erlandranvinge / ntlm.js

Implementation of Microsoft NTLM in javascript. Allows you to do that NTLM ajax you've always wanted.
MIT License

Subdomains #1

Open jackowild opened 9 years ago

jackowild commented 9 years ago

This works fine for top level domain accounts but I'm having trouble getting it to work with sub domains.
For example, using the credentials Ntlm.setCredentials('TEST.COM', 'JACK', 'JACK') works fine.
However using the credentials Ntlm.setCredentials('SUB.TEST.COM', 'JACK', 'JACK') tells me my credentials are wrong even though I know they are definitely right.
I appreciate any help in advance.

erlandranvinge commented 9 years ago

Hey. Sorry for the somewhat late reply. I have a hunch about the problems you're encountering, but I haven't had the time to test it out.

One of the references I used when I put this together, http://www.innovation.ch/personal/ronald/ntlm.html states that the NTLM hostname should not be a FQDN (fully qualified domain name): "The host name is only the host name, not the FQDN (e.g. just "GOOFY", not "GOOFY.DISNEY.COM").".

When looking at my code (line 239): var hostname = Ntlm.getLocation(url).hostname; This hostname is then used as an NTLM hostname when building the messages. This is problematic, because the hostname will include subdomains, which is clearly against the protocol specification. Addressing this should be rather easy, i.e. parsing out the actual domain name without subdomains and using this instead.

Hopefully, this will address the problem.

TL;DR: Bad news: I think you have found a bug in my implementation. Good news: It's probably quite easy to fix.

jackowild commented 9 years ago

Sorry I don't think you have understood my problem, my fault for not explaining it properly.
I didn't mean the subdomain of the hostname that I am logging into. I meant the subdomain in Active Directory, i.e. an organisational unit under the top-level Active Directory account. For example, say my NTLM-protected website is at hostname http://test.com. I want to log in using my OU account jack@jack.test.com. My problem is that this doesn't work; however, if I log in using a top-level account such as jack@test.com then it does work.
FYI: I tried using only the hostname, not the FQDN. Again this worked with my top level active directory account but not my OU account.
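The two naming points raised so far in this thread, as an added example that is not code from ntlm.js or from either commenter: the NTLM Workstation field should carry the bare host label rather than the FQDN (the "GOOFY", not "GOOFY.DISNEY.COM" point from the reference quoted above), and the DomainName/UserName fields have to be split out of whatever form the credential arrives in (DOMAIN\user, user@dns.domain, or a domain supplied separately as in Ntlm.setCredentials). The helper names workstationFromUrl, netbiosDomainCandidate and parseCredential are my own, and new URL() stands in for Ntlm.getLocation(). Two assumptions are marked in the code: a placeholder workstation name for IP-literal hosts, and that the NetBIOS domain name is the leftmost DNS label in upper case, which is the common default but is not guaranteed for a child domain such as jack.test.com. The thread does not establish whether the server needed the NetBIOS form, so the parser returns both the domain as given and the derived candidate.

```javascript
// Added example, not code from ntlm.js. Derives the NTLM Workstation and
// DomainName/UserName fields from a URL and a credential string.
// Helper names are hypothetical; assumptions are marked inline.

// NTLM wants the bare NetBIOS-style host name ("GOOFY"), not the FQDN
// ("GOOFY.DISNEY.COM"). A browser cannot read the client's real computer
// name, so, like ntlm.js, this takes the target URL's hostname, but keeps
// only the first label. new URL() stands in for Ntlm.getLocation().
function workstationFromUrl(url) {
  const hostname = new URL(url).hostname;
  const isIpv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
  const isIpv6 = hostname.includes(":"); // URL.hostname keeps the brackets, e.g. "[::1]"
  if (isIpv4 || isIpv6) {
    // Assumption: an IP literal has no host label, so send a fixed placeholder.
    return "WORKSTATION";
  }
  // NetBIOS names are at most 15 characters and conventionally upper case.
  return hostname.split(".")[0].toUpperCase().slice(0, 15);
}

// Assumption: the NetBIOS domain name is the leftmost DNS label in upper
// case ("jack.test.com" -> "JACK", "SUB.TEST.COM" -> "SUB"). That is the
// usual default, but a forest can give a child domain a different NetBIOS
// name, so callers should treat this as a candidate, not a certainty.
function netbiosDomainCandidate(dnsOrNetbiosName) {
  return dnsOrNetbiosName.split(".")[0].toUpperCase().slice(0, 15);
}

// Split a credential into the pieces NTLM needs. Accepts "DOMAIN\user",
// "user@dns.domain" (UPN) and a bare "user" with a separately supplied
// domain (the Ntlm.setCredentials(domain, user, password) style).
function parseCredential(identity, suppliedDomain) {
  let domain = suppliedDomain || "";
  let user = identity;
  const backslash = identity.indexOf("\\");
  const at = identity.lastIndexOf("@");
  if (backslash !== -1) {
    domain = identity.slice(0, backslash);
    user = identity.slice(backslash + 1);
  } else if (at !== -1) {
    user = identity.slice(0, at);
    domain = identity.slice(at + 1);
  }
  return {
    user,
    domain, // as given (DNS or NetBIOS form)
    netbiosDomain: domain ? netbiosDomainCandidate(domain) : "",
  };
}

// Usage with the names from this thread (constructed input):
const fields = parseCredential("jack@jack.test.com");
console.log(workstationFromUrl("http://test.com/"), fields);
// prints: TEST { user: 'jack', domain: 'jack.test.com', netbiosDomain: 'JACK' }
```

If the server still rejects the child-domain account after the Workstation field is trimmed, the next thing to try is the NetBIOS candidate in the DomainName field with the plain user name, since that is the pair a domain controller matches against for an NTLM logon; if the NetBIOS name of the child domain differs from its first DNS label, it has to be supplied explicitly rather than derived.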

erlandranvinge commented 9 years ago

Hey, OK, no worries. I have to look into the NTLM spec here, regarding usernames and domains.

jarrodek commented 8 years ago

Hi. Is there still an issue here? I'd like to use this library in my project and I'm not sure if this works :)

erlandranvinge commented 8 years ago

Hey. That would be my guess. I haven't gotten around to fixing this yet. In fact, I haven't even looked into this enough to be able to determine if this is an actual bug or if this is something on the server side (e.g. https://support.microsoft.com/en-us/kb/896861). However, this will only affect you if you plan on using Active Directory subdomains.

When I built ntlm.js I didn't even have a full active directory to authenticate against, I used a standard IIS-instance with NTLM enabled.

jarrodek commented 8 years ago

OK, thanks for the clarification.