knavesec / CredMaster

Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

Fix NtlmAuth #35

Closed cwiph closed 1 year ago

cwiph commented 1 year ago

The current version of CredMaster uses the default Python requests_ntlm package, which does not work with the x-amzn-remapped-www-authenticate headers.

This pull request ships a custom version of requests_ntlm to honor the x-amzn-remapped-www-authenticate header instead of the original www-authenticate header.

cheers @niph_

techspence commented 1 year ago

I've actually been playing around with the OWA and EWS plugins a bit lately, trying to get NTLM auth to work. I got excited when I saw this pr. I just tested your updated code on my test on-prem owa server and NTLM auth still seems to not work for me. I get HTTP 401 errors even for accounts I know (because it's my server) are valid. Any ideas for troubleshooting further?

cwiph commented 1 year ago

Hey, unfortunately I do not have an actual OWA instance to debug this. I am using a self-written NTLM server which, as it seems, behaves differently than OWA.

I added some debug output which might help you to troubleshoot the issue. I will look further into the actual NTLM messages and see if I can figure out what's wrong. However, without a testing environment it will probably take some time.

cwiph commented 1 year ago

Could you maybe give it another try? Might have found the actual issue why it won't work against OWA.

techspence commented 1 year ago

For sure. I'll test this out and respond here with my results. Thank you!

cwiph commented 1 year ago

Okay, I guess the actual problem is related to the calculation of the certificate hash that is used for the calculation of the NTLM challenge response. So the above fix won't work.

cwiph commented 1 year ago

As it seems, I had some misconceptions about how NTLM actually works. In my opinion this will never work over an AWS API GW due to channel binding. In addition, I don't see a straightforward way to get the server_certificate_hash besides either sending a direct request to the server or letting the user supply the value.

Thus closing the PR and sorry for the confusion.
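To illustrate the channel-binding point raised above, here is an added example (not code from CredMaster or requests_ntlm) that computes the NTLM MsvChannelBindings token from a server certificate the way MS-NLMP/RFC 2744 define it, and shows why a server enforcing Extended Protection rejects an AUTHENTICATE message built against the certificate an intermediate gateway presents. The certificate bytes and SHA-256 choice are constructed assumptions; a real client derives the hash algorithm from the certificate's signature algorithm.

```python
import hashlib
import struct

# Constructed stand-ins for DER-encoded certificates (not real certificates):
# the origin server's own certificate and the one an API gateway presents.
ORIGIN_CERT_DER = b"constructed-der-bytes: origin server certificate"
GATEWAY_CERT_DER = b"constructed-der-bytes: API gateway certificate"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point binding: a hash of the DER certificate.
    SHA-256 is assumed here; real clients follow the cert's signature hash."""
    return hashlib.sha256(cert_der).digest()


def channel_binding_token(cert_der: bytes) -> bytes:
    """MS-NLMP MsvChannelBindings value: MD5 over the RFC 2744
    channel_bindings_struct whose application_data carries the
    tls-server-end-point binding. Address types and addresses are empty."""
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    cb_struct = (
        struct.pack("<I", 0)                      # initiator_addrtype
        + struct.pack("<I", 0)                    # initiator_address length (empty)
        + struct.pack("<I", 0)                    # acceptor_addrtype
        + struct.pack("<I", 0)                    # acceptor_address length (empty)
        + struct.pack("<I", len(app_data)) + app_data
    )
    return hashlib.md5(cb_struct).digest()


def server_accepts(client_cbt: bytes, server_cert_der: bytes) -> bool:
    """An EPA-enforcing server recomputes the token from its own certificate
    and compares it with the token embedded in the client's AUTHENTICATE."""
    return client_cbt == channel_binding_token(server_cert_der)


if __name__ == "__main__":
    # Direct TLS connection: the client hashes the origin certificate.
    direct = channel_binding_token(ORIGIN_CERT_DER)
    print("direct connection accepted:", server_accepts(direct, ORIGIN_CERT_DER))
    # Through a TLS-terminating gateway: the client only sees the gateway cert,
    # so its token cannot match what the origin server computes.
    proxied = channel_binding_token(GATEWAY_CERT_DER)
    print("via gateway accepted:", server_accepts(proxied, ORIGIN_CERT_DER))
```

The mismatch is exactly the defensive purpose of channel binding: a TLS-terminating hop between client and server changes the bound certificate, so the authentication fails unless the client can obtain the origin server's certificate hash out of band.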