Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/5597573/

Time: 2020-09-03 15:27:19  Source: igfitidea

How to find if NTLM or Kerberos is used from WWW-Authenticate: Negotiate header

Tags: .net, kerberos, ntlm, negotiate, www-authenticate

Asked by IT Hit WebDAV

I am programming a client application in .Net that communicates with server via HTTP.

I need to set different request buffering options in case of NTLM and Kerberos authorization.

How to find out if NTLM or Kerberos is used? Is it possible to somehow decode 'WWW-Authenticate: Negotiate' header?

Answered by Taras Kozubski

You will find answer here.

Short answer is:

1. Capture a successfully authorized request using the Fiddler tool.
2. Choose the "Inspectors" -> "Headers" tab.
3. Pay attention to the "Cookies / Login" section, "Authorization" header.

If the Authorization token begins with "YII" then Kerberos is used, but if it begins with "TlR" then Kerberos is not used.

For example Kerberos:

Authorization: Negotiate YIIVDAYGKwYBE...

Not Kerberos:

Authorization: Negotiate TlRMTVNTUA...

Answered by Edward Thomson

Parsing a Negotiate header is sort of a tedious exercise as it's built using ASN.1 DER.

That said, you may not necessarily need to decode this however to make a good assumption about the payload. While there is a mechanism in GSSAPI for NTLM (more on that below), in my experience clients do not actually use it, they simply send NTLM headers. In my (admittedly strictly controlled) environment, if I see "Authorization: NTLM ..." then this is guaranteed to be NTLM. If I see "Authorization: Negotiate ..." then this is guaranteed to be Kerberos.

Strictly speaking, you should look at the mechanism list in the header to determine whether the mechanism was NTLM or Kerberos. I would recommend either using an off-the-shelf ASN.1 decoder, or looking at Microsoft's decoding example. You're going to want to look for the SPNEGO OID (1.3.6.1.5.5.2), then look for the mechanism type sequence within that. The first mechanism in the sequence corresponds to the response token payload, so you can look at that OID to determine the mechanism. Some known OIDs for Kerberos are:

1.2.840.113554.1.2.2 (Kerberos 5)
1.2.840.48018.1.2.2 (Microsoft Kerberos 5)
1.3.5.1.5.2 (Kerberos 5 OID 2)

To my knowledge, the only OID for NTLM is (referenced from this blog):

1.3.6.1.4.1.311.2.2.10 (NLMP NTLM)
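
The lookup described in the answer above (SPNEGO OID, then the first entry of the mechanism type sequence), combined with the raw NTLMSSP case from the first answer, as an added C# example that is not part of the original answers. The names Classify, Expect and ReadOid and the sample tokens are assumptions made for illustration; it uses top-level statements (C# 9 or later) and handles only the initial token of an exchange.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

var mechs = new Dictionary<string, string> {    // OIDs quoted in the answer above
    { "1.2.840.113554.1.2.2", "Kerberos 5" }, { "1.2.840.48018.1.2.2", "Microsoft Kerberos 5" },
    { "1.3.6.1.4.1.311.2.2.10", "NTLM" } };
// Constructed sample: SPNEGO NegTokenInit whose mechTypes list holds only Kerberos 5.
byte[] spnego = { 0x60, 0x1B, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02, 0xA0, 0x11, 0x30, 0x0F,
    0xA0, 0x0D, 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02 };
Console.WriteLine(Classify("Negotiate " + Convert.ToBase64String(spnego)));
Console.WriteLine(Classify("Negotiate TlRMTVNTUAA="));  // constructed: bare "NTLMSSP\0" signature

int Expect(byte[] b, ref int pos, int tag) {    // consume one DER header, return content length
    if (b[pos++] != tag) throw new FormatException("unexpected tag");
    int len = b[pos++];
    if (len < 0x80) return len;                 // short form
    int n = len & 0x7F;                         // long form: low 7 bits count the length bytes
    for (len = 0; n > 0; n--) len = (len << 8) | b[pos++];
    return len;
}

string ReadOid(byte[] b, ref int pos) {
    int len = Expect(b, ref pos, 0x06);
    var arcs = new List<long>();
    long v = 0;
    for (int end = pos + len; pos < end; pos++) {
        v = (v << 7) | (long)(b[pos] & 0x7F);
        if ((b[pos] & 0x80) != 0) continue;     // high bit set: arc continues in the next byte
        if (arcs.Count == 0) { arcs.Add(Math.Min(v / 40, 2)); v -= 40 * arcs[0]; }
        arcs.Add(v); v = 0;
    }
    return string.Join(".", arcs);
}

string Classify(string headerValue) {
    try {
        byte[] t = Convert.FromBase64String(headerValue.Substring(headerValue.IndexOf(' ') + 1));
        if (t.Length >= 8 && Encoding.ASCII.GetString(t, 0, 8) == "NTLMSSP\0") return "NTLM (raw NTLMSSP)";
        int pos = 0;
        Expect(t, ref pos, 0x60);               // GSS-API initial context token
        string oid = ReadOid(t, ref pos);
        if (oid == "1.3.6.1.5.5.2") {           // SPNEGO: [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
            foreach (int tag in new[] { 0xA0, 0x30, 0xA0, 0x30 }) Expect(t, ref pos, tag);
            oid = ReadOid(t, ref pos);          // first mechType names the mechanism of the payload
        }
        return mechs.TryGetValue(oid, out string name) ? name : "unknown (" + oid + ")";
    } catch (Exception e) when (e is FormatException || e is IndexOutOfRangeException) { return "unknown"; }
}
```

Bad Base64, truncated DER and tokens that do not start with the 0x60 tag all come back as "unknown", so a caller can fall back to its most conservative buffering option in that case.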

Answered by Michael-O

If the server advertises to use Negotiate, you are free to use Kerberos, NTLM or something that is supported by SPNEGO. Though, there is no guarantee that the server supports every wrapped auth method sent by the client.

Answered by user1133275

Yes; just Base64 decode it and you will see "NTLM" or "HTTP".

C#

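// v holds the header value, e.g. "Negotiate TlRMTVNTUA..." (no colon after the scheme name)
// Decode the token bytes as ASCII; BitConverter.ToString would produce hex digits ("4E-54-4C-4D"), which never contain "NTLM"
v = System.Text.Encoding.ASCII.GetString(Convert.FromBase64String(v.Replace("Negotiate ", "")));
if (v.IndexOf("NTLM") > -1) {
    //...
}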