实现 NTLM 授权的 C# 助手类

Question

Currently I'm trying to solve my problem — which is implement NTLM authorization on my intranet site in the way how I think it should work, namely ask password only on certain pages. Not just hitting main page — so site should be divided on two pieces: available for all and restricted.

The issue I'm using Nancy framework and it does not implement NTLM natively. But this will not stop the real cowboy programmer. So I'm trying to develop custom request / response sequence to accomplish this goal.

For now I have discovered this Q&A , but solution there is glued to the IIS...

I have discovered site with a lots of complex information about NTLM and I wondering is there any C# class to simplify this process?

Namely, helping to create responses of different types.

Currently my code looks like this:

Get["/Profile/"] = parameters =>
{
    var request = this.Request;

    if (this.Request.Headers.Keys.Any(x => x == "Authorization"))
    {
        var items = Response.Context.Items;

        var expert = new Expert(WindowsIdentity.GetCurrent());
        var model = expert.Ensure();

        return View["Profile.liquid", model];
    }
    else
    {
        var response = new Response();
        response.StatusCode = HttpStatusCode.Unauthorized;
        response.Headers.Add("WWW-Authenticate", "NTLM");
        return response;
    }
};

But it implements only first stage of NTLM authorization. Is it possible to avoid lots of manual code to implement other steps by involving ready to use helper?

Answer 1

If you really want to write all this yourself I think you're in for a bit of a mammoth task. This URL may help you, it has information on NTLM auth in general, but also shows an example of the conversation for HTTP authentication using NTLM:

http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication

Another possible avenue to explore is to see if there's anything in the Mono code base that you can make use of - that's what we did with the built in JSON serializer.

Another option is to use forms or basic auth, but authenticate the usernames/passwords against AD/LDAP.

Answer 2

I have developed, merging several sources, a working implementation of the whole protocol: "NTLM"->"NTLM with client data"->"NTLM challenge"->"NTLM challenge from client" and everything works well and without the need for external liberaries. Only little problem is all C++ (hate playing with buffers in C# :P ), it's a 140kb C++ source. Everything can be found here: https://kendar.org/?p=/dotnet/kendarntlmlib

--HERE START BAD NEWS...--

as far as i understood on IIS this kind of things can work only as an ISAPI filter. Being NTLM a -connection based- protocol I were not able to do the request-response-request in the same http request while in an MVC controller, aspx page or ashx handler. And IIS does not expose any socket handle that can be used to "override" the standard connection-less approach of http but in the ISAPI part... (it's HTTP after all, but it's cutting my wings :P )

I hoped to use it like the basic authentication attribute i've seen used on Bonobo github clone... but no luck..

--HERE FINISH BAD NEWS--

Plus i had some problem loading a native DLL into a C#-ANyCPU compiled project, but this is easy :P ( http://blogs.msdn.com/b/jorman/archive/2007/08/31/loading-c-assemblies-in-asp-net.aspx just for reference)

Answer 3

I need an example of using https://github.com/toolchain/Nancy.Authentication.Ntlm with users restrictions on some Nancy views. Thank you!