NTLM comes in two forms, Interactive and Noninteractive. Interactive is the user-logon case, with only two participants, the client and the DC; Noninteractive is the case where a client connects to a server. Microsoft's NTLM documentation describes the Noninteractive authentication process in the following 7 steps:
- (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
- The client sends the user name to the server (in plaintext).
- The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
- The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
- The server sends the following three items to the domain controller:
  - User name
  - Challenge sent to the client
  - Response received from the client
- The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
- The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.
Some parts of this are not detailed enough, and I fill them in here. NTLM is one of the Windows authentication methods; its process is shown in the figure below:
Here is a detailed walk-through of the NTLM authentication process, again in seven steps:
- When logging on, the user enters a user name, password and domain name; the client then computes the hash of the password and keeps it locally
- The client sends the user name in plaintext to the DC
- The DC generates a 16-byte random number, called the challenge, and sends it to the client
- After the client receives the challenge, it makes a copy of it, then encrypts one copy with the password hash; the result is called the response. The client then sends the challenge, the response and the user name to the server
- After the server receives these three items from the client, it forwards them to the DC
- After the DC receives the user name, response and challenge, it uses the user name to look up the corresponding password hash in the account database, then encrypts the challenge with that password hash
- In the last step the client compares the response with the encrypted challenge; if they are identical, NTLM authentication succeeds.
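The challenge/response exchange walked through above, as an added simulation (not code from the original post or from Microsoft). It models the three roles, with the client keeping only a hash of the password, the server forwarding user name, challenge and response, and the DC recomputing the response from its stored hash. The hash and keyed function are assumptions: real NTLM derives the NT hash with MD4 over the UTF-16LE password and uses DES (v1) or HMAC-MD5 (v2) over the challenge; SHA-256 and HMAC-SHA256 stand in here so the example runs on any Python.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Step 1: one-way hash of the password; the plaintext is discarded afterwards.
    # Stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # Step 4: keyed function of the challenge under the password hash.
    # Stand-in for DES (NTLMv1) / HMAC-MD5 (NTLMv2).
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.pw_hash = password_hash(password)  # only the hash is kept locally

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(self.pw_hash, challenge)


class DomainController:
    def __init__(self, accounts: dict):
        # Constructed account database: user name -> stored password hash.
        self.accounts = {u: password_hash(p) for u, p in accounts.items()}

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Steps 6-7: look up the hash, recompute the response, constant-time compare.
        pw_hash = self.accounts.get(user)
        if pw_hash is None:
            return False
        expected = compute_response(pw_hash, challenge)
        return hmac.compare_digest(expected, response)


class Server:
    def __init__(self, dc: DomainController):
        self.dc = dc

    def authenticate(self, client: Client, challenge: bytes = None) -> bool:
        user = client.user                                # step 2: user name in plaintext
        challenge = challenge or os.urandom(16)           # step 3: fresh 16-byte challenge
        response = client.respond(challenge)              # step 4: response from client
        return self.dc.verify(user, challenge, response)  # step 5: forward all three to DC
```

The server never learns the password or its hash; it only relays the triple to the DC, which is why a compromised DC database (the stored hashes) is enough to impersonate any user.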
At the end of Microsoft's NTLM page one more point is made: do not use NTLM directly, use Negotiate instead. With Negotiate, Windows checks whether Kerberos is available; if it is, Kerberos is used in preference, otherwise it falls back to NTLM. Kerberos is more secure than NTLM.
SharePoint offers a choice between NTLM and Negotiate, and the default is NTLM. If you know how to configure Kerberos, Negotiate mode is recommended.