Comments on: NTLM authentication in PHP – Now with NTLMv2 hash checking http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/ Thu, 19 Jan 2012 01:26:20 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: David C http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-18814 David C Mon, 09 Jan 2012 03:29:01 +0000 http://siphon9.net/loune/?p=68#comment-18814 @Loune Thanks a lot for checking this out. I've enabled NTLMv2 on my WinXP machine and everything is working now. Thanks for the great script! @Loune Thanks a lot for checking this out. I’ve enabled NTLMv2 on my WinXP machine and everything is working now.

Thanks for the great script!

]]> By: Loune http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-18731 Loune Fri, 06 Jan 2012 12:26:47 +0000 http://siphon9.net/loune/?p=68#comment-18731 @David I loaded up an XP machine (was using win7) and was able to replicate your issue. Seems like XP machines send NTLM (v1) by default where as the script expects NTLMv2. You need to force NTLMv2 as per this guide: http://www.imss.caltech.edu/node/396 Not sure if there's a way to force NTLMv2 from the server side, but I will amend the script to point that out if it gets a NTLM (v1) response from the client. @David I loaded up an XP machine (was using win7) and was able to replicate your issue. Seems like XP machines send NTLM (v1) by default where as the script expects NTLMv2. You need to force NTLMv2 as per this guide: http://www.imss.caltech.edu/node/396

Not sure if there’s a way to force NTLMv2 from the server side, but I will amend the script to point that out if it gets a NTLM (v1) response from the client.

]]> By: David C http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-18718 David C Fri, 06 Jan 2012 06:37:28 +0000 http://siphon9.net/loune/?p=68#comment-18718 Thanks Loune for the quick reply. I've tried my Windows XP workstation: PHP 5.2.8 + IIS 5.1 And a Linux Ubuntu server: PHP 5.3.1 + Apache 2.2.14 With Firefox 8 and IE 8. Script ntlm.php 1.2 downloaded today. I am using the PHP framework CodeIgniter, but have tried testing outside the framework with the same problem. Popup comes up (because current Windows credentials didn't work) and when I type in eg loune/test, the popup keeps coming up. I will try again another time, there's probably something obvious that I'll see after getting some sleep.. FYI In Windows I got the following error, which I fixed by uncommenting the preceding line: Message: iconv() [function.iconv]: Detected an incomplete multibyte character in input string Filename: third_party/ntlm.php Line Number: 94 Thanks Loune for the quick reply.
I’ve tried my Windows XP workstation: PHP 5.2.8 + IIS 5.1
And a Linux Ubuntu server: PHP 5.3.1 + Apache 2.2.14
With Firefox 8 and IE 8.
Script ntlm.php 1.2 downloaded today.

I am using the PHP framework CodeIgniter, but have tried testing outside the framework with the same problem. Popup comes up (because current Windows credentials didn’t work) and when I type in eg loune/test, the popup keeps coming up.
I will try again another time, there’s probably something obvious that I’ll see after getting some sleep..

FYI In Windows I got the following error, which I fixed by uncommenting the preceding line:
Message: iconv() [function.iconv]: Detected an incomplete multibyte character in input string
Filename: third_party/ntlm.php
Line Number: 94

]]> By: Loune http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-18708 Loune Fri, 06 Jan 2012 02:28:03 +0000 http://siphon9.net/loune/?p=68#comment-18708 @David It's been a while since I looked at this, but as far as I remember the domain doesn't matter because the server blob hash is generated with the domain provided by the client. What environment and what versions of software (php, firefox, ie, apache?) are you using in your test? I've just tried it with the ntlm.php script with apache 2 on firefox 9 / IE 9 and it works fine (prompt shows up and you enter the username/password in the userdb array). @David It’s been a while since I looked at this, but as far as I remember the domain doesn’t matter because the server blob hash is generated with the domain provided by the client.

What environment and what versions of software (php, firefox, ie, apache?) are you using in your test? I’ve just tried it with the ntlm.php script with apache 2 on firefox 9 / IE 9 and it works fine (prompt shows up and you enter the username/password in the userdb array).

