...
Unauthorized User Visits Web Site

```
http://glast-ground.slac.stanford.edu/

GET / HTTP/1.1
Host: glast-ground.slac.stanford.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: CFTOKEN=84811003; CFID=906

HTTP/1.x 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
Date: Sun, 19 Dec 2004 01:23:45 GMT
```
...
A hash of these credentials (not the credentials themselves) is passed to the web server (the line Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= in the listing below), which allows the web server to look up the user in the Windows password database and to construct a unique encrypted challenge that the browser can only decrypt with the user's unique password. The long line of characters sent by the web server to the browser (after WWW-Authenticate: NTLM in the listing below) is the encrypted challenge:
Web Server Challenges User

```
http://glast-ground.slac.stanford.edu/

GET / HTTP/1.1
Host: glast-ground.slac.stanford.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: CFTOKEN=84811003; CFID=906
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

HTTP/1.x 401 Unauthorized
Content-Length: 1539
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgokCub9Oy9DBXqAAAAAAAAAAALwAvABA
    AAAABQLODgAAAA9TAEwAQQBDAAIACABTAEwAQQBDAAEADgBHAEwAQQBTAF
    QAMAA1AAQAKgB3AGkAbgAuAHMAbABhAGMALgBzAHQAYQBuAGYAbwByAGQAL
    gBlAGQAdQADADoAZwBsAGEAcwB0ADAANQAuAHcAaQBuAC4AcwBsAGEAYwAu
    AHMAdABhAG4AZgBvAHIAZAAuAGUAZAB1AAUAKgB3AGkAbgAuAHMAbABhAGM
    ALgBzAHQAYQBuAGYAbwByAGQALgBlAGQAdQAAAAAA
Date: Sun, 19 Dec 2004 01:24:06 GMT
```
The browser then attempts to decrypt the challenge with the user's password to get the answer to the challenge, which it sends to the web server as proof that the user is who they claim to be. In the listing below, the string of characters after Authorization: NTLM is what the browser thinks the answer is. In this case, the user provided valid SLAC credentials to the browser, and the original page is served:
Browser Correctly Answers the Challenge and Web Server Sends Original Page

```
http://glast-ground.slac.stanford.edu/

GET / HTTP/1.1
Host: glast-ground.slac.stanford.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: CFTOKEN=84811003; CFID=906
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAAAAABAAAAAEAAQAEAAAAAO
    AA4AUAAAAAAAAAAAAAAABYIIAGwAYQBuAGcAcwB0AG8AbgB0AHIAaQBuAGkAdAB5AGnvMd+cF8Ap
    AAAAAAAAAAAAAAAAAAAAAKR+uySl79KWtB9ldk9LLw/n1IUXoy8IeQ==

HTTP/1.x 200 OK
Connection: close
Date: Sun, 19 Dec 2004 01:24:08 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: JSESSIONID=98307ef1b78b$3F$B77B;path=/
Set-Cookie: CFAUTHORIZATION_glast_ground=;expires=Fri, 19-Dec-2003 01:24:08 GMT;path=/
Content-Type: text/html; charset=UTF-8
```
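As an added example (not part of the original page), the Python code below decodes the three NTLM tokens from the listings above and shows what each message carries: negotiation flags in the first, the server's 8-byte challenge and target name in the second, and the user name, workstation name and challenge responses in the third. The function names and the latin-1 fallback for non-Unicode strings are assumptions of this example; the field offsets follow the NTLMSSP message layout.

```python
import base64
import struct

# NTLM tokens copied from the Authorization / WWW-Authenticate headers in the
# listings on this page, with the line-wrap whitespace removed.
TYPE1 = "TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
TYPE2 = ("TlRMTVNTUAACAAAACAAIADgAAAAFgokCub9Oy9DBXqAAAAAAAAAAALwAvABA"
         "AAAABQLODgAAAA9TAEwAQQBDAAIACABTAEwAQQBDAAEADgBHAEwAQQBTAF"
         "QAMAA1AAQAKgB3AGkAbgAuAHMAbABhAGMALgBzAHQAYQBuAGYAbwByAGQAL"
         "gBlAGQAdQADADoAZwBsAGEAcwB0ADAANQAuAHcAaQBuAC4AcwBsAGEAYwAu"
         "AHMAdABhAG4AZgBvAHIAZAAuAGUAZAB1AAUAKgB3AGkAbgAuAHMAbABhAGM"
         "ALgBzAHQAYQBuAGYAbwByAGQALgBlAGQAdQAAAAAA")
TYPE3 = ("TlRMTVNTUAADAAAAGAAYAF4AAAAYABgAdgAAAAAAAABAAAAAEAAQAEAAAAAO"
         "AA4AUAAAAAAAAAAAAAAABYIIAGwAYQBuAGcAcwB0AG8AbgB0AHIAaQBuAGkAdAB5AGnvMd+cF8Ap"
         "AAAAAAAAAAAAAAAAAAAAAKR+uySl79KWtB9ldk9LLw/n1IUXoy8IeQ==")

def _buf(msg, off):
    """Return the bytes named by the security buffer (len, maxlen, offset) at off."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def _text(raw, flags):
    # UTF-16LE when NEGOTIATE_UNICODE (0x1) is set; latin-1 is an assumed OEM fallback.
    return raw.decode("utf-16-le" if flags & 0x1 else "latin-1")

def parse_ntlm(token):
    """Decode one base64 NTLM token into the fields that message type carries."""
    msg = base64.b64decode(token)
    if len(msg) < 16 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if len(msg) < {1: 16, 2: 32, 3: 64}.get(mtype, 0):
        raise ValueError("truncated NTLM message")
    if mtype == 1:                      # negotiate: capability flags
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == 2:                      # challenge: 8-byte server nonce + target name
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": 2, "flags": flags, "target": _text(_buf(msg, 12), flags),
                "challenge": msg[24:32].hex()}
    if mtype == 3:                      # authenticate: names + challenge responses
        flags = struct.unpack_from("<I", msg, 60)[0]
        return {"type": 3, "flags": flags,
                "lm_response": _buf(msg, 12).hex(), "nt_response": _buf(msg, 20).hex(),
                "domain": _text(_buf(msg, 28), flags), "user": _text(_buf(msg, 36), flags),
                "workstation": _text(_buf(msg, 44), flags)}
    raise ValueError("unknown NTLM message type %d" % mtype)
```

The tokens are base64-encoded, not encrypted, so the same fields are readable by anyone who can observe the HTTP exchange; over plain http:// as in these listings, that includes the user name and workstation name in the third message.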
...