How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header

Asked 8/4, 2011 at 15:47 Answered 16/8, 2017 at 11:15

Solved .net kerberos ntlm negotiate www-authenticate

I am programming a client application in .Net that communicates with server via HTTP.

I need to set different request buffering options in case of NTLM and Kerberos authorization.

How to find out if NTLM or Kerberos is used? Is it possible to somehow decode 'WWW-Authenticate: Negotiate' header?

Sheep answered 8/4, 2011 at 15:47 Comment(0)

You will find answer here.

Short answer is:

1.Capture some successfully authorized request using Fiddler tool.
2.Choose "Inspectors" -> "Headers" tab.
3.Pay attention at "Cookies / Login" section, "Authorization" header.

If the Authorization token begins with "YII" then Kerberos is used, but if it begins with "TlR" then Kerberos is not used.

For example Kerberos:

Authorization: Negotiate YIIVDAYGKwYBE...

Not Kerberos:

Authorization: Negotiate TlRMTVNTUA...

Seasick answered 9/9, 2013 at 15:6 Comment(7)

Excellent! Very simple, and it works in .Net/C#. Thank you Taras! – Sheep 11/9, 2013 at 17:33

Also on the Inspectors/Auth tab it will say something like 'Authorization Header (Negotiate) appears to contain a Kerberos ticket' – Sauger 6/3, 2014 at 13:8

What if begins with an "oS"? – Hanafee 11/11, 2014 at 16:9

Fiddler sets itself up as a proxy and can cause kerberos to fail in some situations, which would lead to an NTLM fall-back for most Negotiate situations. Microsoft advised me of this in a support ticket in the past, when I THOUGHT I had proven that kerberos wasn't working for a particular application. It is best to use less intrusive logging methods to inspect the authorization header, for instance "netsh trace": blogs.msdn.com/b/canberrapfe/archive/2012/03/31/… – Hrutkay 26/5, 2015 at 17:41

+1 for "YII", I'm surprised searching for the first few bytes in hex didn't immediately flag up "this is Kerberos" when I was trying to identify the blob". – Bahr 26/6, 2017 at 8:33

Worth noting: Base64Decode("TlRMTVNT") = "NTLMSS" – Meyerhof 31/12, 2020 at 17:56

@Hanafee that probably means you are looking at a continued negotiation token, I think the "YII" and "TlR" rule only applies to the first token sent from the browser not subsequent tokens. – Lay 5/1, 2021 at 17:4

Parsing a Negotiate header is sort of a tedious exercise as it's built using ASN.1 DER.

That said, you may not necessarily need to decode this however to make a good assumption about the payload. While there is a mechanism in GSSAPI for NTLM (more on that below), in my experience clients do not actually use it, they simply send NTLM headers. In my (admittedly strictly controlled) environment, if I see Authorization: NTLM ... then this is guaranteed to be NTLM. If I see Authorization: Negotiate ... then this is guaranteed to be Kerberos.

Strictly speaking, you should look at the mechanism list in the header to determine whether the mechanism was NTLM or Kerberos. I would recommend either using an off-the-shelf ASN.1 decoder, or looking at Microsoft's decoding example. You're going to want to look for the SPNEGO OID (1.3.6.1.5.5.2), then look for the mechanism type sequence within that. The first mechanism in the sequence corresponds to the response token payload, so you can look at that OID to determine the mechanism. Some known OIDs for Kerberos are:

1.2.840.113554.1.2.2 (Kerberos 5)
1.2.840.48018.1.2.2 (Microsoft Kerberos 5)
1.3.5.1.5.2 (Kerberos 5 OID 2)

To my knowledge, the only OID for NTLM is (referenced from this blog):

1.3.6.1.4.1.311.2.2.10 (NLMP NTLM)

Juliettajuliette answered 14/7, 2011 at 19:17 Comment(6)

It's absolutely legal and possible to use NTLM inside Negotiate, and in my experience, it's pretty common. If you simply base64 decode the header, it should be obvious which SSP is in use. E.g. take a peek inside Fiddler's AUTH tab. – Apanage 23/4, 2013 at 17:5

@EricLaw: that's why I suggested parsing the mechanism list. – Juliettajuliette 23/4, 2013 at 18:0

@EricLaw: and if there's some more trivial way to determine the mechanism than by parsing it properly, then that would be helpful knowledge to have. Is that not what fiddler is doing? – Juliettajuliette 24/4, 2013 at 13:51

There is also an OID for NegoEx: 1.3.6.1.4.1.311.2.2.30. This is used to extend "authorization: negotiate" headers to support new protocols. – Emergency 18/9, 2013 at 18:11

false="If I see Authorization: Negotiate ... then this is guaranteed to be Kerberos" – Uncircumcision 15/8, 2017 at 15:38

@Uncircumcision I though that I was pretty clear with the "in my environment" disclaimer, but thanks anyway for the downvote! – Juliettajuliette 15/8, 2017 at 19:57

If the server advertises to user Negotiate you are free to use Kerberos, NTLM oder something is supported by SPNEGO. Though, there is no guarantee that the server supports every wrapped auth method sent by the client.

Copeck answered 14/7, 2011 at 16:52 Comment(1)

I am programming it with .Net and I can only specify Negotiate on a client side. So finally I do not know if NTLM or Kerberos was chosen. Any idea how to detect which was selected? – Sheep 14/7, 2011 at 17:54

Yes; just Base64 decode it and you will see "NTLM" or "HTTP".

v = BitConverter.ToString(Convert.FromBase64String(v.Replace("Negotiate: ","")));
if (v.indexOf("NTLM") > -1) {
    //...
}

Uncircumcision answered 16/8, 2017 at 11:15 Comment(0)

Recommended topics

Hot tags