NTLM HTTP Authentication - distinguishing between win9x and NT and 2000

Mike Papper mike at digitalpipe.net
Thu Oct 11 20:34:38 GMT 2001 

Hello, I am trying to get the mod_ntlm Apache module running. I have been 
playing with the code and find that I cannot distinguish between a IE browser 
running on win98 and one running on Windows 2000. My Apache server is running 
on red hat 7.1 x86.

The code does the following to distinguish:

if ((strcmp(ntlmssp->host,"")==0) && (strcmp(ntlmssp->domain,"")==0))

I.e., it looks for a blank domain and machine name (host). The problem is 
that it is blank for win98 but is not blank for win NT but IS blank for win 
2000. However, it appears that the info sent from the browser (for win 2000) 
should be processed in the same way as for windows NT.

The question then becomes: is there a way to determine (from the auth string 
sent from the browser) what kind of machine it is/ whether to treat the 
structure like a win98 or a winNT struct?

Here is the code that is executed dependent on if it thinks the data came 
from a win9x or NT client:

-----------------
    if (win9x==0) {
	    ntlm_encode_msg2(ntlm_connection->nonce, &msg);
	    challenge = uuencode_binary(r->pool, (unsigned char *) &msg, 
sizeof(msg));
	}
    else	{
	    ntlm_encode_msg2_win9x(ntlm_connection->nonce, 
&msg_win9x,crec->ntlm_domain);
	    challenge = uuencode_binary(r->pool, (unsigned char *) &msg_win9x, 
NTLM_MSG2_WIN9X_FIXED_SIZE+strlen(crec->ntlm_domain));
	}
--------------------
Possibly looking at the length of these structs or something - the nonce 
member?? would detmine this.
Note: a seg fault occurs if we use the wrong one.


Also:
-----
Note: curiously, only the very first time I used this with my browser running 
on win 2000, it DID send the host and domain - and the authentication worked. 
But every other time after that (even after restarting IE), the browser did 
not send the domain/host info.

Is there a way to force IE to send that info?

If anyone has any ideas, can you send email to:

	mike at digitalpipe.net 

as I am not quite on the list yet (will be soon).


-- 
Mike Papper
Digital Pipe
mike at digitalpipe.net
650-627-5100 ext. 5211

More information about the samba mailing list