private static void ValidateNtlmResponse(HttpContext context, string password,
NtlmAuthenticationMessage authMessage, byte[] challenge)
{
var hexExpectNtlmRes = authMessage.NtlmResponseData.BytesToHex();
var hexNtlmRes = NtlmResponses.GetNtlmResponse(password, challenge).BytesToHex();
if (!hexExpectNtlmRes.Equals(hexNtlmRes, StringComparison.InvariantCultureIgnoreCase))
{
SendUnauthorized(context);
}
else
{
MarkAsLogon(context);
}
}
private static void ValidateNtlmV2Response(HttpContext context, string userName, string password,
NtlmAuthenticationMessage authMessage, byte[] challenge)
{
var expectHmac = authMessage.NtlmResponseData.NewCopy(0, 16);
var expectBlob = authMessage.NtlmResponseData.NewCopy(16);
var hexExpectHmac = expectHmac.BytesToHex();
var actualHmac = NtlmResponses.GetNtlmV2ResponseHash(
authMessage.TargetName, userName, password, expectBlob, challenge);
var hexActualHmac = actualHmac.BytesToHex();
if (!hexExpectHmac.Equals(hexActualHmac, StringComparison.InvariantCultureIgnoreCase))
{
SendUnauthorized(context);
}
else
{
MarkAsLogon(context);
}
}
public static void CheckNtlmAuth(this HttpContext context, string userName, string password, Action <string> log)
{
MakeIdentity(context);
if (CheckLogon(context))
{
return;
}
var auth = context.Request.Headers["Authorization"];
if (string.IsNullOrWhiteSpace(auth) || !auth.StartsWith("NTLM"))
{
SendUnauthorized(context);
}
else
{
var base64 = auth.Substring(5); //skip "NTLM "
var token = Convert.FromBase64String(base64);
var header = token.ToStruct <MessageHeaderStruct>();
switch (header.Type)
{
case MessageType.Negotiation:
var message1 = NtlmNegotiateMessage.Parse(token);
SendChallengeMessage(context, message1, log);
break;
case MessageType.Authentication:
var message3 = new NtlmAuthenticationMessage(token);
ValidateAuthMessage(context, userName, password, message3, log);
break;
default:
SendUnauthorized(context);
break;
}
}
}
private static void ValidateAuthMessage(HttpContext context, string userName, string password,
NtlmAuthenticationMessage authMessage, Action <string> log)
{
log($"Message 3 Flags: {authMessage.Flags}");
log($"Message 3 UserName: {authMessage.UserName}");
log($"Message 3 HostName: {authMessage.HostName}");
log($"Message 3 TargetName: {authMessage.TargetName}");
if (authMessage.UserName.Equals(userName, StringComparison.InvariantCultureIgnoreCase))
{
if (authMessage.Message.NtlmResponseLength == 24)
{
ValidateNtlmResponse(context, password, authMessage, Challenge);
}
else
{
ValidateNtlmV2Response(context, userName, password, authMessage, Challenge);
}
}
else
{
SendUnauthorized(context);
}
}
