3

We use NTLM auth to access an ASP.net web services from our MonoTouch app and everything works fine.

One of our customers uses the same app and the NTLM auth fails from our app but works from the iPad's Safari browser.

Looking at the packet flow from the customer, the server does not return NTLMSSP_CHALLENGE, when our app sends NTLMSSP_NEGOTIATE message.

Looking the differences between our app's NTLMSSP_NEGOTIATE message and iPad's Safari same message Our MT app sets the NTLM flags to 0xb203 and Safari sets this to 0x88207. The NegotiateNtlm2Key is set to 0 in our app and 1 in Safari Our app also sends the calling workstation domain and name fields whereas Safari send both as null.

The client's server is Windows Server 2003 and they also use Kerberos as their main authentication scheme and fall back on NTLM.

Would setting the NegotiateNtlm2Key flags in Mono.Security.Protocol.Ntlm.NtlmFlags help?

César
  • 9,939
  • 6
  • 53
  • 74
SoftwareWeaver
  • 95
  • 1
  • 7

2 Answers2

4

NTLMv2 Session and NTLMv2 Authentication has now been implemented in Mono (mono/master commit 45745e5).

See this article for a description of the different NTLM versions.

By default, Mono now uses NTLMv2 Session Authentication whenever the server supports it and falls back to LM & NTLM otherwise.

The default behavior can be configured by using the new Mono.Security.Protocol.Ntlm.Type3Message.DefaultAuthLevel property in Mono.Security.dll (see Type3Message.cs and NtlmAuthLevel.cs in mcs/class/Mono.Security/Mono.Security.Protocol.Ntlm).

This is similar to the Lan Manager Authentication Level in Windows.

Update 01/26/13

There has been an issue with Microsoft Server 2008 RC2 not accepting the domain name that it sent back in the Type 2 Message's Target Name (or Domain Name from the Target Info block).

Therefore, we are now using the domain name from the NetworkCredential to allow the user to specify the desired domain. This is also the domain name that's initially being sent to the server in the Type 1 Message.

Martin Baulig
  • 3,010
  • 1
  • 17
  • 22
  • Many thanks for adding this Martin. I tried out MonoTouch 6.0.8 which has this fix but it broke the authentication with my current Windows 2008 R2 server, which works in MT 6.0.6. If you need it, I can email you a small MonoTouch program to repro this issue. – SoftwareWeaver Jan 19 '13 at 08:43
  • I emailed a test project to the Xamarin support center that repros this issue. – SoftwareWeaver Jan 19 '13 at 09:01
  • Ok, I'll have a look at it. – Martin Baulig Jan 21 '13 at 17:17
  • Sorry that it took so long - had some annoying computer problems this week :-( I finally have a fix for this, will commit shortly. – Martin Baulig Jan 26 '13 at 05:42
  • The problem was that your server accepts any random string as domain name in the `Type3Message` - except the one that it sends back in the `Type2Message`s Target Name (which is identical to the Domain Name field in the Target Info). This is really weird. – Martin Baulig Jan 26 '13 at 05:45
  • I'll fix that by always using the domain name from the `NetworkCredential` - tested this with Windows Server 2012 (the standard version that you get in Amazon's EC2) and different Lan Manager Authentication settings and it's working fine there. I also experimented with Samba's `ntlm_auth` tool - and this is always using the domain name from the local `smb.conf` no matter what I put into the Target Info block. So I think letting the user specify the domain name in the `NetworkCredential` is the right thing to do. – Martin Baulig Jan 26 '13 at 05:48
  • Thanks Martin. Hope to see the fix soon in MonoTouch. – SoftwareWeaver Jan 26 '13 at 21:11
1

Simply setting flags ? Maybe but IMHO that's quite unlikely.

That code base was written in 2003 (and updated in 2004) and I'm pretty sure that I (as the author of the low-level code) did not have access to a Windows 2003 server or a Kerberos-enabled domain at that time.

The amount of required change, for a fallback, might not be too large (but I would not bet 5$ on that ;-) if you already have the environment to test it. I'm 100% positive that the Mono project would be happy to receive patches to enable this. You can also fill a bug report (priority enhancement) to ask for this feature at http://bugzilla.xamarin.com

An alternative is to use the iOS API, which I assume Safari is using, to communicate with the ASP.NET web service and deserialize the data yourself. Hard to say which options is more complex.

poupou
  • 43,413
  • 6
  • 77
  • 174
  • Thanks Sebastien. Will try to talk to customer to figure how to create a repro for this. I don't have Kerberos enabled domain setup. Will open a bug and add the data I have. Hopefully, someone else may have a test setup. – SoftwareWeaver Nov 23 '11 at 02:06