hashed password only. However, it appears that the problems due to the missing Domain property described in this thread become clear if you read the LogonUser() docs. Does anybody know how a server/proxy checks an NTLM logon attempt against Windows users?

Arno Garrels

> Bye, Maurizio.
[twsocket] NTLM authentication reloaded

Hello list,

I've just run into a small bug in NTLM authentication from HttpCli. There is a possibility that the user enters the username as domain\username. In this case HttpCli will send the username and the domain as the username, which is not working (at least on IIS 6). The code looks like this:

    Result := NtlmGetMessage3('', Hostname, FUsername, FPassword,
                              FNTLMMsg2Info.Challenge);

where NtlmGetMessage3 is defined as:

    function NtlmGetMessage3(const ADomain, AHost, AUser, APassword: String;
                             AChallenge: TArrayOf8Bytes): String;

This function will generate the last NTLM message containing the authentication information. The call, as you can see, sets the domain to an empty string in all cases, but if the user supplies the username in the manner I've mentioned before, this is not correct. A fast dirty fix which I made is:

    { Split 'domain\user' at the first backslash: everything before it is
      the domain, everything after it is the user name. }
    DomPos := Pos('\', FUsername);
    if DomPos > 0 then begin
        Dom   := Copy(FUsername, 1, DomPos - 1);
        UName := Copy(FUsername, DomPos + 1, Length(FUsername) - DomPos);
    end
    else begin
        { No separator: keep the old behaviour, an empty domain }
        Dom   := '';
        UName := FUsername;
    end;
    { The domain now goes into the domain field of NTLM message 3,
      not into the user name field }
    Result := NtlmGetMessage3(Dom, Hostname, UName, FPassword,
                              FNTLMMsg2Info.Challenge);

I did this in the HTTP authentication part, not in the proxy. Can somebody confirm that in the case of NTLM proxies it should work the same way?

Best regards,
Tibor Csonka
Re: [twsocket] NTLM authentication reloaded

> I did this in the HTTP authentication part, not in the proxy. Can somebody confirm that in the case of NTLM proxies it should work the same way?

There are several ways a proxy auth is requested; it depends on the proxy settings and/or domain or even a workgroup:

- username
- domain\username
- [EMAIL PROTECTED]

You should try them all yourself and select the one that works.

Paul

----- Original Message -----
From: Tibor Csonka [EMAIL PROTECTED]
To: twsocket@elists.org
Sent: Thursday, January 19, 2006 5:32 PM
Subject: [twsocket] NTLM authentication reloaded
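Tibor's backslash-only split and Paul's three forms (plain username, domain\username, and the '@' form) together suggest one small routine. The following Python is an added example, not ICS code: `split_credential` generalizes the Delphi fix to both separators and feeds the ADomain/AUser parameters of NtlmGetMessage3 separately, and `candidate_credentials` orders the (domain, user) pairs an application could try in turn; all function names are hypothetical and the ISA-like acceptor is a constructed stand-in for the behaviour Maurizio describes.

```python
"""Split an NTLM credential the way this thread discusses.

Added example, not ICS code.  Function names are hypothetical; the only
ICS identifier referenced is NtlmGetMessage3(ADomain, AHost, AUser, ...),
whose ADomain/AUser parameters the returned (domain, user) pair feeds.
"""
from typing import Callable, List, Optional, Tuple

Credential = Tuple[str, str]  # (domain, user) as passed to NtlmGetMessage3


def split_credential(raw: str) -> Credential:
    """Return (domain, user) for 'user', 'DOMAIN\\user' or 'user@domain'.

    Mirrors the Pos('\\') logic of the Delphi fix and also accepts '@',
    the second separator discussed on the list.  Backslash wins when both
    are present, because 'DOMAIN\\first.last@example.com' is a legal
    Windows logon name whose user part itself contains an '@'.
    A missing domain part yields '' so the caller sends an empty
    domain field, exactly what the original unconditional '' did.
    """
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
        return domain, user
    if "@" in raw:
        user, _, domain = raw.rpartition("@")
        return domain, user
    return "", raw


def candidate_credentials(raw: str) -> List[Credential]:
    """Ordered (domain, user) pairs to try, following Paul's advice to
    try every form and keep the one the proxy accepts.

    The first entry puts the domain in the field NTLM message 3 has for
    it; the later ones reproduce the legacy forms that embed the domain
    in the user name, for proxies that only accept those.
    """
    domain, user = split_credential(raw)
    candidates: List[Credential] = [(domain, user)]
    if domain:
        candidates.append(("", user))  # some users must NOT send a domain
        candidates.append(("", f"{domain}\\{user}"))
        candidates.append(("", f"{user}@{domain}"))
    unique: List[Credential] = []
    for cand in candidates:  # drop duplicates, keep order
        if cand not in unique:
            unique.append(cand)
    return unique


def first_accepted(raw: str,
                   accepts: Callable[[str, str], bool]) -> Optional[Credential]:
    """Try each candidate against accepts(domain, user) and return the
    first one the server takes, or None if every form is refused."""
    for domain, user in candidate_credentials(raw):
        if accepts(domain, user):
            return domain, user
    return None


def constructed_isa_like(domain: str, user: str) -> bool:
    """Constructed stand-in for the ISA proxy behaviour Maurizio reports:
    'alice' authenticates only with her domain, 'bob' only without it."""
    policy = {"alice": "CORP", "bob": ""}
    return policy.get(user) == domain


if __name__ == "__main__":
    for name in ("CORP\\alice", "CORP\\bob", "bob@CORP", "carol"):
        print(f"{name!r:24} -> {first_accepted(name, constructed_isa_like)}")
```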
Re: [twsocket] NTLM authentication reloaded

I don't have a specific case where it isn't working. I was trying to fix things and I thought that someone knows how proxies/HTTP servers are accepting NTLM credentials.

Paul wrote:
> > I did this in the HTTP authentication part, not in the proxy. Can somebody confirm that in the case of NTLM proxies it should work the same way?
>
> There are several ways a proxy auth is requested; it depends on the proxy settings and/or domain or even a workgroup:
>
> - username
> - domain\username
> - [EMAIL PROTECTED]
>
> You should try them all yourself and select the one that works.
>
> Paul
>
> ----- Original Message -----
> From: Tibor Csonka [EMAIL PROTECTED]
> To: twsocket@elists.org
> Sent: Thursday, January 19, 2006 5:32 PM
> Subject: [twsocket] NTLM authentication reloaded
Re: [twsocket] NTLM authentication reloaded

Tibor Csonka [EMAIL PROTECTED] writes:

> Hello list, I've just run into a small bug in NTLM authentication from HttpCli. There is a possibility that the user enters the username as domain\username. In this case HttpCli will send the username and the domain as the username, which is not working (at least on IIS 6).
> [...]
> The call, as you can see, sets the domain to an empty string in all cases, but if the user supplies the username in the manner I've mentioned before, this is not correct.
> [...]
> I did this in the HTTP authentication part, not in the proxy. Can somebody confirm that in the case of NTLM proxies it should work the same way?

I have a strange situation. A customer uses ISA Server as proxy and has enabled NTLM authentication. To authenticate, some users must include the domain (domain\username) and some other users must not include it (I mean, if they include the domain they will not be authenticated). I haven't investigated what the difference between these users is. Do you have a similar situation with IIS? I mean, if you don't include the domain, will you be authenticated?

Bye, Maurizio.
Re: [twsocket] NTLM authentication reloaded

Maybe we should include the '@' also as a separator.

Paul wrote:
> Maurizio, different users can have different rights also. The only way I found so far is to detect a domain yourself, try all possible authentications and pick the one that succeeds. So if the user is in a domain, then try logon with username, domain\username, [EMAIL PROTECTED].
>
> Paul
>
> ----- Original Message -----
> From: Maurizio Lotauro [EMAIL PROTECTED]
> To: ICS support mailing twsocket@elists.org
> Sent: Friday, January 20, 2006 1:47 AM
> Subject: Re: [twsocket] NTLM authentication reloaded