NTLM验证过程
参考文献:
正文
NTLM有Interactive和Noninteractive两种,Interactive就是用户登录类型的,只有client和DC两个参与者,而Noninteractive则是Client要去连接一个Server。在Microsoft NTLM给出了NTLM的Noninteractive验证过程,有如下7步过程:
- (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
- The client sends the user name to the server (in plaintext).
- The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
- The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
-
The server sends the following three items to the domain controller:
- User name
- Challenge sent to the client
- Response received from the client
- The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
- The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.
但是其中有些地方不够详细,我在本文中加以补充。NTLM是windows验证的一种,其过程如下图所示:
下面来详细解析NTLM验证过程,仍然是七步过程:
- 用户登录时输入的user name、password和domain name,然后Client端计算password的hash值并保存在本地
- 客户端将user name的明文发送给DC
- DC生成一个16-byte的随机数,叫做challenge,传输给client
- client收到challenge以后,在复制一份拷贝,然后将其中一个challenge用password hash加密,这个叫做response,然后将challenge,response以及user name传送给server
- server端在收到client传送过来的三份内容以后将它们转发给DC
- DC在收到user name,response,challenge以后,根据user name在account database中找到其对应的password hash,然后用这个password hash加密challenge
- 最后一步是客户端将response跟加密后的challenge进行比较,如果相同则NTLM验证成功。
在Microsoft NTLM的最后还提到了另外一点,就是让我们不要直接使用NTLM,而是使用negotiate。如果使用negotiate的话,那么windows会判断kerberos是否可用,如果可用就优先使用kerberos,否则使用NTLM。kerberos的安全性要比NTLM要高。
在sharepoint的中就有NTLM和negotiate的选择,默认选择的是NTLM,如果知道如何配置kerberos的话,建议使用negotiate模式。
