如何在Windows Server 2012 R2上调试NTLM身份验证

Question

I have set up a SOAP service on a virtual machine running Windows Server 2012 r2. I secured it using NTLM and I managed to access it from the host computer using SoapUI . So far so good...

I am now trying to access my service, still from the host, but using a golang program this time. I am using this library to do it (I only had to implement the GenerateNegotiateMessage() method and made sure that the Negotiate flags are the same as the ones of SoapUI).

To make sure that I did things right, I downloaded the source code of SoapUI and compared the outputs (NegotiateMessage and AuthenticateMessage) of my golang program and SoapUI. If I fix the inputs (timestamp and random client challenge), I do get the same outputs. However, when I try to connect to the service, I get a 401 with "Access is denied due to invalid credentials". No need to say I'm 100% sure the credentials are right as I am able to access the service with the same credentials using SoapUI. So there must be something wrong in my go code. But to figure it out, I would need more logs from my Windows Server. Any idea of where I could start looking?

Below is the web.config of my Soap service:

<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true"/>
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5"/>
    <httpRuntime targetFramework="4.5"/>
    <trace enabled="true" pageOutput="true" requestLimit="40" localOnly="false"/>
  </system.web>
  <system.serviceModel>

    <diagnostics wmiProviderEnabled="true">
      <messageLogging
           logEntireMessage="true"
           logMalformedMessages="true"
           logMessagesAtServiceLevel="true"
           logMessagesAtTransportLevel="true"
           maxMessagesToLog="3000"
       />
    </diagnostics>

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <bindings>
      <basicHttpBinding>
        <binding>
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Ntlm" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"/>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel" switchValue="All" propagateActivity="true">
        <listeners>
          <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\logs\TextWriterOutput.log"/>
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
</configuration>

Thanks a lot for your help!

Answer 1

I eventually managed to solve my problem. It came from the fact that I wasn't reading entirely the response body of my HTTP request in my golang program. Therefore, every time I made a request, the server interpreted as a new connection but the NTLM authentication scheme requires all the requests to be made in a single connection. It's actually this answer that solved my problem.

For future coders, this is the code that you should use if you want to reuse the same connection:

res, _ := client.Do(req)
io.Copy(ioutil.Discard, res.Body)
res.Body.Close()

To conclude, I didn't manage to get much info from the logs of Windows. The tools that put me on the right track were the Failed Request Tracer that you can access from the IIS Manager and the goold old Wireshark to compare the requests made by my program and those of SoapUI.

Hope this can be useful to someone.