Re: NTLMv2 auth fail



Hi Adam,

thanks for your response.

- my version of libsoup is 2.56, which I think should be fine, I did not try with the latest version, yet

- I tried all combinations of my username

- I do not know what exactly the server requires and I do not know how to find out actually, also

Nevertheless, I captured NTLM headers from Firefox (successful auth) and Evolution (failed auth). I used the ntlmdecoder Python script. The Evolution case is the same with all the combinations of my username and password. Can you tell something out of this? Packet sniffing could be a little tricky, since the WS is accessible through SSL with PFS only.

Firefox:
client
Msg Type: 1 (Request)
Domain: '' [] (0b @0)
Workstation: '' [] (0b @0)
OS Ver: [omitted]
Flags: 0x88207 ["Negotiate Unicode", "Negotiate OEM", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Negotiate NTLM2 Key"]

server
Msg Type: 2 (Challenge)
Target Name: u'DOMAIN' (14b @56)
Challenge: 0xe0bc45bfca5fad87
Context: '' [] (0b @0)
Target: [block] (120b @70)
    AD domain name (2): DOMAIN
    Server name (1): EXCHANGE
    DNS domain name (4): domain.com
    FQDN (3): exchange.domain.com
    Parent DNS domain (5): domain.com
    Server Timestamp (7): �,(;A��
OS Ver: '???%????'
Flags: 0x2898205 ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Target Type Domain", "Negotiate NTLM2 Key", "Negotiate Target Info", "unknown"]

client
Msg Type: 3 (Response)
LM Resp: (24b @92)
NTLM Resp: (164b @116)
Target Name: '' [] (0b @64)
User Name: u'myu' (6b @64)
Host Name: u'WORKSTATION' [57004f0052004b00530054004100540049004f004e00] (22b @70)
Session Key: '' [] (0b @0)
OS Ver: 'm?y?u?W?'
Flags: 0x88205 ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Negotiate NTLM2 Key"]


Evolution:
> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug: SoupSessionAsync 1 (0x557127a95fa0), ESoapMessage 1 (0x557128794f40), SoupSocket 1 (0x557128796f30)
> Authorization: NTLM <56 chars>
Msg Type: 1 (Request)
Domain: '' [] (0b @40)
Workstation: '' [] (0b @40)
OS Ver: '????????'
Flags: 0x62088205 ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Negotiate NTLM2 Key", "unknown", "Negotiate 128", "Negotiate Key Exchange"]

< HTTP/1.1 401 Unauthorized
< Soup-Debug: ESoapMessage 1 (0x557128794f40)
< WWW-Authenticate: NTLM <256 chars>
Msg Type: 2 (Challenge)
Target Name: u'DOMAIN' (14b @56)
Challenge: 0x9b5fd4fb0b4c64d9
Context: '' [] (0b @0)
Target: [block] (120b @70)
    AD domain name (2): DOMAIN
    Server name (1): EXCHANGE
    DNS domain name (4): domain.com
    FQDN (3): exchange.domain.com
    Parent DNS domain (5): domain.com
    Server Timestamp (7): ��;C��
OS Ver: '???%????'
Flags: 0x62898205 ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Target Type Domain", "Negotiate NTLM2 Key", "Negotiate Target Info", "unknown", "Negotiate 128", "Negotiate Key Exchange"]

> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug: SoupSessionAsync 1 (0x557127a95fa0), ESoapMessage 1 (0x557128794f40), SoupSocket 1 (0x557128796f30), restarted
> Authorization: NTLM <64 chars>
Msg Type: 1 (Request)
Domain: '' [] (0b @0)
Workstation: '' [] (0b @0)
OS Ver: '????0???'
Flags: 0x88205 ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Negotiate NTLM2 Key"]

< HTTP/1.1 401 Unauthorized
< Soup-Debug: ESoapMessage 1 (0x557128794f40)
< WWW-Authenticate: NTLM <256 chars>
Msg Type: 2 (Challenge)
Target Name: u'DOMAIN' (14b @56)
Challenge: 0x59a2b54dfb26ce88
Context: '' [] (0b @0)
Target: [block] (120b @70)
    AD domain name (2): DOMAIN
    Server name (1): EXCHANGE
    DNS domain name (4): domain.com
    FQDN (3): exchange.domain.com
    Parent DNS domain (5): domain.com
    Server Timestamp (7): �3>C��
OS Ver: '???%????'
Flags: 0x2898205 ["Negotiate Unicode", "Request Target", "Negotiate NTLM", "Negotiate Always Sign", "Target Type Domain", "Negotiate NTLM2 Key", "Negotiate Target Info", "unknown"]

> POST /EWS/Exchange.asmx HTTP/1.1
> Soup-Debug: SoupSessionAsync 1 (0x557127a95fa0), ESoapMessage 1 (0x557128794f40), SoupSocket 1 (0x557128796f30), restarted
> Authorization: NTLM <176 chars>
Msg Type: 3 (Response)
LM Resp: (24b @84)
NTLM Resp: (24b @108)
Target Name: '' [] (0b @64)
User Name: u'myu' (6b @64)
Host Name: u'UNKNOWN' (14b @70)
Session Key: '' [] (0b @0)
OS Ver: 'm?y?u?U?'
Flags: 0x88201 ["Negotiate Unicode", "Negotiate NTLM", "Negotiate Always Sign", "Negotiate NTLM2 Key"]

 

Thanks

 

______________________________________________________________
> From: Adam Seering <adam seering org>
> To: <j2ev centrum cz>, <libsoup-list gnome org>
> Date: 09.07.2017 17:50
> Subject: Re: NTLMv2 auth fail
>

Hi,
    Did you ever get this figured out?

    If not, three questions:

- What version of libsoup do you have?  Have you tested with the latest version?
- Have you tried different permutations of your username?  DOMAIN\username, email@domain, etc -- I've seen servers become pickier after NTLMv2 is enabled.
- NTLMv2 is not a monolithic protocol; it has several pieces.  Do you know precisely what your server now requires?

    Libsoup has support for what are arguably the most commonly-used parts of NTLMv2.  However, that support was added within the last few years; some older versions of distros may still bundle libsoup versions that don't have this support.

    If you aren't able to get things working based on the above, I'd suggest any of the following as steps forward:

- Capture Evolution debug logs; play around to figure out precisely where in the NTLM negotiation process the failure is happening, the details of all responses that libsoup is returning to Evolution given a valid login, a valid username but a bad password, and a bad username.  (If there are no differences between any of these cases, then probably the server is no longer accepting the username in the format that you're providing it.)
- Pull up a network packet sniffer; investigate exactly what's going wrong.  (The NTLMv2 protocol is very well-documented.)

Adam

On July 4, 2017 10:28:11 AM <j2ev centrum cz> wrote:


Hello,
 
I am (was) using Evolution EWS as a client for our Exchange server. After we forced the use of NTLMv2 in our AD domain, I am unable to log in using NTLM. I asked on the Evolution mailing list (https://mail.gnome.org/archives/evolution-list/2017-July/msg00000.html) and I've been told to try to ask here, because NTLM auth is done through libsoup. I am able to successfully authenticate with the use of NTLM in Firefox and curl against the Exchange Web Service. Does anybody have an idea what I could try or how to debug?

 

Thanks

_______________________________________________
libsoup-list mailing list
libsoup-list gnome org
https://mail.gnome.org/mailman/listinfo/libsoup-list
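
Added example, not part of the original thread and not libsoup or ntlmdecoder code: a Python check of which response family a Type 3 `Authorization: NTLM` value carries, using the NT response length that differs between the two captures above (164 bytes from Firefox, 24 bytes from Evolution). `classify_type3` and `build_type3` are hypothetical names, and the two sample messages are constructed with dummy response bytes; the nonce-plus-zeros LM layout in the first sample is an assumption.

```python
import base64
import struct

UNICODE, NTLM2_KEY = 0x00000001, 0x00080000  # flag bits named in the decoder output

def _buf(msg, pos):
    """Return the bytes of the security buffer (len, maxlen, offset) at pos."""
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def classify_type3(header_value):
    """Classify the response carried in an 'NTLM <base64>' Authorization value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    msg = base64.b64decode(b64, validate=True)
    if (scheme != "NTLM" or len(msg) < 64 or msg[:8] != b"NTLMSSP\0"
            or struct.unpack_from("<I", msg, 8)[0] != 3):
        raise ValueError("not an NTLMSSP Type 3 (Response) message")
    lm, nt, user = _buf(msg, 12), _buf(msg, 20), _buf(msg, 36)
    flags = struct.unpack_from("<I", msg, 60)[0]
    kind = "unrecognised"
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        kind = "NTLMv2"            # 16-byte HMAC-MD5 proof + variable-length blob
    elif len(nt) == 24 and flags & NTLM2_KEY and lm[8:] == bytes(16):
        kind = "NTLM2 session"     # NTLMv1 family: LM = client nonce + 16 zeros
    elif len(nt) == 24:
        kind = "NTLMv1"
    name = user.decode("utf-16-le" if flags & UNICODE else "latin-1")
    return {"kind": kind, "nt_len": len(nt), "user": name, "flags": hex(flags)}

def build_type3(lm, nt, user, host, flags):
    """Build a constructed Type 3 message: 64-byte header, then the payload."""
    fields = {"user": user.encode("utf-16-le"), "host": host.encode("utf-16-le"),
              "lm": lm, "nt": nt, "domain": b"", "key": b""}
    payload, where = b"", {}
    for name in ("domain", "key", "user", "host", "lm", "nt"):   # payload order
        where[name] = (len(fields[name]), 64 + len(payload))
        payload += fields[name]
    header = b"NTLMSSP\0" + struct.pack("<I", 3)
    for name in ("lm", "nt", "domain", "user", "host", "key"):   # header order
        header += struct.pack("<HHI", where[name][0], where[name][0], where[name][1])
    msg = header + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(msg).decode()

# Constructed samples: sizes and flags follow the decoder output, bytes are dummies.
EVOLUTION_LIKE = build_type3(b"\x11" * 8 + bytes(16), b"\x22" * 24, "myu", "UNKNOWN", 0x88201)
FIREFOX_LIKE = build_type3(b"\x33" * 24, b"\x44" * 16 + b"\x01\x01" + bytes(146),
                           "myu", "WORKSTATION", 0x88205)
```

A 24-byte NT response is always from the NTLMv1 family (plain NTLMv1 or NTLM2 session security); an NTLMv2 response is longer because it appends the client blob to the 16-byte proof.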

