How to use NTLM authentication with Active Directory

Problem description:

I am trying to implement NTLM authentication on one of our internal sites and everything is working. The one piece of the puzzle I do not have is how to take the information from NTLM and authenticate with Active Directory.

There is a good description of NTLM (http://www.innovation.ch/personal/ronald/ntlm.html) and the encryption used for the passwords, which I used to implement this, but I am not sure of how to verify if the user's password is valid.

I am using ColdFusion but a solution to this problem can be in any language (Java, Python, PHP, etc).

Edit:

I am using ColdFusion on Redhat Enterprise Linux. Unfortunately we cannot use IIS to manage this and instead have to write or use a 3rd party tool for this.

Update - I got this working, here is what I did

I went with the JCIFS library from samba.org.

Note that the method below will only work with NTLMv1 and DOES NOT work with NTLMv2. If you are unable to use NTLMv1 you can try Jespa, which supports NTLMv2 but is not open source, or you can use Kerberos/SPNEGO.

Here is my web.xml:

<web-app>
    <display-name>Ntlm</display-name>

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>

        <init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>dc01.corp.example.com</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>CORP.EXAMPLE.COM</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/admin/*</url-pattern>
    </filter-mapping>
</web-app>

Now all URLs matching /admin/* will require NTLM authentication.

What you're really asking is: Is there any way to validate the "WWW-Authenticate: NTLM" tokens submitted by IE and other HTTP clients when doing Single Sign-On (SSO). SSO is when the user enters their password a "single" time when they do Ctrl-Alt-Del and the workstation remembers and uses it as necessary to transparently access other resources without prompting the user for a password again.

Note that Kerberos, like NTLM, can also be used to implement SSO authentication. When presented with a "WWW-Authenticate: Negotiate" header, IE and other browsers will send SPNEGO wrapped Kerberos and / or NTLM tokens. More on this later but first I will answer the question as asked.

The only way to validate an NTLMSSP password "response" (like the ones encoded in "WWW-Authenticate: NTLM" headers submitted by IE and other browsers) is with a NetrLogonSamLogon(Ex) DCERPC call with the NETLOGON service of an Active Directory domain controller that is an authority for, or has a "trust" with an authority for, the target account. Additionally, to properly secure the NETLOGON communication, Secure Channel encryption should be used and is required as of Windows Server 2008.

Needless to say, there are very few packages that implement the necessary NETLOGON service calls. The only ones I'm aware of are:

  1. Windows (of course)

  2. Samba - Samba is a set of software programs for UNIX that implements a number of Windows protocols including the necessary NETLOGON service calls. In fact, Samba 3 has a special daemon for this called "winbind" that other programs like PAM and Apache modules can (and do) interface with. On a Red Hat system you can do a yum install samba-winbind and yum install mod_auth_ntlm_winbind. But that's the easy part - setting these things up is another story.

  3. Jespa - Jespa (http://www.ioplex.com/jespa.html) is a 100% Java library that implements all of the necessary NETLOGON service calls. It also provides implementations of standard Java interfaces for authenticating clients in various ways such as with an HTTP Servlet Filter, SASL server, JAAS LoginModule, etc.

Beware that there are a number of NTLM authentication acceptors that do not implement the necessary NETLOGON service calls but instead do something else that ultimately leads to failure in one scenario or another. For example, for years, the way to do this in Java was with the NTLM HTTP authentication Servlet Filter from a project called JCIFS. But that Filter uses a man-in-the-middle technique that has been responsible for a long-standing "hiccup bug" and, more important, it does not support NTLMv2. For these reasons and others it is scheduled to be removed from JCIFS. There are several projects that have been unintentionally inspired by that package that are now also equally doomed. There are also a lot of code fragments posted in Java forums that decode the header token and pluck out the domain and username but do absolutely nothing to actually validate the password responses. Suffice it to say, if you use one of those code fragments, you might as well walk around with your pants down.

As I alluded to earlier, NTLM is only one of several Windows Security Support Providers (SSP). There's also a Digest SSP, Kerberos SSP, etc. But the Negotiate SSP, which is also known as SPNEGO, is usually the provider that MS uses in their own protocol clients. The Negotiate SSP actually just negotiates either the NTLM SSP or Kerberos SSP. Note that Kerberos can only be used if both the server and client have accounts in the target domain and the client can communicate with the domain controller sufficiently to acquire a Kerberos ticket. If these conditions are not satisfied, the NTLM SSP is used directly. So NTLM is by no means obsolete.

Finally, some people have mentioned using an LDAP "simple bind" as a make-shift password validation service. LDAP is not really designed as an authentication service and for this reason it is not efficient. It is also not possible to implement SSO using LDAP. SSO requires NTLM or SPNEGO. If you can find a NETLOGON or SPNEGO acceptor, you should use that instead.

Mike
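As an added example, not code from the question, the answer, JCIFS or Jespa: a Python parser for the Type 3 token carried in the "Authorization: NTLM" header, which shows why the forum fragments the answer warns about are unsafe, since the token yields only the claimed domain, user, workstation and the NTLMv1/NTLMv2 flavour, and nothing in it confirms the password without a NETLOGON acceptor. The build_type3 helper (a minimal layout without Version/MIC) and cp437 for the OEM string encoding are assumptions of this example.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # MS-NLMP flag: string fields are UTF-16LE


def _field(buf, offset):
    """Resolve an MS-NLMP (Len, MaxLen, BufferOffset) descriptor to the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, offset)
    if start + length > len(buf):
        raise ValueError("field descriptor points outside the message")
    return buf[start:start + length]


def parse_type3(header_value):
    """Decode an 'Authorization: NTLM <base64>' value into its AUTHENTICATE_MESSAGE fields.

    This only reveals who the client claims to be and which NTLM flavour it used; it
    proves nothing about the password. The NtChallengeResponse can only be checked by
    a domain controller (NetrLogonSamLogon) or a service that holds the account's hash.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP Type 3 (AUTHENTICATE) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"  # cp437 for OEM is an assumption
    nt_resp = _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        # NTLMv1 is a fixed 24-byte DES response; NTLMv2 is a 16-byte NTProofStr plus a variable blob
        "ntlm_version": 1 if len(nt_resp) == 24 else 2,
        "password_validated": False,  # nothing here checked the response against a DC
    }


def build_type3(domain, user, workstation, nt_response, lm_response=b"\x00" * 24):
    """Construct a minimal Type 3 message (unicode strings, no Version/MIC) as constructed sample input."""
    parts = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fixed = b"NTLMSSP\x00" + struct.pack("<I", 3)
    offset = 64  # 8-byte signature + 4-byte type + 6 descriptors of 8 bytes + 4-byte flags
    for part in parts:  # descriptor order per MS-NLMP: LM, NT, domain, user, workstation, session key
        fixed += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    fixed += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(fixed + b"".join(parts)).decode("ascii")
```

A filter can use the ntlm_version field to refuse NTLMv1 tokens up front and then hand the raw token to a NETLOGON-backed acceptor such as the ones listed in the answer.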