NTLM authentication

  • Mark Rae

    #31
    Re: NTLM authentication

    "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
    news:OZKB41AMHHA.3588@TK2MSFTNGP06.phx.gbl...
    > using System.DirectoryServices.Protocols;
    > using System.Net; // NetworkCredential
    > ...
    > using (LdapConnection ldap = new LdapConnection("DomainName or DC name"))
    > {
    >     LdapSessionOptions so = ldap.SessionOptions;
    >     ldap.AuthType = AuthType.Kerberos; // or NTLM but ...
    >     ldap.Bind(new NetworkCredential("username", "password", "domain"));
    > }
    > // done
    This is working perfectly - thanks for the tip.

    One final question: is the line "LdapSessionOptions so = ldap.SessionOptions;" actually
    necessary...? Removing it doesn't (seem to) make any difference...



    • Willy Denoyette [MVP]

      #32
      Re: NTLM authentication

      "Mark Rae" <mark@markNOSPAMrae.com> wrote in message
      news:ueK3NAMMHHA.3312@TK2MSFTNGP03.phx.gbl...
      > "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
      > news:OZKB41AMHHA.3588@TK2MSFTNGP06.phx.gbl...
      >> using System.DirectoryServices.Protocols;
      >> ...
      >> using (LdapConnection ldap = new LdapConnection("DomainName or DC name"))
      >> {
      >>     LdapSessionOptions so = ldap.SessionOptions;
      >>     ldap.AuthType = AuthType.Kerberos; // or NTLM but ...
      >>     ldap.Bind(new NetworkCredential("username", "password", "domain"));
      >> }
      >> // done
      >
      > This is working perfectly - thanks for the tip.
      >
      > One final question: is the line "LdapSessionOptions so = ldap.SessionOptions;" actually
      > necessary...? Removing it doesn't (seem to) make any difference...

      No, it's not, this is only a snip of a much larger program which uses LdapSessionOptions ...
      Sorry for the confusion.

      Willy.


      • Mark Rae

        #33
        Re: NTLM authentication

        "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in message
        news:eNedvxPMHHA.992@TK2MSFTNGP06.phx.gbl...
        > No, it's not, this is only a snip of a much larger program which uses
        > LdapSessionOptions ...
        Ah right...
        > Sorry for the confusion.
        No problem - thanks again for the code.



        • Willy Denoyette [MVP]

          #34
          Re: NTLM authentication

          "webrod" <rodolphe.aoustin@gmail.com> wrote in message
          news:1167985969.990417.278490@i15g2000cwa.googlegroups.com...
          > Willy,
          >
          > thank you again for your answer.
          > I think you're right, we'll have to see if we can remove NT4 from our
          > requirement.
          > Anyway, I would like to ask you a last question regarding your answer.
          >
          > Something is not clear.
          > You say:
          > "you are actually binding against the server pstrDomain using pstrUser,
          > pstrPassword as credentials for the bind (done by objADAM.NativeObject.Equals(null);).
          > That means that you are authenticating against the LOCAL account DB
          > (the SAM of pstrDomain) using NTLM."
          >
          > Then you say:
          > "... But, you can't use this to authenticate domain credentials
          > (username\domain)."
          >
          > It looks like the opposite?? Or what is the difference between "binding
          > against the server pstrDomain using pstrUser, pstrPassword" and
          > "authenticate domain credentials (username\domain)"?
          >
          > I mean, with this code, I am not authenticating a local user, I am really
          > authenticating users who belong to a domain. So this is exactly what I
          > want. Or maybe I misunderstand something?
          >
          > The .NET script has been run on my XP workstation.
          > It belongs to an NT4 domain.
          > I have called the function this way:
          > Boolean test = Logon("localhost:50004", "BOB", "BOBPWD")
          >
          > I have used localhost because ADAM is installed on my Windows XP
          > workstation (no users within ADAM and only one local account: admin).
          > Bob is registered on the NT4 domain (SAM db), he is not a local user.
          >
          > So when I bind the local ADAM, it automatically authenticates the NT
          > domain user, right??

          No, please enable account logon auditing in your local policies, and you will see how and who
          is authenticating.
          If you need to bind using a "domain" account, you need to apply the "domain\user" (or
          "user@domain") syntax for the Username property, how else would ADSI know which domain
          controller stores BOB's credentials?
          If you bind like you did, then ADSI assumes "BOB" is a local account, so the bind should
          fail if BOB is not a local account or if its password is not BOBPWD. Note that this bind
          succeeds on V1.x of the framework, because there the default authentication type is "None",
          which means no authentication check is done at all. Therefore you should specify
          AuthenticationTypes.Secure and not rely on the default because this one is CLR version
          dependent.

          Willy.

          • webrod

            #35
            Re: NTLM authentication

            Willy,

            I am very surprised!!
            I have tested with 4 employees in my company.
            My PC is a new one: there are NO local accounts.
            They do NOT exist on my PC!!
            This is true, this is my OWN PC, I mean I am the person who accesses this
            PC and only me.
            If I authenticate as I did against ADAM with their login/pwd, it works.
            If I enter a WRONG pwd, it does NOT authenticate (so it is the proof
            that the default authentication type is NOT "None".)
            And you can believe me, there are no local users on my PC except:
            Administrator, admin, ASPNET, IUSR_BW200120, console_de.

            You are saying "ADSI know which domain controller stores BOB's
            credentials?", this is a good question, I guess it knows the domain of
            the current user so it tries to authenticate BOB with this domain, or
            I don't know... But it does

            Rod


            • webrod

              #36
              Re: NTLM authentication

              To be clear, they come (the 4 employees) to my PC to provide their
              logon/pwd to my LOGON function. They do not run the application from
              their PC, they run my application from MY PC, and ADAM is on MY PC.

              Rod


              • Willy Denoyette [MVP]

                #37
                Re: NTLM authentication

                "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                news:1168242607.530464.16420@s34g2000cwa.googlegroups.com...
                > Willy,
                >
                > I am very surprised!!
                > I have tested with 4 employees in my company.
                > My PC is a new one: there are NO local accounts.
                > They do NOT exist on my PC!!
                > This is true, this is my OWN PC, I mean I am the person who accesses this
                > PC and only me.
                > If I authenticate as I did against ADAM with their login/pwd, it works.
                > If I enter a WRONG pwd, it does NOT authenticate (so it is the proof
                > that the default authentication type is NOT "None".)
                > And you can believe me, there are no local users on my PC except:
                > Administrator, admin, ASPNET, IUSR_BW200120, console_de.
                >
                > You are saying "ADSI know which domain controller stores BOB's
                > credentials?", this is a good question, I guess it knows the domain of
                > the current user so it tries to authenticate BOB with this domain, or
                > I don't know... But it does

                Say that the user is "administrator" with password "adminpwd", what administrator would be
                used to authenticate, the LOCAL admin or the DOMAIN admin?? According to you it would use
                the domain administrator, well, I say it's not.
                There must be something wrong with your set-up or your code, really.

                Please do yourself and us a favor and try to answer the following questions:
                - What Framework version are you running on XP?
                - Are you logged on into your domain or locally?
                - Your DC is running NT4, right?
                - Enable (success and fail) logon auditing in your Local Security Policy. Clear the Security
                EventLog and watch the security events after each bind. Note that this can't be done on NT4,
                so you can only watch the local logon attempts.
                - What happens if you run ldp.exe (from the ADAM prompt) and execute:
                Connect to localhost port 389 (the defaults)
                Bind using NTLM:
                enter User (BOB or whatever you consider a valid domain account) and Password, leave
                Domain empty
                press Advanced, select NTLM from the list and press OK
                press OK in the Bind dialog
                This should fail because authentication will be done to the LOCAL SAM and you said BOB
                is non-local (which I believe).
                Now try the same specifying the domain name, this should succeed.
                - What does your path string look like? Are you sure you specify the port like this:
                DirectoryEntry(LDAP://server:389 ...
                where server is the server name running ADAM and 389 the port on which the instance is
                listening (here the default)

                - Now, use the "domain\\user" syntax for the username in your DirectoryEntry constructor,
                where domain is your logon domain (NT4) and user a domain account. This is the syntax that
                makes it possible for the Security Provider to make a distinction between a local account
                and a domain account.
                - What's the result when running this code?
                - And what logon events do you get in your Security log?

                Willy.

                • webrod

                  #38
                  Re: NTLM authentication

                  Willy,

                  here are the first answers:
                  > Please do yourself and us a favor and try to answer the following questions:
                  > - What Framework version are you running on XP?
                  3.0
                  > - Are you logged on into your domain or locally?
                  domain
                  > - Your DC is running NT4, right?
                  yes
                  > - Enable (success and fail) logon auditing in your Local Security Policy. Clear the Security
                  > EventLog and watch the security events after each bind. Note that this can't be done on NT4,
                  > so you can only watch the local logon attempts.
                  don't know yet how to do it, I will try this afternoon.
                  Do you mean on my XP workstation or on the server?
                  > - What happens if you run ldp.exe (from the ADAM prompt) and execute:
                  > Connect to localhost port 389 (the defaults)
                  > Bind using NTLM:
                  > enter User (BOB or whatever you consider a valid domain account) and Password, leave
                  > Domain empty
                  > press Advanced, select NTLM from the list and press OK
                  > press OK in the Bind dialog
                  > This should fail because authentication will be done to the LOCAL SAM and you said BOB
                  > is non-local (which I believe).
                  No, it works ;)
                  And it says "Authenticated as: GG\BOB" !!

                  GG is the domain name!! But I didn't enter the domain name in the logon
                  window, it was empty as you said ("...leave domain empty..."). So it
                  knows the domain even if I do not provide it!!

                  > Now try the same specifying the domain name, this should succeed.
                  Yes
                  > - What does your path string look like? Are you sure you specify the port like this:
                  > DirectoryEntry(LDAP://server:389 ...
                  in my C# code I have:
                  new DirectoryEntry("LDAP://localhost:50004", "BOB", "BOBPWD")
                  > where server is the server name running ADAM and 389 the port on which the instance is
                  > listening (here the default)
                  ADAM is running on my PC (XP).
                  The PORT is 50004 (I have installed several instances to do some tests,
                  then I have removed all of them except the last one which is listening
                  on 50004)

                  > - Now, use the "domain\\user" syntax for the username in your DirectoryEntry constructor,
                  > where domain is your logon domain (NT4) and user a domain account. This is the syntax that
                  > makes it possible for the Security Provider to make a distinction between a local account
                  > and a domain account.
                  > - What's the result when running this code?
                  it authenticates
                  > - And what logon events do you get in your Security log?
                  don't know yet, I will answer you this afternoon

                  > Willy.
                  thanks for your help

                  Rod


                  • webrod

                    #39
                    Re: NTLM authentication

                    Willy,

                    here are the last answers.
                    I have enabled the audit on my XP workstation.
                    When I use my code (without the domain name), here are the 2 logs I can
                    see:
                    FIRST LOG
                    Successful Network Logon:
                    User Name: BOB
                    Domain: GG
                    Logon ID: (0x0,0x4CB6F9)
                    Logon Type: 3
                    Logon Process: NtLmSsp
                    Authentication Package: NTLM
                    Workstation Name: BW200120
                    Logon GUID: {00000000-0000-0000-0000-000000000000}

                    SECOND LOG
                    User Logoff:
                    User Name: BOB
                    Domain: GG
                    Logon ID: (0x0,0x4CB6F9)
                    Logon Type: 3

                    Does it mean something interesting for you?
                    GG is my domain (NT4), BW200120 is the name of my workstation.


                    Rod


                    • Willy Denoyette [MVP]

                      #40
                      Re: NTLM authentication

                      "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                      news:1168259795.795259.150740@q40g2000cwq.googlegroups.com...
                      > Willy,
                      >
                      > here are the first answers:
                      >
                      >> Please do yourself and us a favor and try to answer the following questions:
                      >> - What Framework version are you running on XP?
                      >
                      > 3.0
                      >
                      >> - Are you logged on into your domain or locally?
                      >
                      > domain
                      >
                      >> - Your DC is running NT4, right?
                      >
                      > yes
                      >
                      >> - Enable (success and fail) logon auditing in your Local Security Policy. Clear the
                      >> Security EventLog and watch the security events after each bind. Note that this can't
                      >> be done on NT4, so you can only watch the local logon attempts.
                      >
                      > don't know yet how to do it, I will try this afternoon.
                      > Do you mean on my XP workstation or on the server?
                      >
                      XP, that is where the client is running (and I suppose this is also where ADAM is running,
                      so I don't know exactly).
                      >> - What happens if you run ldp.exe (from the ADAM prompt) and execute:
                      >> Connect to localhost port 389 (the defaults)
                      >> Bind using NTLM:
                      >> enter User (BOB or whatever you consider a valid domain account) and Password, leave
                      >> Domain empty
                      >> press Advanced, select NTLM from the list and press OK
                      >> press OK in the Bind dialog
                      >> This should fail because authentication will be done to the LOCAL SAM and you said BOB
                      >> is non-local (which I believe).
                      >
                      > No, it works ;)
                      > And it says "Authenticated as: GG\BOB" !!
                      >
                      That's why I asked if you were logged on into a domain or locally. When logged on into a
                      domain, ldp uses the "Domain" name of the interactive user's logon session in this case, but
                      this will not work if you are logged on locally, just try it. Nor will it work when ADAM is
                      running on a remote server, because there you won't have a user login session running.

                      > GG is the domain name!! But I didn't enter the domain name in the logon
                      > window, it was empty as you said ("...leave domain empty..."). So it
                      > knows the domain even if I do not provide it!!
                      >
                      It doesn't know the domain of BOB, it's using the current login domain. So, this works only
                      if BOB is a user of the same domain, but fails when not (for instance when BOB is a member
                      of another domain in a forest). That's why you should always use the "domain\user" format as
                      username property. Note that domain here is either the domain name for domain accounts or
                      the local machine name for local accounts, this to prevent ambiguity.

                      >
                      >> Now try the same specifying the domain name, this should succeed.
                      >
                      > Yes
                      >
                      >> - What does your path string look like? Are you sure you specify the port like this:
                      >> DirectoryEntry(LDAP://server:389 ...
                      >
                      > in my C# code I have:
                      > new DirectoryEntry("LDAP://localhost:50004", "BOB", "BOBPWD")
                      >
                      >> where server is the server name running ADAM and 389 the port on which the instance is
                      >> listening (here the default)
                      >
                      > ADAM is running on my PC (XP).
                      > The PORT is 50004 (I have installed several instances to do some tests,
                      > then I have removed all of them except the last one which is listening
                      > on 50004)
                      >
                      >> - Now, use the "domain\\user" syntax for the username in your DirectoryEntry constructor,
                      >> where domain is your logon domain (NT4) and user a domain account. This is the syntax
                      >> that makes it possible for the Security Provider to make a distinction between a local
                      >> account and a domain account.
                      >> - What's the result when running this code?
                      >
                      > it authenticates
                      >
                      Yep, see above.
                      But again, I want to stress some important points. When binding using the ADSI
                      (System.DirectoryServices) LDAP provider (LDAP://...) you are effectively using the SPNEGO
                      security provider (well, the ADSI provider does), that means that first Kerberos
                      authentication will be attempted and when this fails (and it will as NT4 does not support
                      Kerberos) it will downgrade to use NTLM, this is a slow process and you can't even predict
                      which authentication protocol will be used; depending on the path specified, even a
                      downgrade to anonymous is possible.
                      Therefore SDS should never be used to validate user credentials, check the Remarks of the
                      OpenDSObject API (wrapped by SDS.DirectoryEntry) in MSDN to know exactly why. If you can't
                      use the method described in KB180548, use the System.DirectoryServices.Protocols

                      Willy.
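The following is an added example, not code from the thread or from Willy's posts. It puts the advice from #34, #37 and #40 into one validator: it binds with System.DirectoryServices.Protocols, pins the authentication mechanism (Kerberos or NTLM, never Negotiate or Anonymous, so SPNEGO cannot silently pick or downgrade), and takes the domain as a separate argument so a bare "BOB" is never resolved against whatever logon domain the interactive session happens to have. A second method shows the ADSI (System.DirectoryServices) path from the thread with AuthenticationTypes.Secure set explicitly instead of relying on the framework-version-dependent default. The server, port and account values (localhost:50004, GG\BOB) mirror the thread; the method names, the choice of sign/seal, and the mapping of LDAP error 49 to "invalid credentials" are this example's own assumptions.

```csharp
// Added example (not from the thread): credential validation against an ADAM/LDAP
// instance with the mechanism pinned and the domain passed explicitly.
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Runtime.InteropServices;

static class LdapLogonCheck
{
    // Bind with exactly one mechanism. Returns false only on "invalid credentials";
    // any other failure (server down, unsupported mechanism) propagates, because a
    // validator must never report "bad password" for what is really a transport error.
    public static bool ValidateDomainLogon(string server, int port, string domain,
                                           string user, string password, AuthType mechanism)
    {
        if (string.IsNullOrEmpty(domain))
            throw new ArgumentException("domain is required: without it the provider " +
                "resolves the name against the caller's logon domain or the local SAM", "domain");
        if (user.IndexOf('\\') >= 0 || user.IndexOf('@') >= 0)
            throw new ArgumentException("pass the domain in the domain parameter, not in user", "user");
        if (mechanism == AuthType.Anonymous || mechanism == AuthType.Negotiate)
            throw new ArgumentException("use AuthType.Kerberos or AuthType.Ntlm: Negotiate lets " +
                "SPNEGO choose and Anonymous checks nothing", "mechanism");

        using (var ldap = new LdapConnection(new LdapDirectoryIdentifier(server, port)))
        {
            ldap.SessionOptions.ProtocolVersion = 3;
            ldap.SessionOptions.Signing = true;   // integrity-protect the session (assumed supported)
            ldap.SessionOptions.Sealing = true;   // and encrypt it
            ldap.AuthType = mechanism;            // pinned: no negotiation, no downgrade
            try
            {
                ldap.Bind(new NetworkCredential(user, password, domain));
                return true;
            }
            catch (LdapException ex)
            {
                if (ex.ErrorCode == 49)           // LDAP_INVALID_CREDENTIALS (assumed mapping)
                    return false;
                throw;
            }
        }
    }

    // The ADSI (System.DirectoryServices) variant from the thread, with the flags set
    // explicitly. Secure forces an authenticated bind, Sealing encrypts it, and
    // ServerBind keeps ADSI on the server named in the path.
    public static bool ValidateWithAdsi(string ldapPath, string domain, string user, string password)
    {
        const AuthenticationTypes flags = AuthenticationTypes.Secure
                                        | AuthenticationTypes.Sealing
                                        | AuthenticationTypes.ServerBind;
        using (var entry = new DirectoryEntry(ldapPath, domain + "\\" + user, password, flags))
        {
            try
            {
                object native = entry.NativeObject;  // forces the bind; throws on failure
                return native != null;
            }
            catch (COMException)                     // DirectoryServicesCOMException derives from it
            {
                return false;
            }
        }
    }

    static void Main()
    {
        // Values from the thread: NT4 domain GG, ADAM on localhost:50004. An NT4 DC has
        // no Kerberos, so the mechanism is pinned to NTLM rather than negotiated.
        bool ok = ValidateDomainLogon("localhost", 50004, "GG", "BOB", "BOBPWD", AuthType.Ntlm);
        Console.WriteLine(ok ? "GG\\BOB: bind succeeded" : "GG\\BOB: invalid credentials");

        bool okAdsi = ValidateWithAdsi("LDAP://localhost:50004", "GG", "BOB", "BOBPWD");
        Console.WriteLine(okAdsi ? "ADSI bind succeeded" : "ADSI bind failed");
    }
}
```

To confirm which mechanism actually ran, do what Willy asked for in #37 and Rod did in #39: enable success and failure logon auditing in the Local Security Policy on the machine running the client and check the Security log after each bind; a pinned NTLM bind shows up as a Logon Type 3 event with Logon Process NtLmSsp and Authentication Package NTLM, and a wrong password produces a failure event rather than a success.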


                      • Willy Denoyette [MVP]

                        #41
                        Re: NTLM authentication

                        "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                        news:1168262242.754031.313460@i15g2000cwa.googlegroups.com...
                        > Willy,
                        >
                        > here are the last answers.
                        > I have enabled the audit on my XP workstation.
                        > When I use my code (without the domain name), here are the 2 logs I can
                        > see:
                        > FIRST LOG
                        > Successful Network Logon:
                        > User Name: BOB
                        > Domain: GG
                        > Logon ID: (0x0,0x4CB6F9)
                        > Logon Type: 3
                        > Logon Process: NtLmSsp
                        > Authentication Package: NTLM
                        > Workstation Name: BW200120
                        > Logon GUID: {00000000-0000-0000-0000-000000000000}
                        >
                        > SECOND LOG
                        > User Logoff:
                        > User Name: BOB
                        > Domain: GG
                        > Logon ID: (0x0,0x4CB6F9)
                        > Logon Type: 3
                        >
                        > Does it mean something interesting for you?
                        > GG is my domain (NT4), BW200120 is the name of my workstation.
                        >
                        > Rod

                        Important for me, not really, maybe for you?
                        This says the LSA authenticated BOB as a domain user on GG with a logon type 3 (network)
                        using NTLM and the NtLmSsp security provider.
                        Any failed authentication messages? I guess not, the local LSA running on an NT4 domain
                        member knows that the (NT4) DC LSA does not have the Kerberos SSP, so it doesn't even use
                        SPNEGO but NTLM directly.
                        Anyway, weird combination, using LDAP in an NT4 domain....
                        Willy.
