Closed cwiph closed 1 year ago
I've actually been playing around with the OWA and EWS plugins a bit lately, trying to get NTLM auth to work. I got excited when I saw this pr. I just tested your updated code on my test on-prem owa server and NTLM auth still seems to not work for me. I get HTTP 401 errors even for accounts I know (because it's my server) are valid. Any ideas for troubleshooting further?
Hey, unfortunately I do not have an actual OWA instance to debug this. I am using a self-written NTLM server which behaves differently than OWA, as it seems.
I added some debug output which might help you to troubleshoot the issue. I will look further into the actual NTLM messages and see if I can figure out what's wrong. However, without a testing environment it probably will take some time.
Could you maybe give it another try? Might have found the actual issue why it won't work against OWA.
For sure. I'll test this out and respond here with my results. Thank you!
Okay, I guess the actual problem is related to the calculation of the certificate that is used for the calculation of the NTLM challenge response. So the above fix won't work.
As it seems I had some misconceptions about how NTLM actually works. In my opinion this will never work over an AWS API GW due to channel binding. In addition, I don't see a straightforward way to get the `server_certificate_hash` besides either sending a direct request to the server or letting the user supply the value.
Thus closing the PR and sorry for the confusion.
The current version of CredMaster uses the default Python `requests_ntlm` package which does not work with the `x-amzn-remapped-www-authenticate` headers. This pull request ships a custom version of `requests_ntlm` to honor the `x-amzn-remapped-www-authenticate` header instead of the original `www-authenticate` header.

cheers @niph_
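To illustrate why channel binding stops NTLM from traversing a TLS-terminating intermediary such as an API gateway, here is an added Python example (not CredMaster or requests_ntlm code) that derives the NTLMv2 channel binding value from a server certificate as MS-NLMP and RFC 5929 describe. The certificate bytes are constructed stand-ins, and SHA-256 is assumed as the certificate hash.

```python
import hashlib
import struct

# Constructed stand-ins for DER-encoded certificates (not real certificates):
# the one a client sees from a TLS-terminating intermediary, and the origin's own.
GATEWAY_CERT_DER = b"constructed-gateway-certificate-der"
ORIGIN_CERT_DER = b"constructed-origin-server-certificate-der"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point binding: a hash of the server certificate.

    RFC 5929 derives the hash from the certificate's signature algorithm and
    falls back to SHA-256 for MD5/SHA-1; SHA-256 is assumed here for brevity.
    """
    return hashlib.sha256(cert_der).digest()


def gss_channel_bindings(application_data: bytes) -> bytes:
    """Pack a gss_channel_bindings_struct as NTLM consumes it.

    Initiator/acceptor address types and lengths are zero; only the
    application_data field (the channel binding itself) is populated.
    Lengths are little-endian, matching common NTLM implementations.
    """
    header = struct.pack("<IIII", 0, 0, 0, 0)  # addrtype/length pairs, all zero
    return header + struct.pack("<I", len(application_data)) + application_data


def ntlm_channel_binding_hash(cert_der: bytes) -> bytes:
    """16-byte value carried in the NTLMv2 MsvAvChannelBindings AV pair.

    MS-NLMP defines it as MD5 over the packed gss_channel_bindings_struct
    whose application_data is "tls-server-end-point:" + certificate hash.
    """
    app_data = b"tls-server-end-point:" + tls_server_end_point(cert_der)
    return hashlib.md5(gss_channel_bindings(app_data)).digest()


def bindings_match(client_seen_cert: bytes, server_own_cert: bytes) -> bool:
    """True only when both sides derived the binding from the same certificate."""
    return ntlm_channel_binding_hash(client_seen_cert) == ntlm_channel_binding_hash(server_own_cert)


if __name__ == "__main__":
    # Direct connection: the client binds to the certificate the origin presents.
    print("direct  :", bindings_match(ORIGIN_CERT_DER, ORIGIN_CERT_DER))
    # Via an intermediary: the client binds to the gateway's certificate, but the
    # origin validates against its own, so the NTLMv2 response cannot verify.
    print("proxied :", bindings_match(GATEWAY_CERT_DER, ORIGIN_CERT_DER))
```

This is the mechanism behind Extended Protection for Authentication: a response bound to one TLS endpoint is not valid at another.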