[python-win32] Hooking in NTLM...

[Mark Hammond]

Check out win32\demos\security\sspi - there you should find enough info to
get you started, including a *client* that uses NTLM to authenticate with a
server (which means in practice, you probably need to configure IIS for NTLM
auth to test this)

The issue with integrating it into httplib or similar is that the
authentication process is quite different than http basic auth.  In summary,
NTLM is a multi-step challenge/response system - ie, you end up taking a
number of requests, often 3, to get a "secure" channel.  Further, it is the
channel itself which is secured - eg, the socket.  Once the socket is
closed, you must re-authenticate from scratch again - the info you
negotiated in your first connection is no longer any use.

The only way I could find to integrate this with a httplib style class was
to implement an "onrequest callback" - a hook that the connection class
would call with the raw headers etc, and a way for that callback to modifiy
the request headers and tell the class to retry the operation with the new
headers.  At some stage, the callback will hopefully return a result
indicating auth is complete, so no further retries are necessary and comms
can continue without further worrying about auth until the socket closes.
Further, it then had to associate the authentication token with the socket
itself.

Hope this helps - check out the sspi demos and let me know if you have any
questions (the server side of the authentication dance is almost identical
to the client side, as you will see)

Cheers,

Mark


> -----Original Message-----
> From: python-win32-bounces at python.org [mailto:python-win32-
> bounces at python.org] On Behalf Of Trent Nelson
> Sent: Thursday, 12 June 2008 6:03 AM
> To: python-win32 at python.org
> Subject: [python-win32] Hooking in NTLM...
> 
> Howdy,
> 
> Mark, I vaguely recall a brief chat we had at PyCon where you said
> you'd hooked NTLM into, um, some sort of web-enabled Python environment
> ;-)  I can't remember the details (hope you can!), but I'm interested
> in whatever you came up with.  Currently, if I want to 'seamlessly' get
> a user's Windows domain login credentials, I set up httpd with
> mod_auth_sspi then redirect/proxy to a Python web-aware program (i.e.
> something on Twisted).
> 
> Would be nice to hook the NTLM stuff directly into the Python
> request/response http level, if possible.
> 
>         Trent.
> _______________________________________________
> python-win32 mailing list
> python-win32 at python.org
> http://mail.python.org/mailman/listinfo/python-win32