]]> By: David C http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-18705 David C Fri, 06 Jan 2012 01:53:11 +0000 http://siphon9.net/loune/?p=68#comment-18705 I must be missing something, because I simply cannot get this script to authenticate me using FireFox or IE :( My $get_ntlm_user_hash_callback is returning the password hash, but the ntlm_verify_hash function produces a different $blobhash to the $clientblobhash. I noticed that the $domain value is used in $blobhash, even though in an earlier comment you've said it shouldn't have any effect. But every value I try hasn't helped.. Have spent all morning trying to figure it out, any traps I should be aware of? Thanks. I must be missing something, because I simply cannot get this script to authenticate me using FireFox or IE :(
My $get_ntlm_user_hash_callback is returning the password hash, but the ntlm_verify_hash function produces a different $blobhash to the $clientblobhash.
I noticed that the $domain value is used in $blobhash, even though in an earlier comment you’ve said it shouldn’t have any effect. But every value I try hasn’t helped..
Have spent all morning trying to figure it out, any traps I should be aware of? Thanks.

]]> By: Shadow http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-11523 Shadow Thu, 09 Jun 2011 15:09:08 +0000 http://siphon9.net/loune/?p=68#comment-11523 Great solution. Just for testing purposes, I have hash of my Windows password. How should I write the get_ntlm_user_hash function, to use this hash correctly ? Everything I've written isn't doing the job. Thank you in advance. Great solution. Just for testing purposes, I have hash of my Windows password. How should I write the get_ntlm_user_hash function, to use this hash correctly ? Everything I’ve written isn’t doing the job. Thank you in advance.

]]> By: Rois Cannon http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-10980 Rois Cannon Fri, 27 May 2011 20:59:23 +0000 http://siphon9.net/loune/?p=68#comment-10980 I got NTLM working in Linux/Apache but I also need the same credentials for MS SQL access. (This is on a private LAN.) Is it even possible to authenticate against AD and then use the same creds in PHP to authenticate MS SQL 2005 (which is also using the same AD) database access? I'd like to have SSO but I'll have to pass if I can't pass through the creds (or extract the password for access) on to authenticate SQL 2005. Thoughts? I got NTLM working in Linux/Apache but I also need the same credentials for MS SQL access. (This is on a private LAN.) Is it even possible to authenticate against AD and then use the same creds in PHP to authenticate MS SQL 2005 (which is also using the same AD) database access? I’d like to have SSO but I’ll have to pass if I can’t pass through the creds (or extract the password for access) on to authenticate SQL 2005.

Thoughts?

]]> By: Loune http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-9199 Loune Mon, 11 Apr 2011 11:17:59 +0000 http://siphon9.net/loune/?p=68#comment-9199 @peter, not sure what the problem with your JSP code would be. The difference between NTLMv1 and v2 is just with the password hashing and not the message formats. For a simple example of getting the username - see http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/ @peter, not sure what the problem with your JSP code would be. The difference between NTLMv1 and v2 is just with the password hashing and not the message formats. For a simple example of getting the username – see http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/

]]> By: peter http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-8892 peter Sun, 03 Apr 2011 11:32:39 +0000 http://siphon9.net/loune/?p=68#comment-8892 sorry, this was me asking, just wrote in the wrong fields.. :) <strong><em>Fixed</em></strong> sorry, this was me asking, just wrote in the wrong fields.. :)

Fixed

]]> By: peter http://siphon9.net/loune/2009/09/ntlm-authentication-in-php-now-with-ntlmv2-hash-checking/comment-page-1/#comment-8889 peter Sun, 03 Apr 2011 10:44:58 +0000 http://siphon9.net/loune/?p=68#comment-8889 no, I'm looking for the username... I have a piece of code (jsp) that works with NTLMv1, but not with v2... I thought the difference is the hashing.... But if it's not, what is? Thanks! no, I’m looking for the username… I have a piece of code (jsp) that works with NTLMv1, but not with v2… I thought the difference is the hashing…. But if it’s not, what is? Thanks!

]]>