Solved

How to accept users from a non-trusted domain but still use NTLM

Posted on 2009-05-18
Last Modified: 2013-12-04
I am using IIS on Windows Server 2003, isapi redirect and Tomcat.

The web server runs in a domain, but users are coming from another domain.
No trust relationship is in place. I want to use NTLM to get the credentials without the user typing them. The Tomcat application will be doing the authentication, so I need IIS to pass the credentials through.

I am having trouble keeping IIS from authenticating the users against the local server. I used the IIS diagnostic tools to debug this. Using WFetch, forcing NTLM with a user/domain/password that exists on the server, IIS lets me access the pages. But if I use a user unknown on the server, then I get an authentication failure.

I have tried to play with the permissions, using the group Everyone on the directory, and enabled the security policy "Let Everyone permissions apply to anonymous users".

I have made a similar configuration on Windows XP (within a workgroup) without problem. But on Windows Server I have issues, and I am not sure why.

How can I force IIS to accept the credentials as-is without rejecting the user?

Thanks

Question by:zdom
11 Comments
LVL 22

Expert Comment

by:cj_1969
ID: 24423754
If the users are coming from another domain then the only way to get this to work, the way you want it to, is to enable BASIC authentication on the site and have the browser pass the credentials in clear text.  As this is a security risk, the acceptable way to mitigate this is to require SSL for this connection to the web server.

Any other method would use MS encryption and you would not be able to get the pw.  Even if you get the ID, unless you are just verifying that, you would not be able to "authenticate" them.
LVL 1

Expert Comment

by:esambo
ID: 24424152
Please ensure that Tomcat is running on the same server as IIS. Otherwise you will get a "double-hop" (http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx) error where the security tokens will NOT be forwarded to Tomcat which would explain your authentication error.
You can avoid this by running Tomcat and IIS on the same server or by using Kerberos instead of NTLM.
LVL 22

Accepted Solution

by: cj_1969 (earned 250 total points)
ID: 24424292
I think I might have missed the gist of the question when I responded the first time ...
Since this server is a member of the domain, as long as it is not a domain controller, then you need to get that out of your head.  I presume you have WIA (Windows Integrated Authentication) enabled for the directory in question (otherwise you would never grab the user credentials).  Next, you need to grant the NTFS permissions on the directory structure to allow ALL users.  To do this, I believe you are going to need to grant EVERYONE from the LOCAL MACHINE (not domain users) access to the directory ... you might need to grant the Guest account access to it.  You will also want to remove anonymous access from the directory so that it forces IIS to make the users send credentials.

Author Comment

by:zdom
ID: 24425276
I have IIS and Tomcat on the same system, so I don't have the double hop issue.
As the users are coming from a trusted source, what I really need for now is the username. And yes, I have selected "Windows Integrated Authentication". So I think you understood my issue very well.

I agree with cj_1969's suggestion, this is probably my problem. Now my question is that I am not sure how to do it.

I logged on to the box using a user with admin rights and granted Read & Execute on the directory to the group Everyone. You said: "you are going to need to grant EVERYONE from the LOCAL MACHINE access (not domain user)"; I think I did that:
I added 'Everyone' in the Local Security Settings, User Rights Assignment, Access this computer from the network. Should I do something else?
LVL 22

Expert Comment

by:cj_1969
ID: 24425363
You probably still need to enable Windows Integrated Authentication with BASIC authentication in IIS on this directory/web app also.
Author Comment

by:zdom
ID: 24426807
I made several tests; maybe that will help figure out this problem.
My current set-up is WIA and Basic are selected.
I use WFetch to send a request with NTLM auth.

When only WIA and Basic are selected, then I get an error in the IIS logs:
/jakarta/isapi_redirector2.dll - 80 - 401 2

If I also select anonymous access, and use WFetch with NTLM to access the site:
- Case 1: using a valid user on the system, I get access, and in IIS's log I see the username
- Case 2: using an invalid user name (coming from another domain), I get access, and in IIS's log I see 'Guest' as the user name.
- Case 3: using Internet Explorer, I have access, but no username shows up in the log

So I am assuming that by default IE is not sending the credentials unless, in this case, I configure the browser to send the login/password and add the web site to the trusted list.

Do you understand why usernames are converted to Guest?
and why I don't see a user name when I use IE?

LVL 1

Assisted Solution

by: esambo (earned 250 total points)
ID: 24426942
You have to turn off anonymous access. I would also turn off Basic Authentication and only leave Windows Integrated Authentication on.
Accessing a web site configured like that with IE should show an HTTP status code of 401 (http://en.wikipedia.org/wiki/List_of_HTTP_status_codes), which is the browser's first attempt to connect as anonymous. The HTTP 401 response tells the browser that authentication is necessary for that site. IE will now make a second request to the web server and provide a security token of the currently logged-in Windows user.
I also configure my web.config of my ASP.NET web sites to "impersonate" the user which will run the web server request as that user instead of the user with which IIS is configured.

Author Comment

by:zdom
ID: 24427300
You bring up a good point. I should do the "impersonate" config.
When I remove both basic and anonymous, I get error 401.2
/jakarta/isapi_redirector2.dll - 80 -  401 2 64

LVL 1

Expert Comment

by:esambo
ID: 24427385
I just looked through one of my own IIS log files:

#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - <my ip address> 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - <my user ID> <my ip address> 200 0

IE had to make three requests until it finally got the correct HTTP 200 response.

Do you get an HTTP 200 response after your 401.2?
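The 401.2 / 401.1 / 200 sequence above is the NTLM exchange seen from the server side, and the asker's Case 2 shows what a Guest fallback looks like in the same log. As an added example (not part of this thread), the Python below parses constructed IIS W3C log lines in the same field layout as esambo's excerpt, groups them per client and resource, and labels each as a completed exchange, an incomplete one (401.2 with no following 200, the pattern when something between client and server breaks the handshake), a Guest-mapped hit, or a plain anonymous hit. The IP addresses and the account name are made up.

```python
from collections import defaultdict

# Constructed sample with the same field layout as the excerpt in the thread;
# addresses and the account name are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status sc-substatus
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.5 401 2
2009-05-19 22:51:29 GET /LRRS/jScript.js - - 10.0.0.5 401 1
2009-05-19 22:51:30 GET /LRRS/jScript.js - CORP\\alice 10.0.0.5 200 0
2009-05-19 22:52:01 GET /jakarta/isapi_redirector2.dll - - 10.0.0.7 401 2
2009-05-19 22:52:02 GET /jakarta/isapi_redirector2.dll - - 10.0.0.7 401 2
2009-05-19 22:53:10 GET /jakarta/isapi_redirector2.dll - Guest 10.0.0.9 200 0
2009-05-19 22:53:11 GET /jakarta/isapi_redirector2.dll - - 10.0.0.11 200 0
"""

def parse_w3c(text):
    """Yield one dict per request; the #Fields directive supplies the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify_handshakes(text):
    """Label the authentication outcome per (client IP, resource).

    complete    401.2 -> 401.1 -> 200 with a username: a normal NTLM exchange
    incomplete  401.2 but never a 200: the client did not finish the exchange
    guest       200 logged as Guest: an unknown account fell through to Guest
                because anonymous access was left on, so the identity is lost
    anonymous   200 with no username at all: served by anonymous access
    """
    by_client = defaultdict(list)
    for row in parse_w3c(text):
        by_client[(row["c-ip"], row["cs-uri-stem"])].append(row)
    result = {}
    for key, rows in by_client.items():
        codes = {(r["sc-status"], r["sc-substatus"]) for r in rows}
        users = [r["cs-username"] for r in rows if r["sc-status"] == "200"]
        if not users:
            result[key] = "incomplete" if ("401", "2") in codes else "other"
        elif users[-1] == "Guest":
            result[key] = "guest"
        elif users[-1] == "-":
            result[key] = "anonymous"
        elif ("401", "1") in codes:
            result[key] = "complete"
        else:
            result[key] = "other"
    return result
```

Any "guest" or "anonymous" label on a resource that is meant to identify the caller means the Tomcat side never receives a real username, which is exactly the symptom discussed in this thread.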

Author Comment

by:zdom
ID: 24427636
I found out that the network has a component that blocks NTLM; it probably disconnects between the requests. If I route the traffic directly to the box, it works as you indicated. Except I need to impersonate, but that's fine. Thanks guys!

Author Closing Comment

by:zdom
ID: 31582864
Great support, detailed explanations. They tried to understand the issue and came up with great information.