How to extract the NT username from NTLM message?

  • Thread starter Thread starter darin dimitrov
  • Start date Start date
D

darin dimitrov

Hello,

I would like to implement a server side script that extracts the
NT username from the "Authirization:" header that is sent from the
client. I configured IIS to use Windows Authentication and disabled
anonymous access in order to force the client send its credentials.
The authorization header that I receive in the last stage of the
negociation is of the form:

Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYA<Truncated>

I know that in ASP.NET we can use the AUTH_USER, LOGON_USER or
REMOTE_USER server variables in order to obtain the login information,
but I don't use ASP and I need to implement a parser that will be able
to do this.

So my question is: Does the "Authorization" header mentioned above
contains the username of the person who accessed my script? If the
answer is "yes" then could you please point me to some interesting
articles that discuss how to extract the username from such a header
using the .NET framework? I have read through the The NTLM
Authentication Protocol (http://davenport.sourceforge.net/ntlm.html)
but it didn't help me much - I find it difficult to implement. Thanks
in advance for any suggestions.
 
darin said:
So my question is: Does the "Authorization" header mentioned above
contains the username of the person who accessed my script? If the
answer is "yes" then could you please point me to some interesting
articles that discuss how to extract the username from such a header
using the .NET framework? I have read through the The NTLM
Authentication Protocol (http://davenport.sourceforge.net/ntlm.html)
but it didn't help me much - I find it difficult to implement. Thanks
in advance for any suggestions.
Click to expand...

I can tell you for certain that the Authorization header does not
contain the user's NT login name.


--ChrisBilson
 
darin said:
Hello,

I would like to implement a server side script that extracts the
NT username from the "Authirization:" header that is sent from the
client. I configured IIS to use Windows Authentication and disabled
anonymous access in order to force the client send its credentials.
The authorization header that I receive in the last stage of the
negociation is of the form:

Authorization: NTLM TlRMTVNTUAADAAAAGAAYAHIAAAAYA<Truncated>

I know that in ASP.NET we can use the AUTH_USER, LOGON_USER or
REMOTE_USER server variables in order to obtain the login information,
but I don't use ASP and I need to implement a parser that will be able
to do this.

So my question is: Does the "Authorization" header mentioned above
contains the username of the person who accessed my script? If the
answer is "yes" then could you please point me to some interesting
articles that discuss how to extract the username from such a header
using the .NET framework? I have read through the The NTLM
Authentication Protocol (http://davenport.sourceforge.net/ntlm.html)
but it didn't help me much - I find it difficult to implement. Thanks
in advance for any suggestions.
Click to expand...

That document is probably exactly what you need to understand.

The client sends that Type 3 Authorization header in response to the
server's 401 result.

The Type 3 header is base64 encoded, and includes the user's domain and
username. Simply base64 decode the string in the authorization header
(convert.FromBase64String() will help you here). The data at offset 36
in the buffer will tell you where the username is and how long it is.

Of course, the password is hashed and is not available.
 
Back
Top