NTLM authentication

webrod

Dear All,

let's say I have a web service.
I would like to authenticate users who try to access it.
I am on a winnt server so I will have to use NTLM but I don't want to
use IIS settings.

Is there a way to authenticate a user using WSE 3.0 against NTLM??

All the samples I have found on the web provide a solution based on
IIS.

Thanks for your answer

Rod
 
Mark Rae

let's say I have a web service.
I would like to authenticate users who try to access it.
I am on a winnt server so I will have to use NTLM but I don't want to
use IIS settings.

Is there a way to authenticate a user using WSE 3.0 against NTLM??

All the samples I have found on the web provide a solution based on
IIS.

Is the webservice on the public internet...?
 
Mark Rae

no, not all.

OK - well, that certainly makes it easier.

So, then, presumably a user logs onto their workstation with their Windows
domain userid & password and then runs a desktop app (or maybe browses the
corporate intranet) which references a webservice running on a webserver in
the same domain as the user...? Is this right...?

What do you want to "know" next? Once you know what you need to know, what
do you need to do with that information...?
 
Willy Denoyette [MVP]

webrod said:
Dear All,

let's say I have a web service.
I would like to authenticate users who try to access it.
I am on a winnt server so I will have to use NTLM but I don't want to
use IIS settings.

Is there a way to authenticate a user using WSE 3.0 against NTLM??

All the samples I have found on the web provide a solution based on
IIS.

Thanks for your answer

Rod

AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?

Willy.
 
webrod

thank you very much for your answer Mark.

What I want to know is a way to check a user credential against a NTLM
database.

Suppose I log on a workstation with BOB, then I want to start my .NET
application which access a web service as ALICE user.
My application will open a LOGIN form, then I want to provide ALICE
credential (login/pwd) to the web service.
Then my WS needs to check that the user (ALICE) really exists and check
the password.
(and if possible it should check the roles for authorization purpose
but I don't know yet if you can associate a role to a user with NTLM).

Actually, I am starting a project where my customers can have:
- AD (I use kerberos) => this is done
- ADAM (I do a LDAP bind against ADAM) => this is done
- winnt: I need to use NTLM (??) => this is in progress ;)

I don't want to use IIS setting, I would like to use something like
WSE.

Rod
 
webrod

AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?


Willy,

I think you're right, I read somewhere that NTLM is not a public
protocol, that's why it is not supported by WSE.
So I am still wondering how I can check a user credential against a
NTLM database without IIS.

Is there something like a LDAP bind (as I did with ADAM)??

Thanks for your help.

Rod
 
webrod

AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?

I forgot to answer to your question.
I can't use kerberos because I am on a Winnt system based on NTLM not
kerberos.
Or I misunderstood something again...??

Rod
 
Willy Denoyette [MVP]

webrod said:
Willy,

I think you're right, I read somewhere that NTLM is not a public
protocol, that's why it is not supported by WSE.

Well, WSE3.0 is just an interim solution, WCF is the way to go and this one supports NTLM
authentication.

So I am still wondering how I can check a user credential against a
NTLM database without IIS.
NTLM database?
You mean authenticating using NTLM.
Is there something like a LDAP bind (as I did with ADAM)??
ADAM does not hold Windows identities, so can't be used here.


Willy.
 
Willy Denoyette [MVP]

webrod said:
I forgot to answer to your question.
I can't use kerberos because I am on a Winnt system based on NTLM not
kerberos.

I don't get it, this is a local intranet and you are only running SQL on a server which is
not a Domain member and you want to authenticate windows (local) accounts using NTLM (that
is SQL integrated security)?
Well, I'm afraid the answer is - you can't use WSE 3.0 without IIS hosting for this. One
(the best long term) option is to use WCF, which supports SSPI and SPNEGO, that means it can
authenticate using Kerberos and fallback to NTLM when not available.
Another option is to drop your DAL into a COM+ server application (using
System.EnterpriseServices) and use ADAM with LDAP "authentication" in order to implement
role based authorization. The COM+ server can run with "Windows" account credentials having
access to SQL server. Note that you'll need to use SSL authentication between the client and
the WSE service, if you want to make this secure; it makes little sense to protect SQL
access when one can catch the clear text password traveling between client and server.



Willy.
 
Mark Rae

- winnt: I need to use NTLM (??) => this is in progress ;)

I don't want to use IIS setting, I would like to use something like
WSE.

Ah, in which case, I think you might be out of luck as I don't believe WSE
supports NTLM authentication - have you considered WCF...?
 
webrod

Well, WSE3.0 is just an interim solution, WCF is the way to go and this one supports NTLM
authentication.

okay so I will read more information about WCF
NTLM database?
You mean authenticating using NTLM.

actually I don't know how to say it :(
In Winnt, I guess the users are stored in a SAM database, right?
So is there a way to check a user credential against a SAM database??
Or, how can I check a user credential on winnt?
ADAM does not hold Windows identities, so can't be used here.

OK, I don't use ADAM, it was just an example :)
Actually I use ADAM only if the customer who will buy the product do
not have a domain (workgroup) but this is another problem.
In my current configuration, this is a WinNT system, so I do not have
AD nor ADAM.
I have a SAM database and I was wondering If I could bind the SAM to
authenticate a user (like I would do it with ADAM).

Suppose you have this credential : ALICE / ALICE_PWD
How do you check if this user (ALICE) really exists in the domain
(in the SAM database) and if the password (ALICE_PWD) is the right
one??
Maybe it's impossible, I don't know.

Thanks again for your time and your answer.
Rod
 
webrod

I don't get it, this is a local intranet and you are only running SQL on a server which is
not a Domain member and you want to authenticate windows (local) accounts using NTLM (that
is SQL integrated security)?

SQL? Why are we speaking about SQL? :)

Actually, I have users who belong to a domain (WinNT).
So I have users in the SAM database.
Now what I want is to check that a user really exists in this DB with a
.NET script.
So I would like a way to query the SAM database OR to bind the SAM
database.
Well, I'm afraid the answer is - you can't use WSE 3.0 without IIS hosting for this.

Yes, IIS is hosting my Web Service (the WS has to check the user
credential to provide access to the WS or not).
I am not saying that IIS is not hosting my WS, I am just saying that I
would like to have a solution without using IIS settings.

Rod
 
webrod

Mark said:
Ah, in which case, I think you might be out of luck as I don't believe WSE
supports NTLM authentication - have you considered WCF...?

not yet, you're right. Regarding WSE, it was an example. We can forget
it.

Rod
 
Mark Rae

Actually, I have users who belong to a domain (WinNT).
So I have users in the SAM database.
Now what I want is to check that a user really exists in this DB with a
.NET script.
So I would like a way to query the SAM database OR to bind the SAM
database.

Is *that* all you want to do...? I.e. validate a login and password...?

Why don't you just do this:

using System.DirectoryServices;

public static bool Logon(string pstrDomain, string pstrUser, string pstrPassword)
{
    try
    {
        // Opening the entry with the supplied credentials makes the directory perform
        // an LDAP bind; touching NativeObject forces that bind to happen now, and a
        // wrong user name or password surfaces as a COMException.
        using (DirectoryEntry objADEntry = new DirectoryEntry("LDAP://" + pstrDomain, pstrUser, pstrPassword))
        {
            return !objADEntry.NativeObject.Equals(null);
        }
    }
    catch (System.Runtime.InteropServices.COMException)
    {
        return false;
    }
    catch (Exception)
    {
        throw;
    }
}
 
Willy Denoyette [MVP]

webrod said:
SQL? Why are we speaking about SQL? :)

Sorry got confused by the NTLM database ;-)
Actually, I have users who belong to a domain (WinNT).
So I have users in the SAM database.

Yep, NT4 Domains shiver.
Now what I want is to check that a user really exists in this DB with a
.NET script.
So I would like a way to query the SAM database OR to bind the SAM
database.
Don't consider the SAM a database you can access, it's part of the NT security system and
actually it's the security system (LSA) that performs the check by authenticating, just like
IIS is doing.

Yes, IIS is hosting my Web Service (the WS has to check the user
credential to provide access to the WS or not).
I am not saying that IIS is not hosting my WS, I am just saying that I
would like to have a solution without using IIS settings.

IIS has everything in place to authenticate (provided it is correctly configured) a user
account using NTLM, something WSE is lacking.

Willy.
 
Willy Denoyette [MVP]

Mark Rae said:
Is *that* all you want to do...? I.e. validate a login and password...?

Why don't you just do this:

using System.DirectoryServices;

public static bool Logon(string pstrDomain, string pstrUser, string pstrPassword)
{
    try
    {
        using (DirectoryEntry objADEntry = new DirectoryEntry("LDAP://" + pstrDomain, pstrUser, pstrPassword))
        {
            return !objADEntry.NativeObject.Equals(null);
        }
    }
    catch (System.Runtime.InteropServices.COMException)
    {
        return false;
    }
    catch (Exception)
    {
        throw;
    }
}



Won't work, the OP is in a Windows NT4 domain not an ActiveDirectory domain, there is no
LDAP server on the DC. Also, using above (DirectoryServices aka. ActiveDirectory) to
authenticate a windows user is bad practice, I keep saying this.

Willy.
 
Mark Rae

Won't work, the OP is in a Windows NT4 domain not an ActiveDirectory
domain, there is no LDAP server on the DC.

My mistake - apologies for not reading the OP closely enough...
Also, using above (DirectoryServices aka. ActiveDirectory) to
authenticate a windows user is bad practice, I keep saying this.

Why? What would you recommend instead...?
 
webrod

Don't consider the SAM a database you can access, it's part of the NT security system and
actually it's the security system (LSA) that performs the check by authenticating, just like
IIS is doing.

OK, so how can I ask LSA to authenticate a user credential?
IIS has everything in place to authenticate (provided it is correctly configured) a user
account using NTLM, something WSE is lacking.

ok, but what If I don't want to use IIS settings?
Actually, I tell you that because we are in the first days of the
projects.
We are sure that the client and the server will use Microsoft
technology, but maybe we are going to use JBOSS (!!) on the server side
or another server, but not a Microsoft one (so maybe we will not use
IIS).

That's why I would like to find a solution without using IIS settings
even if, today, we are using IIS.

So, maybe the solution is LSA?

Rod
 
Willy Denoyette [MVP]

Willy Denoyette said:
Sorry got confused by the NTLM database ;-)


Just to eliminate possible confusion, you have a NT4 domain and with a number of domain
members (servers/workstations) right?
You have WSE 3.0 clients connecting to WSE 3.0 services over a local network, and you want
to authenticate the client using NTLM, this because Kerberos is not an option (NT4 domain).
Now, WSE does not support NTLM network authentication, but you would like to authenticate
the clients (windows users). Well, network authentication is not possible at all, simply
there is no authentication handshake between the WSE server and client.
The only possibility you have to validate a user in such scenario is by passing the username
and password from the client to the server and let the server perform the "validation" of
the credentials supplied, but keep in mind that passing clear text secrets is insecure.
Validating the user at the webservice can be done by calling the Win32 API LogonUser(),
using the username, password and domain collected from the client as arguments. Note that
calling LogonUser has a serious drawback, it needs TCB privileges on W2K and lower. Note
also that the purpose of LogonUser is to authenticate and return an access token which can
be used to impersonate the caller, but I don't read this is a requirement.
You could also opt for a simple authentication scheme against a local identity store like
ADAM (sure this needs W2K3 or XP SP2), you could even authenticate against the NT4 DC over
NTLM using a ProxyUserObject in ADAM, but I seriously doubt this is all worth the trouble,
you are not authenticating end to end anyway.

Willy.
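The LogonUser() approach Willy describes, worked through as an added example. This is not code from the thread or from Microsoft; the class and method names, the domain name NT4DOMAIN and the ALICE / ALICE_PWD credentials are placeholders of mine. It hands the user name, domain and password the client supplied to the LSA, which performs the NTLM (or, on an AD domain, Negotiate) validation exactly as IIS would, and it reads the group memberships off the returned token so the "role" question from earlier in the thread can be answered from the same call. Windows and .NET Framework 2.0 or later are assumed; as Willy notes, on Windows 2000 and earlier the calling process also needs the "Act as part of the operating system" (SeTcbPrivilege) right, which XP and 2003 no longer require.

```csharp
// Added example, not code from this thread: validate a user name and password against an
// NT4 domain (or the local SAM) by asking the LSA through the Win32 LogonUser() API, and
// collect the groups from the returned token for role-based authorization.
// Assumes Windows and .NET Framework 2.0+. Domain, user and password below are placeholders.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public sealed class LogonResult
{
    public bool Valid;       // true when the LSA accepted the user name and password
    public string[] Groups;  // group names read from the logon token (empty when !Valid)
}

public static class SamCredentialCheck
{
    // Constants from winbase.h / winerror.h.
    private const int LOGON32_LOGON_NETWORK = 3;     // no interactive session or profile load
    private const int LOGON32_PROVIDER_DEFAULT = 0;  // NTLM on NT4, Negotiate on an AD domain
    private const int ERROR_LOGON_FAILURE = 1326;    // "unknown user name or bad password"

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                         int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Returns Valid == false only for a wrong user name or password. Every other failure
    // (DC unreachable, account locked out or disabled, missing privilege) is thrown as a
    // Win32Exception so that an outage is never reported to the caller as "bad password".
    public static LogonResult Validate(string domain, string user, string password)
    {
        LogonResult result = new LogonResult();
        result.Groups = new string[0];

        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_LOGON_FAILURE)
                return result;
            throw new Win32Exception(err);
        }

        try
        {
            result.Valid = true;
            // The token already carries the user's group SIDs, so authorization can be
            // decided here without a second lookup against the domain.
            WindowsIdentity identity = new WindowsIdentity(token);
            List<string> names = new List<string>();
            foreach (IdentityReference sid in identity.Groups)
            {
                try
                {
                    names.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    names.Add(sid.Value);  // keep the raw SID when the name cannot be resolved
                }
            }
            result.Groups = names.ToArray();
        }
        finally
        {
            CloseHandle(token);  // WindowsIdentity duplicated the handle, so ours can go
        }
        return result;
    }

    public static void Main()
    {
        // Placeholder credentials; in the real service they come from the client's login form.
        LogonResult r = Validate("NT4DOMAIN", "ALICE", "ALICE_PWD");
        Console.WriteLine(r.Valid ? "credentials accepted" : "credentials rejected");
        foreach (string g in r.Groups)
            Console.WriteLine("  member of " + g);
    }
}
```

LOGON32_LOGON_NETWORK is the right logon type for a service that only wants a yes/no answer: it does not require the "log on locally" right and does not load a profile, and the token it yields is enough for group checks (a WindowsPrincipal built on the identity would give IsInRole). Distinguishing ERROR_LOGON_FAILURE from every other error code matters operationally, because a down DC that is mapped to "wrong password" both misleads users and hides an outage from monitoring. None of this changes Willy's point about transport: the password travels from the client to the service in clear text unless the WSE channel itself is protected with SSL/TLS.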
 