Can I indicate to clients that SPNEGO is supported but NTLM is not for HTTP requests?
The two WWW-Authenticate additions Microsoft makes use of that I am currently aware of are

  • NTLM
  • Negotiate

If Negotiate is sent down from the server, Kerberos will be used based on a set of conditions:

  • Intranet Zone
  • Accessing the server using a hostname rather than an IP
  • Integrated Windows Authentication in IE is enabled, the host is trusted in Firefox
  • The Server is not local to the browser
  • The client's Kerberos system is authenticated to a domain controller

Then Kerberos will be attempted between the server and the client; if any of the conditions above is not met, NTLM will be attempted instead.

My question is: is there some way for the server to indicate that NTLM should not be sent? I currently handle this by keeping track of the request in the session, and if an NTLM message is received, it disables Kerberos and WWW-Authenticate for the rest of that session's life.

Drusy answered 28/1, 2009 at 23:53 Comment(2)
Are you disabling NTLM because of delegation issues? - Joellajoelle
No, it's simply something I don't currently support in the Tomcat JAAS plugin I've made. It only supports Kerberos/SPNEGO. - Drusy
3

The initial WWW-Authenticate header only specifies negotiate. It can't say anything more, such as "no NTLM".

I think it's possible to respond to the first Authorization: Negotiate {Base64 NTLMSSP} header sent by the client with 401 Unauthorized and a second Negotiate header, which can include a response token, possibly including a supportedMech that specifies Kerberos only.

But I suspect that will only get you "unauthorized", because it was falling back to NTLM in the first place.

Verminous answered 11/6, 2009 at 3:49 Comment(2)
I will look into this. Most cases of Kerberos/SPNEGO being downgraded that I've seen were either because Kerberos was failing on that Windows desktop or because of a misconfiguration of the environment. There are some very arbitrary and undocumented requirements IE has to do Kerberos over NTLM. - Drusy
@ScottMarkwell I've noticed the same, but it would be nice to get IE to prompt for credentials and maybe even get a service ticket directly instead of going down the NTLM fallback route. - Verminous
3

Yes you can. Take a look at the reference docs of the SPNEGO HTTP Servlet Filter project.

Crustaceous answered 4/11, 2009 at 16:28 Comment(1)
I am actually only worried about the protocol level of the HTTP/WWW-Authenticate Negotiate. I actually rolled my own implementation. Thanks, though, for linking to this project, as I wasn't aware someone had also built a solution (looks like it got onto SourceForge ~2 weeks ago). - Drusy
2

You can do that (at least in theory), yes. IE might do totally weird stuff like sending Kerberos tokens without the appropriate SPNEGO ASN.1 encapsulation, but that's a different topic. In a conforming SPNEGO implementation (https://www.rfc-editor.org/rfc/rfc4178#section-4.1) you could do that.

If you can manipulate the NegTokenInit mechTypes member to only contain Kerberos it forces the client to send Kerberos or fail to authenticate.

Nephology answered 23/10, 2009 at 12:53 Comment(1)
The general issue is that Microsoft mixed SPNEGO/GSS-API with their existing NTLM functionality. So you aren't guaranteed an actual negotiation. - Drusy
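The two mechanisms the second and fourth answers describe, as an added Python example that is not code from this thread or from any project mentioned in it: on the detection side, telling apart a bare NTLMSSP message, a raw Kerberos token (the IE quirk the fourth answer mentions) and a SPNEGO NegTokenInit, and reading the mechTypes list out of the latter; on the offer side, encoding a NegTokenInit whose mechTypes names only the Kerberos OID, as the fourth answer proposes. The DER and OID encoding is hand-rolled so the block runs on the standard library alone; the OID values are the standard ones, the sample tokens are constructed for the example rather than captured, and `classify_negotiate_token` and `server_policy` are this example's own names. One caveat for the offer side: RFC 4178 has the acceptor reply with a NegTokenResp (negState plus supportedMech), and a server-sent NegTokenInit is Microsoft's NegTokenInit2 extension from [MS-SPNG], so the encoder is an assumption about what a client will honour, not a guarantee.

```python
import base64

# Standard OIDs that appear in SPNEGO mechTypes lists (real values, not constructed)
OID_SPNEGO  = "1.3.6.1.5.5.2"
OID_KRB5    = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"    # Microsoft's legacy Kerberos OID, usually listed next to OID_KRB5
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = (OID_KRB5, OID_MS_KRB5)

# --- minimal DER helpers: enough for OIDs, SEQUENCEs and context/application tags ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])      # valid for first arcs 0/1, which is all we need here
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return der_tlv(0x06, out)

def der_read(buf, pos):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- the offer the fourth answer describes: a NegTokenInit whose mechTypes names only what we accept ---
def build_neg_token_init(mech_oids):
    """GSS-API InitialContextToken ([APPLICATION 0] + SPNEGO OID) wrapping NegTokenInit { [0] mechTypes }."""
    mech_type_list = der_tlv(0x30, b"".join(der_oid(o) for o in mech_oids))   # SEQUENCE OF MechType
    neg_token_init = der_tlv(0x30, der_tlv(0xA0, mech_type_list))            # NegTokenInit ::= SEQUENCE { [0] mechTypes }
    negotiation_token = der_tlv(0xA0, neg_token_init)                        # NegotiationToken CHOICE [0] negTokenInit
    return der_tlv(0x60, der_oid(OID_SPNEGO) + negotiation_token)

# --- what the client actually sent in "Authorization: Negotiate <base64>" ---
def classify_negotiate_token(b64):
    """Return (kind, mechTypes); kind is 'ntlm', 'kerberos-raw', 'spnego', 'spnego-resp' or 'unknown'."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):          # bare NTLMSSP message with no GSS framing at all
        return "ntlm", []
    tag, body, _ = der_read(raw, 0)
    if tag != 0x60:
        return "unknown", []
    _, oid_body, pos = der_read(body, 0)
    mech = decode_oid(oid_body)
    if mech in KERBEROS_OIDS:                   # raw Kerberos AP-REQ without SPNEGO wrapping
        return "kerberos-raw", [mech]
    if mech != OID_SPNEGO:
        return "unknown", [mech]
    ctag, inner, _ = der_read(body, pos)
    if ctag != 0xA0:                            # [1] negTokenResp: a continuation, not an initial offer
        return "spnego-resp", []
    _, seq, _ = der_read(inner, 0)
    _, mt_ctx, _ = der_read(seq, 0)             # [0] mechTypes is always the first NegTokenInit field
    _, mt_list, _ = der_read(mt_ctx, 0)
    mechs, p = [], 0
    while p < len(mt_list):
        _, oid_body, p = der_read(mt_list, p)
        mechs.append(decode_oid(oid_body))
    return "spnego", mechs

def server_policy(authorization):
    """Kerberos-only decision for one Authorization header value (hypothetical policy, not from the thread)."""
    if not authorization.startswith("Negotiate "):
        return "challenge"                      # 401 plus WWW-Authenticate: Negotiate
    kind, mechs = classify_negotiate_token(authorization[len("Negotiate "):])
    if kind == "kerberos-raw" or (kind == "spnego" and any(m in KERBEROS_OIDS for m in mechs)):
        return "accept-kerberos"                # hand the token to the Kerberos acceptor
    return "reject-ntlm"                        # NTLM fallback detected: 401, do not continue the exchange

# Constructed sample tokens (not captured traffic): an NTLM type-1 header padded out, and SPNEGO offers
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode()
SAMPLE_NTLM_IN_SPNEGO = base64.b64encode(build_neg_token_init([OID_NTLMSSP])).decode()
SAMPLE_KRB_OFFER = base64.b64encode(build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])).decode()
KERBEROS_ONLY_CHALLENGE = base64.b64encode(build_neg_token_init([OID_KRB5])).decode()

if __name__ == "__main__":
    for name, tok in [("ntlm", SAMPLE_NTLM), ("ntlm-in-spnego", SAMPLE_NTLM_IN_SPNEGO), ("krb", SAMPLE_KRB_OFFER)]:
        print(name, classify_negotiate_token(tok), server_policy("Negotiate " + tok))
    print("WWW-Authenticate: Negotiate " + KERBEROS_ONLY_CHALLENGE)
```

The point of classifying before handing the token to the Kerberos acceptor is the one the question raises: once a client has fallen back to NTLM, continuing the exchange only produces more 401s, so rejecting the NTLM token outright (and logging it as a sign that Kerberos is failing on that desktop, as the second answer's comments note) is cheaper than letting the round trips play out. A SPNEGO offer that lists NTLMSSP after the Kerberos OIDs is still accepted, because the server can select Kerberos from that list.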
