Wim ten Brink (Netherlands) asked:
[Indy][Urgent] TidHTTP and Integrated Windows authentication

Okay... I have a webserver that's controlled by Spikey the system administrator, God of Paranoia... He allows me access to one single URL on the server, on port 80. And to access this URL I will also have to authenticate myself.

So I used "Basic authentication" with my tidHTTP component on the client but that did not please Him. He demanded that I support "Digest authentication" and "Integrated Windows authentication" in my client also. So now I am back to studying again...

What I have: a client application that asks for a username and password of a Windows user account that can be authenticated on this server. I have no control over the webserver in any way. Yet I need to call this URL on the webserver to make sure the user account entered by the client is a valid user account on the server. And I MUST do this by using this URL since it will control who can be authenticated and who still has no control. And the use of the Indy 9 TidHTTP component is another requirement.

It should not be too difficult but I am in a hurry about this. Because once I'm done with this and shown Spikey that I can access his server this way, he will make things a bit more complicated by introducing a proxy... But I think I can easily handle that proxy thingie... My current problem is authentication so that needs to be solved now. I'm not interested in proxy issues for now...
sfock:

Hi Alex,

you have bad luck, I guess. TIdHttp implements only one authentication method: basic.
Any other method must be implemented. But there is a good interface for this implementation (take a look at the docu). Probably it will be a good idea to make a google search, maybe someone has opened the auth implementation you need.
If not you should try to find docu or find out what the IIS and the IE are doing. Therefore I'd write a debug web server:
1. connect yourself to an IIS and capture the response of the server
2. write a small App using the TIdHttpServer and let it send the IIS's response
3. connect to your little new server with an IE and capture its requests

go ahead this way until you understand what to do

hope that helps a little
Wim ten Brink (asker):
Well, I'm hoping that at least one person has done this before. But apparently it's a bit more difficult than this... I did find this link:
http://localhost/iishelp/iis/misc/default.asp?jumpurl=../htm/core/iiabasc.htm#challenge
and wow... It's a local system page that I didn't know about. :-) If you have IIS 5 on your system, it will probably exist on your system too... :-) Unfortunately, now I'm at home and the version at home is in Dutch.

Well, I have to start digging into NTLM and Kerberos because if no one else knows the answer, I will have to find it myself in the next four days... :-(
Oh, well... I'm a trained expert. I have done the impossible before... ;-)
From the doc:

Digest authentication offers the same functionality as Basic authentication. However, Digest authentication is a security improvement in the way that a user's credentials are sent across the network. Digest authentication transmits credentials across the network as an MD5 hash, also known as a message digest, where the original user name and password cannot be deciphered from the hash. Digest authentication is available to Web Distributed Authoring and Versioning (WebDAV) directories.

Integrated Windows authentication (formerly called NTLM, also referred to as Windows NT Challenge/Response authentication) is a secure form of authentication because the user name and password are hashed before being sent across the network. When you enable Integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server, involving hashing.

Integrated Windows authentication uses Kerberos v5 authentication and NTLM authentication. If Active Directory Services is installed on a Windows 2000 or later domain controller and the user's browser supports the Kerberos v5 authentication protocol, Kerberos v5 authentication is used; otherwise, NTLM authentication is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000 Distributed Services architecture. For Kerberos v5 authentication to be successful, both the client and the server must have a trusted connection to a Key Distribution Center (KDC) and be Directory Services compatible. For more information about Kerberos and NTLM, see the Windows XP online documentation.

Yep. I've read that documentation too... I'm even browsing through two books and some C++ code to see how to do this in Delphi. Not an easy thing. Too bad it's hard to find a working example to do this... I'm amazed that no one else has even looked at this... Or maybe Indy 10 will offer this feature... (Will be out soon, but still a bit too late...)

Or perhaps I just have to look deeper in the WinINet unit and related functions...
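The Digest exchange the quoted IIS documentation describes, as an added example that is not from this thread or from Indy: the client turns the WWW-Authenticate challenge into a `response` hash (RFC 2617, MD5, qop=auth), and the server checks it against a stored HA1 without ever seeing the password. The challenge is the one printed in RFC 2617 section 3.5; the `nc` and `cnonce` defaults are constructed constants, a real client increments `nc` and picks a fresh `cnonce` per request.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Sample challenge, copied from the example in RFC 2617 section 3.5.
SAMPLE_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def parse_digest_params(header: str) -> Dict[str, str]:
    """Split 'Digest k1="v1", k2=v2, ...' into a dict; works for both header directions."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    # Values may be quoted (realm, nonce) or bare (nc=00000001, algorithm=MD5).
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}

def digest_response(user: str, password: str, method: str, uri: str, chal: Dict[str, str],
                    nc: str = "00000001", cnonce: str = "0a4f113b") -> Tuple[str, Optional[str]]:
    """Client side: HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri), then the final digest."""
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    qop = "auth" if "auth" in chal.get("qop", "").split(",") else None
    if qop:  # RFC 2617 form: nonce count and client nonce are mixed in
        return md5_hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:{qop}:{ha2}"), qop
    return md5_hex(f"{ha1}:{chal['nonce']}:{ha2}"), None  # older RFC 2069 form, no qop

def authorization_header(user: str, password: str, method: str, uri: str, chal: Dict[str, str],
                         nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """Client side: the Authorization header value sent with the retried request."""
    response, qop = digest_response(user, password, method, uri, chal, nc, cnonce)
    parts = [f'username="{user}"', f'realm="{chal["realm"]}"', f'nonce="{chal["nonce"]}"', f'uri="{uri}"']
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    parts.append(f'response="{response}"')
    if "opaque" in chal:  # echoed back unchanged, as the server asked
        parts.append(f'opaque="{chal["opaque"]}"')
    return "Digest " + ", ".join(parts)

def server_verify(auth_header: str, stored_ha1: str, method: str) -> bool:
    """Server side: recompute from the stored HA1 only; the cleartext password is never needed."""
    f = parse_digest_params(auth_header)
    ha2 = md5_hex(f"{method}:{f['uri']}")
    if "qop" in f:
        expected = md5_hex(f"{stored_ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")
    else:
        expected = md5_hex(f"{stored_ha1}:{f['nonce']}:{ha2}")
    return hmac.compare_digest(expected, f["response"])  # constant-time compare
```

Note that HA1 is a static value per user/realm/password, so a leaked HA1 is as good as the password for this realm; and MD5 here only protects the password in transit, not the request body or the integrity of the page.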
XMLHTTP uses Digest Authentication, maybe you should try that?

Need help with that one? I have been writing a Hotmail Client that uses XMLHTTP.
I can't use XMLHTTP, unfortunately. I have to support at least Windows 98 and NT with this application. Preferably even Windows 95. Maybe even support Kylix later on. Thus I try to keep away as many Windows-specific things as possible. Like including ActiveX controls...
Workshop_Alex:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
CleanupPing:
Refund, please. No answer has brought me to any solution yet.
Alex, Indy9 supports Digest authentication if it hasn't been suggested already.
Eddie, I haven't noticed anything about Digest authentication in Indy. At least, not in the client-side components. Problem is, I am not allowed to do anything on the server for this problem. And on the client side I need to use my own edit-controls for username and password and must prevent at all costs that Windows will pop up some dialog asking for the user credentials. And it's that last thing that's bugging me the most.

It is quite simple. I have the URL http://Spikeys.Hell.org/SomePage.html and all I have to do is see if the user can access this page. If he can, he is validated for the client system and can use the client application. If not, he'll just have to try again. The client application will access the server again through SOAP with the credentials the user provided before so it is a bit more than just user validation. But it is the first validation step over the Internet that is most important.

In the end, the application will allow a user in Europe to access company data on a server in the US just over the Internet, through SOAP. But on a secure server, SOAP pops up with a dialog asking for credentials. Unfortunately, the user doesn't connect directly to the US-based server. He connects to a central system on his own site through COM+ and COM+ will call the SOAP components. But if SOAP asks for the user credentials, who will enter them on this COM+ server that might be locked away somewhere between the rest of their server-park?

Yeah, the application is quite complex... Or at least the way data travels around in this system is complex. It is even worse since the US server requires the user credentials to impersonate the user and gain access to other system parts as this user...
I am working on adding the WebDAV extensions to idHTTP and they require digest authentication.
Search the Borland Newsgroups for "digest and ^delphi and ^winsock" (without the quotes) on http://www.tamaracka.com. There are lots of messages on the subject of handling digest auth with Indy.
You can also try the AToZedSoftware http newsgroup at
server:  news.atozedsoftware.com
group:  atozedsoftware.indy.protocol.http
The Indy newsgroups at AToZed also have a web interface, although it is currently offline:
http://www.atozed.com/WebForums.html
Thanks, Eddie. But unfortunately not very helpful yet. I am examining the Indy 10 components right now and they offer a TIdDigestAuthentication component that can be used with the TidHTTP component. But I still have to check the impact of replacing Indy 9 with Indy 10 in my projects. Besides, Indy 10 is still a beta product so not reliable enough to be used in a production environment...

Anyway, solving this problem has been delayed and I don't need an immediate solution right now. For now, when the user enters the wrong credentials, he will just get an annoying dialog box that asks his credentials again. I now have the SOAP server return the user name as the first call. (But I was trying to avoid doing this.)
Accepted solution by Eddie Shipman (United States of America): only available to Experts Exchange members.
Oh, yeah, I do know that NTLM is working, although I haven't tested it...
Hi there Workshop_Alex.

Would you be able to make available the methods you have implemented so far for webdav?