|
|
|
date: Sun, 29 Jun 2008 23:01:01 -0700,
group: microsoft.public.inetsdk.programming.scripting.jscript
back
How does IE7 manage to send a negotiate request to winrm?
Hi,
I am trying to get the negotiate auth working with WinRM.
The code is as follows,
I have created a XMLHttpRequest and am trying to get a WMI class through
WinRM through a POST request.
I have enabled only negotiate auth on WinRM side.
Iâve coded my javascript to send a POST request with a soap-xml.
When I try to get this code working from IE7, I find that the browser sends
the POST request with authorization set NTLM as the first request to the
WinRM server.
I am trying to understand how this is possible?
As far as I know the flow for negotiate should be as follows,
The client requests a protected resource from the server:
GET /index.html HTTP/1.1
The server responds with a 401 status, indicating that the client must
authenticate.
"NTLM" is presented as a supported authentication mechanism via the
"WWW-Authenticate" header.
Typically, the server closes the connection at this time:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
Connection: close
The client resubmits the request with an "Authorization" header containing a
Type 1 message parameter.
The Type 1 message is Base-64 encoded for transmission.
From this point forward, the connection is kept open; closing the connection
requires reauthentication of subsequent requests.
This implies that the server and client must support persistent connections,
via either the HTTP 1.0-style
"Keep-Alive" header or HTTP 1.1 (in which persistent connections are
employed by default).
The relevant request headers appear as follows (the line break in the
"Authorization" header below is for display purposes only, and is not present
in the actual message):
GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1
JLU1RBVElPTkRPTUFJTg==
The server replies with a 401 status containing a Type 2 message in the
"WWW-Authenticate" header (again, Base-64 encoded).
This is shown below (the line breaks in the "WWW-Authenticate" header are
for editorial clarity only, and are not present in the actual header).
HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAABAoEAASNFZ4mrze8
AAAAAAAAAAGIAYgA8AAAARABPAE0AQQBJAE4AAgAMAEQATwBNAEEASQBOAAEADABTA
EUAUgBWAEUAUgAEABQAZABvAG0AYQBpAG4ALgBjAG8AbQADACIAcwBlAHIAdgBlAHI
ALgBkAG8AbQBhAGkAbgAuAGMAbwBtAAAAAAA=
The client responds to the Type 2 message by resubmitting the request with
an "Authorization" header containing a Base-64 encoded Type 3 message
(again, the line breaks in the "Authorization" header below are for display
purposes only):
GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABAAA
AACAAIAEwAAAAWABYAVAAAAAAAAACaAAAAAQIAAEQATwBNAEEASQBOAHUAcwBlAHIA
VwBPAFIASwBTAFQAQQBUAEkATwBOAMM3zVy9RPyXgqZnr21CfG3mfCDC0+d8ViWpjB
wx6BhHRmspst9GgPOZWPuMITqcxg==
Finally, the server validates the responses in the client's Type 3 message
and allows access to the resource.
HTTP/1.1 200 OK
But what I find is that,
The first request which reaches the WinRM server is,
GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1
JLU1RBVElPTkRPTUFJTg==
Meaning IE is somehow able to figure out that NTLM is the authorization to
be used?
How is this done?
Any reason for WinRM to respond in this fashion (or) have I got something
wrong here?
Venkat
date: Sun, 29 Jun 2008 23:01:01 -0700
author: Venkat_srin
|
|
