NTLM / Negotiate Headers


RReukema

Oct 10, 2012, 3:10:57 PM
to httpf...@googlegroups.com
This may be a lack of understanding from my part, but security is something that always drives me nuts!
 
I am getting a 401 response with three WWW-Authenticate headers - Negotiate, NTLM, and a Basic realm.
 
I've configured Fiddler to do auto response (oSession["x-AutoAuth"] = "(default)";) and there is an attempt with a response that looks like:

Authorization Header (Negotiate) appears to contain a Kerberos ticket:

I'm thinking that I should respond with only the NTLM response, but the Negotiate header is taking over.

Should I 1) remove the Negotiate header when the response is coming in?, or 2) configure IIS to avoid the Negotiate header, or 3) is there a way to configure Fiddler to always respond with an NTLM header?

Regards,

Richard

EricLaw

Oct 11, 2012, 4:34:51 PM
to httpf...@googlegroups.com
Sorry, I'm not sure exactly what the goal here is? Are you getting only 401s and not getting authenticated? Or is there some other problem that you're hitting?
 
thanks!

EricLaw

Oct 11, 2012, 4:40:17 PM
to httpf...@googlegroups.com
FWIW, Fiddler arguably has a bug here at the moment. When deciding whether to support X-AutoAuth, it checks all WWW-Authenticate headers for NTLM, Negotiate, or Digest. However, when calling into the authentication package, it only passes in the value of the first WWW-Authenticate header that it finds.
 
Now, servers will generally order such headers by the strongest to the weakest auth method supported, so Fiddler is usually using the "right" one, but it is a limitation to be aware of... 

RReukema

Oct 22, 2012, 2:24:00 PM
to httpf...@googlegroups.com
Sorry that I did not reply sooner - I thought that I would have received an email if/when a response was given.
 
You hit the nail on the head with this one, in regard to the multiple Authentication Headers.  When replying, something in the chain (not sure if it is IIS or the application) requires NTLM authentication, and not Kerberos.  As Kerberos was first, that is what Fiddler was responding with.  A simple fix for me was to alter the priority of the authentication methods - moving NTLM above Kerberos.  After that I was able to replay calls to the application.  (If I knew FiddlerScript better, I thought I could also remove the Kerberos header on the 401 response, and likely have the same result?)
 
I have one outstanding question however, in regard to reusing sessions.  Each POST is followed by the double authentication calls required by NTLM.  Is there a way for Fiddler to re-use the session, and avoid the noise and time of the authentication calls for each POST?

Regards and congratulations on the association with Telerik!
 
Richard
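The two behaviours discussed above, as an added example that is not code from the thread or from Fiddler itself: a proxy that hands only the first WWW-Authenticate value to its auth package, and the reordering fix (NTLM ahead of Negotiate) Richard applied. The 401 header set is constructed; the FiddlerScript calls named in the trailing comment are assumed from memory and should be checked against your Fiddler version.

```javascript
// Constructed 401 challenge, in the order IIS typically emits it
// (strongest scheme first). Header names and values as [name, value] pairs.
const CHALLENGE_401 = [
  ["WWW-Authenticate", "Negotiate"],
  ["WWW-Authenticate", "NTLM"],
  ["WWW-Authenticate", 'Basic realm="intranet"'],
  ["Content-Length", "0"],
];

const isAuthHeader = ([name]) => name.toLowerCase() === "www-authenticate";
const schemeOf = (value) => value.trim().split(/\s+/)[0];

// Models the limitation Eric describes: every WWW-Authenticate value is
// scanned to decide whether auto-auth applies (NTLM, Negotiate or Digest),
// but only the FIRST value is passed on, so that scheme wins. Returns the
// scheme name, or null when no supported challenge is present.
function schemeHandedToAuthPackage(headers) {
  const challenges = headers.filter(isAuthHeader).map(([, v]) => v);
  const supported = challenges.some((v) =>
    /^(NTLM|Negotiate|Digest)$/i.test(schemeOf(v))
  );
  return supported ? schemeOf(challenges[0]) : null;
}

// Richard's fix applied to the response instead of the server config:
// move every WWW-Authenticate value for `scheme` to the front, keep the
// relative order of the rest, and leave non-auth headers where they were.
function preferScheme(headers, scheme) {
  const want = scheme.toLowerCase();
  const auth = headers.filter(isAuthHeader);
  const preferred = auth.filter(([, v]) => schemeOf(v).toLowerCase() === want);
  const others = auth.filter(([, v]) => schemeOf(v).toLowerCase() !== want);
  return [...preferred, ...others, ...headers.filter((h) => !isAuthHeader(h))];
}

// The same reordering in FiddlerScript (JScript.NET, assumed API names) would
// sit in OnBeforeResponse, guarded by `oSession.responseCode == 401`:
//   var vals = oSession.oResponse.headers.GetValues("WWW-Authenticate");
//   oSession.oResponse.headers.RemoveAll("WWW-Authenticate");
//   ...then Add("WWW-Authenticate", v) for each value in the preferred order.
```

Before the fix the first challenge is Negotiate (so a Kerberos ticket goes out); after `preferScheme(CHALLENGE_401, "NTLM")` the first challenge is NTLM, which is what the application in the thread required.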

EricLaw

Oct 22, 2012, 3:10:39 PM
to httpf...@googlegroups.com
Fiddler pools authenticated client sockets for reuse. For NTLM/Negotiate/Kerberos authenticated server sockets, however, the fiddler.network.auth.reusemode preference comes into play. Try setting this preference to 2 and restarting Fiddler to see if it makes a difference in your scenario.  (If not, that suggests that the server has either closed the connection on response, or is unwilling to accept a POST without an immediate challenge).
 
From the Fiddler book:
 

Name: fiddler.network.auth.ReuseMode
Default: 0
Explanation
This preference controls how Fiddler is willing to reuse server connections upon which an authentication (HTTP header authentication or HTTPS client certificate authentication) has taken place.
The default value of 0 requires "Process Affinity." Fiddler will only reuse the authenticated connection to service requests that originated from the same process that authenticated the connection originally.
The value 1 requires "Client Connection Marriage." Fiddler will only reuse the authenticated connection to service requests that originated from the same client connection that authenticated the connection originally.
The value 2 allows "Arbitrary reuse." Fiddler will reuse the authenticated connection to service any request from any client. Warning: This value will yield better performance but unexpected and insecure behavior.

RReukema

Oct 22, 2012, 3:36:33 PM
to httpf...@googlegroups.com
 
I have your book - found this in Appendix D - but I'm too much of a noob to know how to change this via script!  Does this setting have a UI counterpart?  If not, where in the script would one change this setting?

R

EricLaw

Oct 22, 2012, 3:56:44 PM
to httpf...@googlegroups.com
Cool-- thanks for your support in buying the book.
 
The QuickExec section of the book shows how to set preferences, as does the section named Preferences around page 78 (varies between PDF and paperback).
 
<snip>

Using the QuickExec box below the Web Sessions list, you can use the PREFS command to interact with Preferences. You can type prefs set [prefname] [prefvalue] to create or update a Preference’s value; wrap the value in quotation marks if it contains any spaces.

You can see all of the configured Preferences by typing about:config in the QuickExec box; this will create or activate the about:config tab in the Fiddler UI that lists all Preferences sorted alphabetically by name.

</snip>
