Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test NTLM on Linux > Windows on CI #54104

Closed
wants to merge 5 commits into from
Closed

Test NTLM on Linux > Windows on CI #54104

wants to merge 5 commits into from

Commits on Jun 12, 2021

  1. Fix NTLM authentication from macOS to Windows machines 

    The GSSAPI implementation on macOS has partially broken NTLM implementation. It only supports NTLMv2 with the message integrity code (MIC) as specified by the MS-NLMP specification. The MIC is calculated using HMAC-MD5 authentication code over the exchanged NTLM messages with a key named ExportedSessionKey. The proper generation of ExportedSessionKey requires the implementation to negotiate correct capabilities, namely NTLMSSP_NEGOTIATE_KEY_EXCH and at least one of NTLMSSP_NEGOTIATE_SIGN or NTLMSSP_NEGOTIATE_SEAL flags. By default the macOS implementation negotiates NTLMSSP_NEGOTIATE_KEY_EXCH and sends MIC but fails to set one of the additional flags that would make the key exchange valid. This results in violation of the following part of the NTLM specification:

"A session key MUST always exist to generate the MIC (section 3.1.5.1.2) in the authenticate message. NTLMSSP_NEGOTIATE_ALWAYS_SIGN MUST be set in the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client."

Adding the GSS_C_INTEG_FLAG flag forces macOS to properly negitiate all the necessary flags (NTLMSSP_NEGOTIATE_ALWAYS_SIGN and NTLMSSP_NEGOTIATE_SIGN) to make the MIC exchange valid. This in turn enables the whole NTLM exchange to be recognized as valid by Windows server side.

The gss-ntlmssp package on Linux interprets the GSS_C_INTEG_FLAG flag as additional negotiation of NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_KEY_EXCH. That should not hurt anything and in fact it may improve security depending on specific configuration. The flag was already specified when NTLM was used by System.Net.Mail.SmtpClient.
    @filipnavara
    filipnavara committed Jun 12, 2021
    Configuration menu
    Copy the full SHA
    03914f7 View commit details
    Browse the repository at this point in the history

  2. Add temporary test to verify NTLM and Negotiate connections from all … 

    …platforms

Notably this is expected to fail on Android and tvOS where GSSAPI is not available.

The test machine is single purpose virtual machine running in Azure with clean Windows Server 2019 installation and all the patches. It hosts IIS with single static page behind an NT authentication. The test account and the machine itself is disposable and does NOT contain any sensitive data. Nevertheless I don't expect this test to be merged.
    @filipnavara
    filipnavara committed Jun 12, 2021
    Configuration menu
    Copy the full SHA
    abf44ce View commit details
    Browse the repository at this point in the history

  3. Use full domain name in test credentials

    @filipnavara
    filipnavara committed Jun 12, 2021
    Configuration menu
    Copy the full SHA
    ea4dc61 View commit details
    Browse the repository at this point in the history

  4. Revert "Fix NTLM authentication from macOS to Windows machines" 

    This reverts commit 03914f7.
    @filipnavara
    filipnavara committed Jun 12, 2021
    Configuration menu
    Copy the full SHA
    26f7880 View commit details
    Browse the repository at this point in the history

  5. Add test run with both domain name variations

    @filipnavara
    filipnavara committed Jun 12, 2021
    Configuration menu
    Copy the full SHA
    46c871a View commit details
    Browse the repository at this point in the history