Winrm behaviour on negotiate auth..

Hi,
I am trying to get the negotiate auth working with WinRM.
The code is as follows,
I have created a XMLHttpRequest and am trying to get a WMI class through
WinRM through a POST request.
I have enabled only negotiate auth on WinRM side.
I’ve coded my javascript to send a POST request with a soap-xml.
When I try to get this code working from IE7, I find that the browser sends
the POST request with authorization set NTLM as the first request to the
WinRM server.

I am trying to understand how this is possible?
As far as I know the flow for negotiate should be as follows,

The client requests a protected resource from the server:
GET /index.html HTTP/1.1

The server responds with a 401 status, indicating that the client must
authenticate.
"NTLM" is presented as a supported authentication mechanism via the
"WWW-Authenticate" header.
Typically, the server closes the connection at this time:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM
Connection: close


The client resubmits the request with an "Authorization" header containing a
Type 1 message parameter.
The Type 1 message is Base-64 encoded for transmission.
From this point forward, the connection is kept open; closing the connection
requires reauthentication of subsequent requests.
This implies that the server and client must support persistent connections,
via either the HTTP 1.0-style
"Keep-Alive" header or HTTP 1.1 (in which persistent connections are
employed by default).
The relevant request headers appear as follows (the line break in the
"Authorization" header below is for display purposes only, and is not present
in the actual message):

GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1
JLU1RBVElPTkRPTUFJTg==

The server replies with a 401 status containing a Type 2 message in the
"WWW-Authenticate" header (again, Base-64 encoded).
This is shown below (the line breaks in the "WWW-Authenticate" header are
for editorial clarity only, and are not present in the actual header).

HTTP/1.1 401 Unauthorized
WWW-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAABAoEAASNFZ4mrze8
AAAAAAAAAAGIAYgA8AAAARABPAE0AQQBJAE4AAgAMAEQATwBNAEEASQBOAAEADABTA
EUAUgBWAEUAUgAEABQAZABvAG0AYQBpAG4ALgBjAG8AbQADACIAcwBlAHIAdgBlAHI
ALgBkAG8AbQBhAGkAbgAuAGMAbwBtAAAAAAA=

The client responds to the Type 2 message by resubmitting the request with
an "Authorization" header containing a Base-64 encoded Type 3 message
(again, the line breaks in the "Authorization" header below are for display
purposes only):

GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABAAA
AACAAIAEwAAAAWABYAVAAAAAAAAACaAAAAAQIAAEQATwBNAEEASQBOAHUAcwBlAHIA
VwBPAFIASwBTAFQAQQBUAEkATwBOAMM3zVy9RPyXgqZnr21CfG3mfCDC0+d8ViWpjB
wx6BhHRmspst9GgPOZWPuMITqcxg==

Finally, the server validates the responses in the client's Type 3 message
and allows access to the resource.
HTTP/1.1 200 OK


But what I find is that,
The first request which reaches the WinRM server is,
GET /index.html HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABzIAAAYABgArAAAACwALACAAAABXT1
JLU1RBVElPTkRPTUFJTg==


Meaning IE is somehow able to figure out that NTLM is the authorization to
be used?
How is this done?
Any reason for WinRM to respond in this fashion (or) have I got something
wrong here?


Venkat

Thanks a lot for your inputs.
Please find answers to questions which you had posed below,

1.> If you can find a link that supports what you believe the "handshake" <http://msdn.microsoft.com/en-us/library/ms995329.aspx>
The link talks about how the handshake should look like.

2.What OS? What version of WinRM? Have you tried the WinRM 2.0 CTP2 also?
OS - Windows 2003 server r2 sp1 rtm.
Version of winrm - 1.1
No, i have not tried the same on CTP2.
I will try now.
As i see the download of CTP2 i find that this works only on server'08 and
vista
I would like to see this also work for server'03 and XP!

3.> Sounds like you're using the WinRM COM interface. Have you tried a Yes, i have tried the same from mozilla and there the winrm server does not
provide the proper negotiation schemes.
That is the problem i am facing.
The winrm server is supposed to respond with the proper negotiation schemes
which it can support like NTLM,kerberos etc.
But it does not do it!
I wanted to know if this is a known issue?

Venkat

> 2.What OS? What version of WinRM? Have you tried the WinRM 2.0 CTP2 also? What's the setup as far as whether the client and server or in a domain
or workgroup? Are you testing this only locally by any chance by
connecting to localhost or 127.0.0.1?
The WinRM server depends on HTTP.sys. I don't see anything just yet
about whether the server-side could be an issue. After all, later
versions (maybe not IIS7) depend somewhat on HTTP.sys, so I'd assume if
IIS5 can do it, so can HTTP.sys.
I don't know.

Marco

Oh, and... You mention it is the client who doesn't appear to
negotiating properly.

Now, are you sure that's the first message coming from the client? Just
want to make sure you don't already have a session setup beforehand
which has determined the auth protocol already.

From what I understand, if you have keep-alives set on the server-side,
then you will continue with the same auth scheme once negotiated.

Marco

So how do i disable the server side keep-alive?
Is it possible that i do this through winrm?
I couldn't find such a thing in msdn though!

I think the best way to answer your question is to explain what the output
looks like in case of
the browser based script,

C->Server POST request sent

S->Client HTTP 401 WWW-Negotiate.

