How to transform NTLM credentials to Kerberos token in Node.js
I want to build a server using Node.js, which acts as some kind of proxy. The clients that connect to my server use NTLMv2 for authentication (there is no chance to change this), but the upstream server my server shall connect to requires a Kerberos token.

So, my question is pretty simple: How do I, using Node.js, transform the information provided by NTLMv2 into a Kerberos token? On npm, so far I have found modules for NTLMv2 authentication, but I somehow would probably need to talk to Windows to translate NTLMv2 data of a user into a token for this user.

Any hints on this, how to approach this problem?

Sailboat answered 8/7, 2019 at 13:47 Comment(2)
Not really sure how this is possible as I'm not familiar with ntlmv2/kerberos. But do you really need to pass/transform the client's authentication information to kerberos for each proxied request? Maybe your node-server could just authenticate as a client to the kerberos-server upon startup and reuse the connection?Marybelle
The Node.js server is running as a Windows service and may serve multiple users, so unfortunately this is not an option.Sailboat

Absolutely not! NTLM and Kerberos operate completely differently. First of all, I would highly recommend getting rid of NTLM as fast as you can.

You can solve your problem in an easy fashion if you can access C interfaces. I also assume you use MIT Kerberos on a Unix-like OS like CentOS or FreeBSD, etc.

NTLM will provide you the downlevel logon name. You first need to convert the NetBIOS domain to a DNS domain via LDAP (use libopenldap), then you can construct the Kerberos principal or the enterprise principal for your client. Then create a service account in your KDC and enable protocol transition and constrained delegation on that account for the target service. Now request a TGT on behalf of that user principal and request a service ticket for the user; voila, you can access your Kerberos backend. Here is a decent read: https://k5wiki.kerberos.org/wiki/Projects/Services4User

If you run HTTPd as your reverse proxy, it might handle all the magic for you with mod_auth_gssapi.

On Windows, this is a bit of a pain with the security API and SSPI, while the principal transformation comes for free with Windows. You'll need LsaLogonUser with KERB_S4U_LOGON, impersonate with that handle and then require SSPI to acquire a cred handle...

Kast answered 8/7, 2019 at 19:47 Comment(5)
Thanks for your answer. Some parts are described very briefly, can you maybe extend your answer with a few more details, so that it becomes easier to understand for someone to whom most of these terms are new? IOW: Could you maybe add some more information, on why one needs to do this and that, and a few more details on how to do them?Sailboat
Which exactly...?Kast
Basically, all of them 😉Sailboat
This will take a while. I'd recommend to do some research. You will require to write native code to map that into JS space.Kast
In addition to @Kast's answer, here is a nice flowchart which shows why NTLM can't be converted to Kerberos: dzone.com/articles/… => Kerberos. In short: the Kerberos server gives the ticket to the client, which sends the ticket to the server for authentication.Republic
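As an added illustration of the first step in Kast's answer (turning the NTLM downlevel logon name into the principal names that the S4U2Self request needs), here is plain JavaScript that is not part of the answer. It assumes a constructed NetBIOS-to-DNS table in place of the LDAP lookup, and for UPN-form names it assumes the UPN suffix is the account's DNS domain (alternate UPN suffixes would need the same LDAP lookup):

```javascript
// Added example, not from the original answer: derive the Kerberos principal
// and enterprise principal from an NTLM downlevel logon name (DOMAIN\user).
//
// Assumption: this NetBIOS -> DNS map is constructed for the example. In
// production it is read over LDAP from the crossRef objects under
// CN=Partitions,CN=Configuration,<forest root> (nETBIOSName / dnsRoot).
const NETBIOS_TO_DNS = {
  CORP: "corp.example.com",
  LAB: "lab.example.net",
};

// Escape the characters that are special in the string form of a Kerberos
// principal ('\', '/', '@'), so an account name that contains one of them
// cannot change the structure of the principal we build.
function escapeComponent(s) {
  return s.replace(/[\\/@]/g, (c) => "\\" + c);
}

// Accept "DOMAIN\user" (downlevel form) or "user@dns.domain" (UPN form).
// Returns { domain, user, form } or throws on anything else.
function parseLogonName(name) {
  let m = /^([^\\@]+)\\([^\\@]+)$/.exec(name);
  if (m) return { domain: m[1], user: m[2], form: "downlevel" };
  m = /^([^\\@]+)@([^\\@]+)$/.exec(name);
  if (m) return { domain: m[2], user: m[1], form: "upn" };
  throw new Error(`unrecognised logon name: ${name}`);
}

// Map the NetBIOS domain to its DNS name. UPN-form names already carry a DNS
// domain (assumed here to equal the account's domain, see the lead-in).
function resolveDnsDomain(parsed) {
  if (parsed.form === "upn") return parsed.domain.toLowerCase();
  const dns = NETBIOS_TO_DNS[parsed.domain.toUpperCase()];
  if (!dns) throw new Error(`unknown NetBIOS domain: ${parsed.domain}`);
  return dns;
}

// Build the two spellings the answer mentions:
//  - plain principal       user@REALM            (realm = DNS domain, upper case)
//  - enterprise principal  user\@dns.domain@REALM (the whole UPN is one
//    component, so its inner '@' must be escaped)
function toKerberosPrincipals(logonName) {
  const parsed = parseLogonName(logonName);
  const dnsDomain = resolveDnsDomain(parsed);
  const realm = dnsDomain.toUpperCase();
  return {
    realm,
    principal: `${escapeComponent(parsed.user)}@${realm}`,
    enterprisePrincipal: `${escapeComponent(parsed.user + "@" + dnsDomain)}@${realm}`,
  };
}

// Constructed sample inputs, one in each accepted form.
for (const name of ["CORP\\alice", "bob@lab.example.net"]) {
  console.log(name, "->", toKerberosPrincipals(name));
}
```

The resulting strings are what you would hand to the S4U2Self call (the enterprise form when the user's realm is not known up front); the KDC-side settings the answer lists (protocol transition and constrained delegation on the service account) are still required for that call to succeed.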

If your KDC allows constrained delegation, you can set up your intermediate server to allow impersonation. This way it can establish a security context with the client in one mechanism (in your case, NTLM), and talk to the backend server on behalf of the client in another mechanism (Kerberos). Google for "constrained delegation" and "protocol transition" for more information. Hope this helps.

Mesic answered 18/7, 2019 at 6:36 Comment(2)
You are repeating what I wrote, why?Kast
Sorry, I saw your "absolutely not" first line and then started to write my answer. I didn't realize you actually provided a solution.Mesic