NTLMv1 authentication fails over LDAP (SASL/GSS-SPNEGO)

  • Question

  • Hello,

     

    I have a deployment which boils down to the following -


    |  WinXp  |  <======>  |  Web Server  |  <======>  |  Win2k3 Server  |
       [PC]                      [WS]                         [AD]

     

     

    The user on the PC (IE 8.0) tries to access pages on WS and is granted access only after the user authenticates to the AD over LDAP. The message sequence followed here is quite similar to Section 4.1 in [MS-NTHT] - http://msdn.microsoft.com/en-us/library/cc237488%28v=prot.10%29.aspx

    1. [PC] => [WS] :: GET  index.html

    2. [WS] => [PC] :: 401 Unauthorized; www-authenticate: NTLM

    3. [PC] => [WS] :: GET  index.html; Authorization: NTLM TlRMT...[type-1]

    4. [WS] => [AD] :: Bind request (SASL; mechanism: GSS-SPNEGO) NTLMSSP_NEGOTIATE

    5. [AD] => [WS] :: Bind response(saslBindInProgress) NTLMSSP_CHALLENGE

    6. [WS] => [PC] :: 401 Unauthorized; www-authenticate: NTLM TlRMT...[type-2]

    7. [PC] => [WS] :: GET  index.html; Authorization: NTLM TlRMT...[type-3]

    8. [WS] => [AD] :: Bind request (US\jimsasl) NTLMSSP_AUTH; NTLM response; LM response

    9. [AD] => [WS] :: Bind response (invalidCredentials); 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece

     

    The AD always returns "invalidCredentials" despite the username/password being correct (verified multiple times). The web server is copying the NTLM messages byte-by-byte from HTTP to LDAP and vice-versa. I have also verified that the web server copies the NTLM messages correctly.

     

    Any ideas how to debug this issue?

     

    Thanks in advance,

    Puneeth.

    Monday, July 18, 2011 6:28 PM
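As an added example that is not part of the original post: a small [MS-NLMP] decoder for the base64 NTLM tokens carried in steps 3 to 8, so the type-2 the DC returns in step 5 can be compared field by field with the type-2 the web server forwards in step 6 (and likewise the type-3 in steps 7 and 8). The sample messages, the flag value and the names US/jim/WS01 are constructed here, not taken from the poster's traces.

```python
import base64
import struct
SIGNATURE = b"NTLMSSP\x00"
# Per [MS-NLMP] message type: name, offset of NegotiateFlags, and (field, offset of its Len/MaxLen/BufferOffset descriptor)
LAYOUT = {
    1: ("NEGOTIATE", 12, [("DomainName", 16), ("Workstation", 24)]),
    2: ("CHALLENGE", 20, [("TargetName", 12), ("TargetInfo", 40)]),
    3: ("AUTHENTICATE", 60, [("LmChallengeResponse", 12), ("NtChallengeResponse", 20),
        ("DomainName", 28), ("UserName", 36), ("Workstation", 44), ("EncryptedRandomSessionKey", 52)]),
}

def decode(token: str) -> dict:
    """Parse one base64 NTLM token (HTTP Authorization header or LDAP SASL credential)."""
    raw = base64.b64decode(token)
    assert raw.startswith(SIGNATURE), "not an NTLMSSP message"
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    name, flags_off, fields = LAYOUT[msg_type]
    (flags,) = struct.unpack_from("<I", raw, flags_off)
    enc = "utf-16-le" if msg_type != 1 and flags & 1 else "latin-1"  # type-1 strings are OEM; bit 0 = UNICODE
    out = {"type": name, "flags": hex(flags)}
    for fname, off in fields:
        length, _maxlen, boff = struct.unpack_from("<HHI", raw, off)
        value = raw[boff:boff + length]
        out[fname] = value.decode(enc) if fname in ("DomainName", "Workstation", "TargetName", "UserName") else value.hex()
    if msg_type == 2:
        out["ServerChallenge"] = raw[24:32].hex()
    return out

def compare(token_a: str, token_b: str) -> list:
    """Decoded fields that differ (e.g. type-2 from the DC vs. type-2 sent to the browser)."""
    a, b = decode(token_a), decode(token_b)
    return [k for k in a if a.get(k) != b.get(k)]

def build(msg_type: int, items: list) -> str:
    """Constructed-sample helper: bytes go into the fixed part; ('f', data) adds a descriptor."""
    fixed_len = 12 + sum(8 if isinstance(i, tuple) else len(i) for i in items)
    fixed, payload = b"", b""
    for item in items:
        if isinstance(item, bytes):
            fixed += item
        else:  # 8-byte descriptor in the fixed part, data appended to the payload
            fixed += struct.pack("<HHI", len(item[1]), len(item[1]), fixed_len + len(payload))
            payload += item[1]
    return base64.b64encode(SIGNATURE + struct.pack("<I", msg_type) + fixed + payload).decode()

U = lambda s: s.encode("utf-16-le")  # noqa: E731
FLAGS = struct.pack("<I", 0xE0088205)  # constructed flag set; bit 0 = NTLMSSP_NEGOTIATE_UNICODE
SAMPLE_CHALLENGE = build(2, [("f", U("US")), FLAGS, bytes.fromhex("0123456789abcdef"), bytes(8), ("f", b"")])
SAMPLE_AUTH = build(3, [("f", bytes(24)), ("f", bytes(24)), ("f", U("US")), ("f", U("jim")),
                        ("f", U("WS01")), ("f", b""), FLAGS])
```

Feed `compare()` the token from the LDAP bind response and the token from the 401 header of the same exchange; an empty list confirms the web server relayed the message unchanged, and any names listed show where the copy diverged.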

Answers

  • Forum Update

    --------------------------

    This issue was resolved offline and the following reply solved the customer's problem:

    --------------------------------------------------------------------------------------------------------

    Hi Puneeth:

    Your deployment is similar to a man in the middle attack called reflection. When I looked at your traces, I noticed that you are using the same system as client and DC. As such, the server receives the same AUTHENTICATE_MESSAGE that it generated as client. There are checks against this type of attack and authentication will not be successful.

     

    In case of your successful case, while still a type of man in the middle attack, it goes through since the client and server are different systems (as far as I can tell by looking at your network traces).

     

    The solution is to not use the same system for both client and server. If for some reason this is not possible, you can use the methods suggested in the following knowledge base article. Please be informed that following the article will lower your security and will make your server vulnerable to malicious attacks.

     

     

    http://support.microsoft.com/kb/914060


    Regards, Obaid Farooqi
    Monday, September 12, 2011 3:00 PM
    Owner

All replies

  • Hi Puneeth:

    I will help you with this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi
    Monday, July 18, 2011 8:44 PM
    Owner
  • Hi Puneeth:

    Are you able to bind to DC directly, say by using ldp.exe for the same user?

    Please send me the network traces from PC to WS and from WS to DC. You can send the traces to dochelp <at> microsoft <dot> com to my attention.


    Regards, Obaid Farooqi
    Wednesday, July 20, 2011 3:32 PM
    Owner
  • Hi Obaid,

     

    Yes, I am able to bind to the DC directly for the same user, using NTLM as the method in the Bind options:

     

    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 4230); // v.3
        {NtAuthIdentity: User='ryan'; Pwd= <unavailable>; domain = 'us.isrg2'.}
    Authenticated as dn:'ryan'.

     

    I have sent the packet captures as requested. Meanwhile, is there any way I can enable event viewer auditing for NTLM/LDAP bind?

     

    Thanks,

    Puneeth.
    Thursday, July 21, 2011 5:16 AM