winapi - NTLM Authorization in Perl -

-

i trying implement ntlm authorisation web server written in perl (or perhaps xs module). understanding should work in following way:

c -> s: s -> c: 401, www-authenticate: ntlm c -> s: get, authorization: ntlm [type1 message] s -> c: 401, www-authenticate: ntlm [type2 message] c -> s: get, authorization: ntlm [type3 message]  if s.check([type3 message]):   s -> c: 200 else:   s -> c: 401

to generate type3 message have used both authen::perl::ntlm , authen::ntlm::http, both of these seem generate messages fine, however, offer no functionality check type3 message.

my next step has been try , use win32::intauth authenticate ntlm token. this have been running in trouble, developer , other snippets of information found searching module should able authenticate ntlm binary token.

the module wraps around win32 api calls, namely acquirecredntialshandle, acceptsecuritycontext, completeauthtoken , impersonatesecuritycontext.

unfortunately attempts authenticate ntlm token have failed @ acceptsecuritycontext either sec_e_invalid_token or sec_e_insufficient_memory leading me suggest ntlm token isn't correct. below snippets of code show methods.

# other code ... if (not defined $headers->header('authorization')) {     inithandshake($response);  } else {      $authheader = $headers->header('authorization');     if ($authheader =~ m/^ntlm\s(.+)$/i) {          $message = $1;         if (length($message) == 56) {             handletype1($response, $message);         } else {             handletype3($response, $message);         }     } else {         printf "error - unable pull out ntlm message.\n";         print $authheader . "\n";     } }  ...  sub handletype3 {     $response = shift();     $message = shift();     print "handletype3 - ", $message, "\n";     $auth = win32::intauth->new(debug => 1);     $token = $auth->get_token_upn(decode_base64($message)) or die                             "couldn'timpersonate user, ", $auth->last_err_txt();     print "hurrargh. user ", $auth->get_username(), " authed!\n";     $response->status(200); }  ..

the full code can viewed here: http://codepad.org/cpmwnfru

i managed working bastardizing win32::intauth (which believe has bug in it). wasn't holding partial context created during creation of type 2 token, , fact there error in win32::intauth:

my $buf_size     = 4096; $sec_inbuf    = pack("l l p$buf_size", $buf_size, secbuffer_token, $token);

this causing token error wasn't correct length of token, therefore:

my $sec_inbuf    = pack("l l p" . length($token), length($token), secbuffer_token, $token);

produced correct results.

the previous code changed to:

... sub handletype1 {     $response = shift();     $message = shift();                                    print "handletype1 - |", ${$message}, "|\n";     $challenge = acceptsecuritycontext(${$message});     ${$response}->status(401);     ${$response}->header("www-authenticate" => "ntlm " . $challenge); } ... sub handletype3 {     $response = shift();                    $message = shift();     print "handletype3 - ", ${$message}, "\n";     if (acceptsecuritycontext(${$message})) {         ${$response}->status(200);     } else {         ${$response}->status(401);     } } ...

acceptsecuritycontext function follows pseudoish code:

credentials = win32->acquirecredentialshandle(...) challenge = win32->acceptsecuritycontext(credentials, token, globalctx ? globalctx : 0, ...)

hopefully helps people might in similar boat. feel free contact me full demo.


Comments

Post a Comment

Popular posts from this blog

c# - How to get the current UAC mode -

-
can check current uac type set in device before running application through c#. i got know approach check whether current user administrator or not. but, need know uac type set (i.e. default/never notify) internal logic. is possible? please help. this article self-elevation , checking level program runs in. due security reasons i'm afraid won't able retrieve uac level set. http://code.msdn.microsoft.com/windowsdesktop/csuacselfelevation-644673d3
Read more

postgresql - Lazarus + Postgres: incomplete startup packet -

-
i've been building lazarus pascal program using postgresql on back-end. used work fine following lines opening db. dbconn:= tpqconnection.create(nil); dbconn.hostname := 'localhost'; dbconn.databasename:= 'dbhrs'; dbconn.username:='mizk'; dbconn.password:='123'; dbconn.open; if dbconn.connected openhrsdb := true else openhrsdb := false; but moment change localhost server's ip (on lan), program stops. no errors or warnings. have no clue happening. here related details may narrow down problem. the program i'm running workstation on same lan server. both machines run ubuntu 12.04 desktop i can access postgres db on server using pgadmin iii, guess it's not firewall issue. i have allowed postgresql ufw , ufw disabled. strangely, when firewall disabled, can ssh server terminal using workstation. when it's enabled, can't my biggest concern right why pascal program not working when i...
Read more

javascript - Ajax jqXHR.status==0 fix error -

-
$.ajax({ url: urlstring, datatype: "json", type: "get", success: function (data) { alert(data); }, error: function (jqxhr, exception) { if (jqxhr.status === 0) { alert('not connect.\n verify network.'); } else if (jqxhr.status == 404) { alert('requested page not found. [404]'); } else if (jqxhr.status == 500) { alert('internal server error [500].'); } else if (exception === 'parsererror') { alert('requested json parse failed.'); } else if (exception === 'timeout') { alert('time out error.'); } else if (exception === 'abort') { alert('ajax request aborted.'); } else { alert('uncaught error.\n' + jqxhr.responsete...
Read more