NTLM HTTP Authentication - distinguishing between win9x and NT and 2000
Mike Papper
mike at digitalpipe.net
Thu Oct 11 20:34:17 GMT 2001
Hello, I am trying to get the mod_ntlm Apache module running. I have been
playing with the code and find that I cannot distinguish between a IE browser
running on win98 and one running on Windows 2000. My Apache server is running
on red hat 7.1 x86.
The code does the following to distinguish:
if ((strcmp(ntlmssp->host,"")==0) && (strcmp(ntlmssp->domain,"")==0))
I.e., it looks for a blank domain and machine name (host). The problem is
that it is blank for win98 but is not blank for win NT but IS blank for win
2000. However, it appears that the info sent from the browser (for win 2000)
should be processed in the same way as for windows NT.
The question then becomes: is there a way to determine (from the auth string
sent from the browser) what kind of machine it is/ whether to treat the
structure like a win98 or a winNT struct?
Here is the code that is executed dependent on if it thinks the data came
from a win9x or NT client:
-----------------
if (win9x==0) {
ntlm_encode_msg2(ntlm_connection->nonce, &msg);
challenge = uuencode_binary(r->pool, (unsigned char *) &msg,
sizeof(msg));
}
else {
ntlm_encode_msg2_win9x(ntlm_connection->nonce,
&msg_win9x,crec->ntlm_domain);
challenge = uuencode_binary(r->pool, (unsigned char *) &msg_win9x,
NTLM_MSG2_WIN9X_FIXED_SIZE+strlen(crec->ntlm_domain));
}
--------------------
Possibly looking at the length of these structs or something - the nonce
member?? would detmine this.
Note: a seg fault occurs if we use the wrong one.
Also:
-----
Note: curiously, only the very first time I used this with my browser running
on win 2000, it DID send the host and domain - and the authentication worked.
But every other time after that (even after restarting IE), the browser did
not send the domain/host info.
Is there a way to force IE to send that info?
If anyone has any ideas, can you send email to:
mike at digitalpipe.net
as I am not quite on the list yet (will be soon).
--
Mike Papper
Digital Pipe
mike at digitalpipe.net
650-627-5100 ext. 5211
More information about the samba-ntdom
mailing list