Forum Discussion

Kraig_52305
Nov 20, 2013

Negotiated Login Using NTLM

Without using Kerberos I would like to have Windows domain users using Internet Explorer automatically provide a username and password so APM can perform a group lookup and authenticate the user. If they fail the group lookup or authentication they would be directed to a form to log in. I have no problems with the group lookup if APM has the username in a variable, or with the fallback to a form. What I am having problems with is that I am unable to get the 401 Negotiate to send APM the NTLM username and password.

For clarification, I would like the flow to look like this: HTTP 401, browser automatically presents username and password (NTLM?), then APM looks up group membership based on the username. If the user is in the group, APM will then authenticate via LDAPS. If the group lookup fails or authentication fails, the fallback will be a login form.

5 Replies

  • Unfortunately, that flow is not possible - there are some technical issues with the way NTLM works, and this does not allow us to fall back to forms-based authentication after a failed NTLM attempt.

    That said, I am still trying to understand the use case - are you authenticating users against the same directory backend? Let's just say, for example, that what you were asking above was possible, and you could get to a login page after a failed NTLM attempt - what would that user be authenticated against? Once I understand what exactly you are trying to achieve, I can hopefully offer a workable solution.

    • Kraig_52305
      What I am really looking for is to obtain the username of anyone hitting a site. From that username I can do group lookups. The use case is shared workstations hitting sites that allow all authenticated users, where there is no way to tell which user is actually hitting the site. When a standard user account is seen, pass the user through. If the account is a shared workstation account, I need to force a login with a unique login and SSO them to the server. This way all interactions with the site are with the unique account and the machine account.
  • In that case, you can try to run the Windows Info checker, which will inspect and capture the user account name that is currently logged into Windows. The value will be stored in the session.windows_info_os.last.user variable. Then, you can check the value of that variable and branch out into NTLM-based or forms-based auth, depending on whether it is a shared account or not.
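The branching the reply describes, as an added example that is not part of the thread or of F5's own documentation: an APM branch-rule expression (advanced tab of the branch rule, which uses `mcget` to read session variables) evaluated after the Windows Info checker has populated `session.windows_info_os.last.user`. The shared-workstation naming pattern `ws-*` is a constructed assumption, as is the handling of both `DOMAIN\user` and `user@domain` forms of the captured name.

```tcl
# Added example (not from the thread). Branch-rule expression for the
# "shared workstation" branch of the decision box that follows the
# Windows Info checker.
# Assumptions (constructed, not from the thread):
#   - shared-workstation accounts are named "ws-<something>";
#   - the captured name may arrive as DOMAIN\user or user@domain,
#     so an optional domain prefix and suffix are stripped before matching.
# Result: 1 -> shared account, send to the forms-based logon branch;
#         0 -> personal account, send to the NTLM branch.
expr {
    [regexp -nocase {^(?:[^\\]+\\)?(ws-[^@]+)(?:@.*)?$}
        [mcget {session.windows_info_os.last.user}]]
}
```

The Windows Info checker value is reported by the client, so it is only used here to pick a branch; the identity actually trusted for SSO still comes from the NTLM or forms-based authentication step that follows on each branch.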