looking for a way to provide non-interactive authe - WeOnlyDo Discussion board

looking for a way to provide non-interactive authe (wodWebServer / wodWebServer.NET)

by cedral, Wednesday, September 06, 2006, 03:30 (6653 days ago)

NTLM should provide this but since it appears to be implemented to allow you to provide your own LANMANAGER security provider rather than against an existing one.
Am I not seeing something or would the com dll need to be extended for this? Is the COM dll using sspi internally for authentication? If so could some way be setup for it to support negotiate against a specified security provider?

Any help appreciated. I am working for David Keenan/Errol Siegel at Serengeti Systems.

Re: looking for a way to provide non-interactive a

by wodDrazen, Wednesday, September 06, 2006, 08:50 (6653 days ago) @ cedral

Hi,


wodWebServer's AuthenticationType Property allows you to use NTLM authentication.
If you set AuthenticationType Property to AuthNTLM wodWebServer will use NTLM authentication.

If you also set Authentication property to AuthRequired, client then *must* provide his credentials to access resources on your server. Failing to do so will cause 'Forbidden' response to be returned to him automatically.

When client tries to authenticate, UserAuthenticate event will fire where you must set Action argument to Accept or Deny. If you set it to Deny then wodWebServer will automatically redirect response to 'Forbidden' response. When set to Allow, wodWebServer will proceed as usual - firing RequestDone event to handle and send response.

More help for AuthenticationType Property you can find here:
http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~wodWebServer~AuthenticationType.html

More help for Authetication Property you can find here:
http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~wodWebServer~Authentication.html

for UserAuthentication Event here:
http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~wodWebServer~UserAuthenticate_EV.html

Hope I helped.


Regards,
Drazen

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 06, 2006, 17:09 (6653 days ago) @ wodDrazen


From UserAuthenticate...

Case AuthNTLM
If User.Login = something And User.Password = User.TestNTLMResponse( something ) Then
Action = Allow
Else
Action = Deny
End If

This appears to require me to know the password to hash and compare with the incoming hash. Since I want to authenticate against a domain I won't know the password to use for the comparison. Am I misinterpreting something ?

Re: looking for a way to provide non-interactive a

by wodDamir, Wednesday, September 06, 2006, 18:32 (6653 days ago) @ cedral

Hi Cedral,

If you wish to authenticate by user domain, you can use Domain Property inside UserAuthenticate Event.

I.e. you could do something like this:

If User.Login = user_login And User.Domain = user_domain Then
Action = Allow
Else
Action = Deny
End If

This way you wouldn't need to check/know user password in order to authenticate.

Hope this helps.

Regards,
Damba

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 06, 2006, 21:55 (6653 days ago) @ wodDamir

That doesn't seem like a good idea unless you are saying that the user has already been authenticated against the domain inside wodWebServer before UserAuthenticate is called. I can't just believe them when they tell me they are part of the domain. I have to verify it, either with ntlm challenge/response, in which I will never know their password or with kerberos ticket verification, in which I will never know their password.

Now of course sspi provides an abstracted interface using the negotiate protocol to authenticate at an abstracted level without dealing with the details of the specific system (kerberos/ntlm) used. which is why I asked about it.

Re: looking for a way to provide non-interactive a

by wodSupport, Wednesday, September 06, 2006, 23:21 (6653 days ago) @ cedral

I see the problem. NTLM doesn't send plaintext (nor you can retrieve it) password from the client, and if you also don't know if on server's side, you can't correctly authenticate.

I'm not sure how to accomplish this. I have to read few docs to see how to workaround this problem. Will see how easy/hard it would be to update wodWebServer to support such cases.

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Friday, September 08, 2006, 02:42 (6651 days ago) @ wodSupport

Cool, let me know what your find.

Re: looking for a way to provide non-interactive a

by cedral, Monday, September 11, 2006, 20:03 (6648 days ago) @ cedral

Any news on this?

Re: looking for a way to provide non-interactive a

by wodSupport, Monday, September 11, 2006, 20:07 (6648 days ago) @ cedral

Unfortunatelly no. I didn't find any docs on how to call LogonUser API without knowing actual password, and I never receive it from remote side.

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Tuesday, September 12, 2006, 20:35 (6647 days ago) @ wodSupport

You wouldn't be able to it that way. However there is an API specifically for this purpose provided by MS. SSPI, I think that stands for standard security provider interface. There is good article on how to use it over at msdnmag. It lists http as one of the protocols it can be piggy backed on.

http://msdn.microsoft.com/msdnmag/issues/0800/security/

Any chance of getting this implemented in your WebServer and HttpDLX?

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 20, 2006, 23:13 (6639 days ago) @ cedral

So whats the word? is this doable?

Re: looking for a way to provide non-interactive a

by wodSupport, Wednesday, September 20, 2006, 23:25 (6639 days ago) @ cedral

Grof's doing it. I should hear from him soon about results.

Kreso

Re: looking for a way to provide non-interactive a

by wodSupport, Monday, September 25, 2006, 01:39 (6635 days ago) @ wodSupport

Done! There is now UseNTAuthentication property that should take care of all of that. Can you check it out?

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Monday, September 25, 2006, 02:41 (6634 days ago) @ wodSupport

Yes, give me a day or so. Did you put the client side into the HttpDLX object?

Re: looking for a way to provide non-interactive a

by wodSupport, Monday, September 25, 2006, 08:26 (6634 days ago) @ cedral

I'm not sure I understand. wodHttpDLX supports NTLM long time ago, what additional code is required?

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 27, 2006, 00:03 (6633 days ago) @ wodSupport

I need a little more detail on how this is setup to work.
That usentauthentication is a property of which object? What is the chain of events when it succeeds or fails? Does UserAuthenticate still get called? basically where in the chain of events is this and what does it do to the events?

Re: looking for a way to provide non-interactive a

by wodSupport, Wednesday, September 27, 2006, 01:06 (6633 days ago) @ cedral

You should check out helpfile at

http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~WebUser~UseNTAuthentication.html

I think it should help you understand how it works.

Regards,
Kreso