looking for a way to provide non-interactive authe - WeOnlyDo Discussion board

looking for a way to provide non-interactive authe (wodWebServer / wodWebServer.NET)

by cedral, Wednesday, September 06, 2006, 03:30 (6445 days ago)

NTLM should provide this, but it appears to be implemented to allow you to provide your own LAN Manager security provider rather than to authenticate against an existing one.
Am I not seeing something, or would the COM DLL need to be extended for this? Is the COM DLL using SSPI internally for authentication? If so, could some way be set up for it to support Negotiate against a specified security provider?

Any help appreciated. I am working for David Keenan/Errol Siegel at Serengeti Systems.

Re: looking for a way to provide non-interactive a

by wodDrazen, Wednesday, September 06, 2006, 08:50 (6445 days ago) @ cedral

Hi,


wodWebServer's AuthenticationType property allows you to use NTLM authentication.
If you set the AuthenticationType property to AuthNTLM, wodWebServer will use NTLM authentication.

If you also set the Authentication property to AuthRequired, the client then *must* provide his credentials to access resources on your server. Failing to do so will cause a 'Forbidden' response to be returned to him automatically.

When the client tries to authenticate, the UserAuthenticate event will fire, where you must set the Action argument to Accept or Deny. If you set it to Deny, wodWebServer will automatically redirect the response to a 'Forbidden' response. When set to Allow, wodWebServer will proceed as usual, firing the RequestDone event to handle and send the response.

You can find more help for the AuthenticationType property here:
http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~wodWebServer~AuthenticationType.html

More help for the Authentication property is here:
http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~wodWebServer~Authentication.html

and for the UserAuthenticate event here:
http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~wodWebServer~UserAuthenticate_EV.html

Hope I helped.


Regards,
Drazen

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 06, 2006, 17:09 (6444 days ago) @ wodDrazen


From UserAuthenticate...

    Case AuthNTLM
        ' Only works if the server already knows the clear-text password
        ' to hash and compare against the client's NTLM response
        If User.Login = something And User.Password = User.TestNTLMResponse(something) Then
            Action = Allow
        Else
            Action = Deny
        End If

This appears to require me to know the password to hash and compare with the incoming hash. Since I want to authenticate against a domain, I won't know the password to use for the comparison. Am I misinterpreting something?

Re: looking for a way to provide non-interactive a

by wodDamir, Wednesday, September 06, 2006, 18:32 (6444 days ago) @ cedral

Hi Cedral,

If you wish to authenticate by user domain, you can use the Domain property inside the UserAuthenticate event.

I.e. you could do something like this:

    ' Compares only the login and domain names the client claims
    If User.Login = user_login And User.Domain = user_domain Then
        Action = Allow
    Else
        Action = Deny
    End If

This way you wouldn't need to check/know the user's password in order to authenticate.

Hope this helps.

Regards,
Damba

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 06, 2006, 21:55 (6444 days ago) @ wodDamir

That doesn't seem like a good idea unless you are saying that the user has already been authenticated against the domain inside wodWebServer before UserAuthenticate is called. I can't just believe them when they tell me they are part of the domain. I have to verify it, either with NTLM challenge/response, in which I will never know their password, or with Kerberos ticket verification, in which I will never know their password.

Now of course SSPI provides an abstracted interface, using the Negotiate protocol, to authenticate without dealing with the details of the specific system (Kerberos/NTLM) used, which is why I asked about it.

Re: looking for a way to provide non-interactive a

by wodSupport, Wednesday, September 06, 2006, 23:21 (6444 days ago) @ cedral

I see the problem. NTLM doesn't send the plaintext password from the client (nor can you retrieve it), and if you also don't know it on the server's side, you can't correctly authenticate.

I'm not sure how to accomplish this. I have to read a few docs to see how to work around this problem. Will see how easy/hard it would be to update wodWebServer to support such cases.

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Friday, September 08, 2006, 02:42 (6443 days ago) @ wodSupport

Cool, let me know what you find.

Re: looking for a way to provide non-interactive a

by cedral, Monday, September 11, 2006, 20:03 (6439 days ago) @ cedral

Any news on this?

Re: looking for a way to provide non-interactive a

by wodSupport, Monday, September 11, 2006, 20:07 (6439 days ago) @ cedral

Unfortunately no. I didn't find any docs on how to call the LogonUser API without knowing the actual password, and I never receive it from the remote side.

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Tuesday, September 12, 2006, 20:35 (6438 days ago) @ wodSupport

You wouldn't be able to do it that way. However, there is an API specifically for this purpose provided by MS: SSPI, which I think stands for standard security provider interface. There is a good article on how to use it over at MSDN Magazine. It lists HTTP as one of the protocols it can be piggybacked on.

http://msdn.microsoft.com/msdnmag/issues/0800/security/

Any chance of getting this implemented in your WebServer and HttpDLX?

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 20, 2006, 23:13 (6430 days ago) @ cedral

So what's the word? Is this doable?

Re: looking for a way to provide non-interactive a

by wodSupport, Wednesday, September 20, 2006, 23:25 (6430 days ago) @ cedral

Grof's doing it. I should hear from him soon about results.

Kreso

Re: looking for a way to provide non-interactive a

by wodSupport, Monday, September 25, 2006, 01:39 (6426 days ago) @ wodSupport

Done! There is now a UseNTAuthentication property that should take care of all of that. Can you check it out?

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Monday, September 25, 2006, 02:41 (6426 days ago) @ wodSupport

Yes, give me a day or so. Did you put the client side into the HttpDLX object?

Re: looking for a way to provide non-interactive a

by wodSupport, Monday, September 25, 2006, 08:26 (6426 days ago) @ cedral

I'm not sure I understand. wodHttpDLX has supported NTLM for a long time; what additional code is required?

Kreso

Re: looking for a way to provide non-interactive a

by cedral, Wednesday, September 27, 2006, 00:03 (6424 days ago) @ wodSupport

I need a little more detail on how this is set up to work.
That UseNTAuthentication is a property of which object? What is the chain of events when it succeeds or fails? Does UserAuthenticate still get called? Basically, where in the chain of events is this, and what does it do to the events?

Re: looking for a way to provide non-interactive a

by wodSupport, Wednesday, September 27, 2006, 01:06 (6424 days ago) @ cedral

You should check out the help file at

http://www.weonlydo.com/WebServer/Help/WODWEBSERVERLib~WebUser~UseNTAuthentication.html

I think it should help you understand how it works.

Regards,
Kreso