This article is a mirror of a machine translation of the original article.


Windows NTLM Authentication Protocol Process

Posted on 2020-9-5 13:28:14
IIS offers several authentication methods. One of them is Integrated Windows Authentication, which uses the Negotiate scheme to select Kerberos or NTLM and authenticates users with Kerberos tickets or NTLM challenge/response messages passed between the browser and the server.

The most common place to meet NTLM authentication is probably the browser, over HTTP. Strictly speaking, however, NTLM only specifies the authentication steps and the message format; it is not tied to any particular carrier protocol, so it has no necessary connection with HTTP. The browser simply carries the NTLM messages in HTTP headers (WWW-Authenticate: NTLM from the server, Authorization: NTLM from the client) and the authentication rides on top of the request. HTTP is usually plaintext, and sending a password directly over it would be very insecure; NTLM avoids that problem because the password itself never crosses the wire, only a response computed from a hash of it. This does not make plaintext HTTP safe, though: a captured challenge/response pair can be cracked offline against password guesses, and without TLS and message signing the exchange can be relayed to another server, so NTLM over HTTP should still be wrapped in HTTPS.

Authentication process



NTLM authentication is completed in three messages (negotiate, challenge, authenticate); the detailed HTTP request sequence can be viewed with Fiddler.
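As an added illustration of how the challenge rides on the HTTP header (this is example code written for this page, not code from the original post and not Microsoft's): the block below builds a CHALLENGE_MESSAGE in the MS-NLMP 2.2.1.2 layout, wraps it in a WWW-Authenticate header the way a server would, and then parses that header the way you would parse one copied out of a Fiddler capture, recovering the server challenge and target info in the clear. The domain name, server name, challenge bytes and Version field are constructed values.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
# NegotiateFlags bits (MS-NLMP 2.2.2.5) that a Type 2 message typically sets.
FLAG_UNICODE, FLAG_REQUEST_TARGET, FLAG_NTLM = 0x00000001, 0x00000004, 0x00000200
FLAG_TARGET_TYPE_DOMAIN, FLAG_TARGET_INFO, FLAG_VERSION = 0x00010000, 0x00800000, 0x02000000
HEADER_LEN = 56  # fixed fields of CHALLENGE_MESSAGE including the 8-byte Version


def av_pair(av_id: int, text: str) -> bytes:
    """One AV_PAIR: AvId (2 bytes), AvLen (2 bytes), UTF-16LE value."""
    data = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def build_challenge_message(server_challenge: bytes, target_name: str, target_info: bytes) -> bytes:
    """Server side (step 2): CHALLENGE_MESSAGE per MS-NLMP 2.2.1.2, layout only."""
    assert len(server_challenge) == 8
    flags = (FLAG_UNICODE | FLAG_REQUEST_TARGET | FLAG_NTLM
             | FLAG_TARGET_TYPE_DOMAIN | FLAG_TARGET_INFO | FLAG_VERSION)
    name = target_name.encode("utf-16-le")
    name_off = HEADER_LEN
    info_off = name_off + len(name)
    version = struct.pack("<BBHxxxB", 10, 0, 0, 0x0F)  # constructed Version field
    return (NTLMSSP
            + struct.pack("<I", 2)                                   # MessageType = CHALLENGE
            + struct.pack("<HHI", len(name), len(name), name_off)    # TargetNameFields
            + struct.pack("<I", flags)                               # NegotiateFlags
            + server_challenge                                       # ServerChallenge, 8 bytes
            + b"\x00" * 8                                            # Reserved
            + struct.pack("<HHI", len(target_info), len(target_info), info_off)  # TargetInfoFields
            + version + name + target_info)


def parse_challenge_header(header_value: str) -> dict:
    """Client/analyst side: decode 'NTLM <base64>' from WWW-Authenticate and pull the
    plaintext fields out. Raises ValueError for anything that is not a Type 2 message
    (including the bare 'NTLM' that the server sends on the very first 401)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(token)
    if len(msg) < 48 or msg[:8] != NTLMSSP or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    server_challenge = msg[24:32]
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    av_pairs = {}
    pos = info_off
    while pos + 4 <= info_off + info_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        av_pairs[av_id] = msg[pos:pos + av_len]
        pos += av_len
    return {
        "flags": flags,
        "server_challenge": server_challenge,
        "target_name": msg[name_off:name_off + name_len].decode("utf-16-le"),
        "av_pairs": av_pairs,
    }


def is_ntlm_challenge_header(header_value: str) -> bool:
    try:
        parse_challenge_header(header_value)
        return True
    except ValueError:
        return False


# Constructed sample: what a server might send after the client's Type 1 message.
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_TARGET_INFO = av_pair(2, "CORP") + av_pair(1, "FILESRV") + struct.pack("<HH", 0, 0)
SAMPLE_HEADER = "NTLM " + base64.b64encode(
    build_challenge_message(SAMPLE_CHALLENGE, "CORP", SAMPLE_TARGET_INFO)).decode("ascii")

if __name__ == "__main__":
    parsed = parse_challenge_header(SAMPLE_HEADER)
    print("WWW-Authenticate:", SAMPLE_HEADER)
    print("server challenge (plaintext on the wire):", parsed["server_challenge"].hex())
    print("target:", parsed["target_name"],
          {k: v.decode("utf-16-le") for k, v in parsed["av_pairs"].items()})
```

Paste the base64 token from a real WWW-Authenticate header into parse_challenge_header to see the same fields from a live capture; everything it prints was readable by anyone on the path, which is the point of the plaintext warning above.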






Step 1

The user logs in to the client host by entering a Windows account name and password. At logon the client computes the NT hash of the entered password (MD4 over the UTF-16LE encoding of the password) and caches that; the plaintext password is discarded ("the original password must never be cached" is a basic security rule). When a user who has logged on to the client Windows machine tries to access a server resource, the client sends a request to the server. The request contains the username in plaintext.

Step 2

When the server receives the request, it generates an 8-byte (64-bit) random value called the challenge, or nonce (the ServerChallenge field of the CHALLENGE_MESSAGE). The server stores the challenge before sending it to the client, because it will need it again in step 4. The challenge is sent in plaintext.


Step 3

When the client receives the challenge from the server, it computes a response over the challenge keyed with the password hash cached in step 1 (NTLMv1 DES-encrypts the challenge using the NT hash as key material; NTLMv2 computes an HMAC-MD5 over the challenge and a client-supplied blob). The client then sends this response to the server.


Step 4

After receiving the response from the client, the server forwards an authentication request to the domain controller (DC) over the Netlogon secure channel. The request carries three things: the client's username, the original challenge the server sent, and the client's response (the challenge encrypted with the client's password hash).


Steps 5 and 6

The DC looks up the account's stored password hash by username and computes the expected response for the original challenge. If it matches the response forwarded by the server, the user knows the correct password and verification succeeds; otherwise it fails. The DC returns the result to the server, which finally passes it back to the client.
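The whole exchange above, as an added example written for this page (not the original post's code and not Microsoft's): client, server and DC are plain Python functions, and the response is computed the NTLMv2 way (HMAC-MD5 keyed with NTOWFv2, MS-NLMP 3.3.2) so it runs with the standard library alone; MD4 is implemented inline because OpenSSL 3 builds of Python often refuse it in hashlib. The account, domain, password, challenge bytes and target info are constructed. The DC never sees a password, only hashes, and the final check shows why the server must remember the challenge it sent: the same response verified against a different challenge is rejected.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for i in range(16):  # round 1: words in order
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12, 1,5,9,13, ...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Step 1: what the client caches at logon. The plaintext is discarded."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 of UPPER(user)+domain keyed with the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pair(av_id: int, text: str) -> bytes:
    data = text.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


# Constructed target info the server advertises: NetBIOS domain (2), NetBIOS server (1), EOL (0).
TARGET_INFO = av_pair(2, "CORP") + av_pair(1, "FILESRV") + struct.pack("<HH", 0, 0)


def client_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """Step 3: NTLMv2 response = NTProofStr || blob, with
    NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    blob = (b"\x01\x01" + b"\x00" * 6          # RespType, HiRespType, reserved
            + struct.pack("<Q", timestamp)     # FILETIME; fixed to 0 here for determinism
            + client_challenge                 # 8 bytes chosen by the client
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


# Constructed directory: the DC stores NT hashes, never passwords.
DC_DIRECTORY = {("CORP", "alice"): nt_hash("Winter2020!")}


def dc_verify(user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Steps 5-6: recompute NTProofStr from the stored hash and the server's own
    copy of the challenge, then compare in constant time."""
    stored = DC_DIRECTORY.get((domain, user))
    if stored is None or len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange(user: str, domain: str, typed_password: str,
                 server_challenge=None, client_challenge=None) -> bool:
    """Steps 1-6 end to end. Username and challenge cross the wire in plaintext;
    the password never does."""
    cached = nt_hash(typed_password)                       # step 1 (client)
    server_challenge = server_challenge or os.urandom(8)   # step 2 (server): 8 bytes, kept for step 4
    client_challenge = client_challenge or os.urandom(8)
    response = client_response(cached, user, domain, server_challenge,
                               client_challenge, 0, TARGET_INFO)  # step 3 (client)
    return dc_verify(user, domain, server_challenge, response)     # steps 4-6 (server -> DC -> server)


if __name__ == "__main__":
    print("correct password:", run_exchange("alice", "CORP", "Winter2020!"))
    print("wrong password:  ", run_exchange("alice", "CORP", "Summer2020!"))
```

Only the first 16 bytes of the response (NTProofStr) depend on the password; the blob after it is sent in the clear, which is exactly what makes a captured challenge/response pair crackable offline when it travels over plaintext HTTP.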





