Forum Discussion

kjc
Aug 10, 2010

How to accept Kerberos credentials but not NTLM

Are you security minded? You think it is high time that NTLM went away?

You have an SSO product that can use the IIS Windows-domain user authentication, but NTLM gives you heartburn and you'd like IIS to only accept Kerberos?

You've searched high and low and found some different methods of accepting these sessions from trusted partners or browsers, but don't feel that it adequately addresses the NTLM problem and blatantly ignores a growing segment of the population using Mac OS X and Linux that could do Kerberos if given a chance?

So what if I were to tell you there is a simple way to fix your broken IIS server? Would you jump for joy?
The caveats are:

1. Your alternative OSes should be joined to the domain and have Kerberos tickets for the users.

2. Your alternative browsers should be configured to do the Kerberos/Negotiate method of authentication.

-- or --

You need an alternate way to log in those users to your SSO platform who fail the Kerberos test (an SSL form).

You probably want the alternate login method anyway.
We use the Cafesoft Cams SSO system. It's dependable, extendable, and affordable compared to some others (Siteminder).

So here's the deal: I have my SSO all set up with a login page that is an SSL-secured, form-based page. I want to add the one-click log-me-in with the user's desktop credentials if they exist on Windows, Mac, or Linux.

I had the developer create a .NET login page that interacts with Cams to log them in. It's working beautifully, and now it is time to prevent NTLM requests and use the SSL form if they don't have a Kerberos ticket.
Here's my simple iRule:

when HTTP_RESPONSE {
    # IIS answers a 401 with both a "Negotiate" and an "NTLM" challenge;
    # swap the NTLM offer for Negotiate so the browser never sees NTLM
    if { [HTTP::header WWW-Authenticate] contains "NTLM" } {
        HTTP::header replace WWW-Authenticate "Negotiate"
    } else {
        return
    }
}
Basically, the braindead IIS server sends back two WWW-Authenticate headers that tell the browser "Hey, I accept Negotiate and NTLM". This iRule replaces the NTLM value with a second Negotiate. It would be nice to just delete the NTLM 'line', but that resulted in deleting both values, so I settled with the client getting Negotiate twice. It is working perfectly.

Clients that do not support Negotiate are shown the 401 error page from the IIS server. I would suggest doing a custom page that links them back to your SSL login page.

It's not perfect. A local user (no Kerberos) on a Windows box using IE automatically offers his base64 credentials like an NTLM response. The same user does not in Firefox with the config changes that enable Kerberos/Negotiate, so it's an IE thing.

What do you think? Do you see any improvements or flaws?
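The header rewrite described in the post, and the IE fallback it notes, modelled in Python as an added example (not the poster's iRule and not F5 or Cafesoft code): it drops the NTLM challenge from a 401's header list without losing the Negotiate one, and classifies what a client sends back, flagging NTLM that arrives under the Negotiate scheme. The header list and tokens are constructed samples, not captures; the OID and NTLMSSP constants are the standard encodings.

```python
import base64

# DER-encoded mechanism OIDs found inside a SPNEGO/GSS-API initial token
KRB5_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"     # 1.2.840.113554.1.2.2
MS_KRB5_OID_DER = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"  # 1.2.840.48018.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # starts every NTLM message; base64 begins "TlRMTVNT"

def strip_ntlm_challenge(headers):
    """Remove the 'NTLM' offer from a 401's (name, value) header list, keeping 'Negotiate'.
    Working on the list of pairs avoids the problem the post hit, where removing one
    WWW-Authenticate header removed both. An NTLM-only challenge becomes Negotiate."""
    kept = [(n, v) for n, v in headers
            if not (n.lower() == "www-authenticate" and v.strip().upper().startswith("NTLM"))]
    removed_one = len(kept) != len(headers)
    has_negotiate = any(n.lower() == "www-authenticate" and v.strip().lower().startswith("negotiate")
                        for n, v in kept)
    if removed_one and not has_negotiate:
        kept.append(("WWW-Authenticate", "Negotiate"))
    return kept

def classify_authorization(value):
    """Classify an Authorization header: 'kerberos', 'ntlm', 'ntlm-in-negotiate' or 'other'.
    'ntlm-in-negotiate' is the IE behaviour the post describes: an NTLM token carried
    under the Negotiate scheme, which a check on the scheme name alone would accept."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "other"
    if NTLMSSP_SIGNATURE in raw:          # raw NTLM, or NTLM wrapped in SPNEGO
        return "ntlm-in-negotiate"
    if raw[:1] == b"\x60" and (KRB5_OID_DER in raw or MS_KRB5_OID_DER in raw):
        return "kerberos"                 # GSS-API token naming a Kerberos mechanism
    return "other"

# Constructed samples (not captures): IIS's two challenges, a raw NTLM type-1 token,
# and a minimal GSS-API token carrying only the Kerberos OID.
SAMPLE_IIS_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM"),
                  ("Content-Length", "0")]
SAMPLE_NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)).decode()
SAMPLE_KRB_TOKEN = base64.b64encode(b"\x60\x0b" + KRB5_OID_DER).decode()

if __name__ == "__main__":
    print(strip_ntlm_challenge(SAMPLE_IIS_401))
    print(classify_authorization("Negotiate " + SAMPLE_KRB_TOKEN))
    print(classify_authorization("Negotiate " + SAMPLE_NTLM_TOKEN))
```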