No schemes being sent.

The problem i am facing is that since the scheme is not being sent mozilla
is not able to negotiate this request!

Mozilla expects the response from the server to list down all the schemes
which are supported (like NTLM/Kerberos).

Also to answer your previous question(s),

I am trying to connect from a remote client box which is part of a domain to
a server which happens to be part of a workgroup.

I will try again to restart the server and see to that the server does not
work on an existing connection!


Venkat


"Marco Shaw [MVP]" wrote:

Attached find the wireshark dump.

I see only the response from winrm which says,

WWW-Authenticate: Negotiate\r\n where in i am expecting WWW-Authenticate: NTLM

No. Time Source Destination Protocol Info
185 19.559840 10.94.145.201 10.94.22.74 HTTP
HTTP/1.1 401

Ethernet II, Src: Dell_31:41:c8 (00:11:43:31:41:c8), Dst: Cisco_84:5a:41
(00:1b:53:84:5a:41)
Internet Protocol, Src: 10.94.145.201 (10.94.145.201), Dst: 10.94.22.74
(10.94.22.74)
Transmission Control Protocol, Src Port: http (80), Dst Port: lbc-sync
(2779), Seq: 1, Ack: 1461, Len: 191
Hypertext Transfer Protocol
HTTP/1.1 401 \r\n
Request Version: HTTP/1.1
Response Code: 401
Server: Microsoft-HTTPAPI/1.0\r\n
WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: Basic realm="WSMAN"\r\n
Date: Tue, 01 Jul 2008 18:23:54 GMT\r\n
Connection: close\r\n
Content-Length: 0
\r\n




No. Time Source Destination Protocol Info
187 19.560165 10.94.22.74 10.94.145.201 HTTP/XML
POST /wsman HTTP/1.1

Frame 187 (412 bytes on wire, 412 bytes captured)
Ethernet II, Src: Cisco_84:5a:41 (00:1b:53:84:5a:41), Dst: Dell_31:41:c8
(00:11:43:31:41:c8)
Internet Protocol, Src: 10.94.22.74 (10.94.22.74), Dst: 10.94.145.201
(10.94.145.201)
Transmission Control Protocol, Src Port: lbc-sync (2779), Dst Port: http
(80), Seq: 1461, Ack: 1, Len: 358
[Reassembled TCP Segments (1818 bytes): #184(1460), #187(358)]
Hypertext Transfer Protocol
POST /wsman HTTP/1.1\r\n
Request Method: POST
Request URI: /wsman
Request Version: HTTP/1.1
Host: 10.94.145.201:80\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2)
Gecko/2007121120 Firefox/3.0b2\r\n
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip,deflate\r\n
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
Keep-Alive: 300\r\n
Connection: keep-alive\r\n
Authorization: Basic\r\n
SOAPAction: Enumerate\r\n
Content-Type: application/soap+xml; charset=utf-8\r\n
Content-Length: 1281
Pragma: no-cache\r\n
Cache-Control: no-cache\r\n
\r\n
eXtensible Markup Language
<?xml
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>
http://10.94.145.201:80/wsman
</a:To>
<w:ResourceURI
s:mustUnderstand="true">

http://schemas.microsoft.com/wbem/ws...v2/cim_process
</w:ResourceURI>

<!--************************************\n\t<w:SelectorSet>\n\t\n\t\t<Selector
Name="">2</Selector>\n\t</w:SelectorSet>\n\t****************************************-->
<a:ReplyTo>
<a:Address
s:mustUnderstand="true">

http://schemas.xmlsoap.org/ws/2004/0...nonymous\n\t\t
</a:Address>
</a:ReplyTo>
<a:Action
s:mustUnderstand="true">
http://schemas.xmlsoap.org/ws/2004/0...tion/Enumerate
</a:Action>
<w:MaxEnvelopeSize
s:mustUnderstand="true">
153600
</w:MaxEnvelopeSize>
<a:MessageID>
uuid:OPH90OL1-PM15-PK62-MBX1-81350L03QD12
</a:MessageID>
<w:Locale
xml:lang="en-US"
s:mustUnderstand="false"/>
<w:OperationTimeout>
PT60.00S
</w:OperationTimeout>
</s:Header>
<s:Body>
<n:Enumerate>
<w:OptimizeEnumeration/>
<w:MaxElements>
20
</w:MaxElements>
</n:Enumerate>
</s:Body>
</s:Envelope>


No. Time Source Destination Protocol Info
6884 369.246843 10.94.145.201 10.94.22.74 HTTP
HTTP/1.1 401

Frame 6884 (245 bytes on wire, 245 bytes captured)
Ethernet II, Src: Dell_31:41:c8 (00:11:43:31:41:c8), Dst: Cisco_84:5a:41
(00:1b:53:84:5a:41)
Internet Protocol, Src: 10.94.145.201 (10.94.145.201), Dst: 10.94.22.74
(10.94.22.74)
Transmission Control Protocol, Src Port: http (80), Dst Port: nmsigport
(2839), Seq: 1, Ack: 483, Len: 191
Hypertext Transfer Protocol
HTTP/1.1 401 \r\n
Request Version: HTTP/1.1
Response Code: 401
Server: Microsoft-HTTPAPI/1.0\r\n
WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: Basic realm="WSMAN"\r\n
Date: Tue, 01 Jul 2008 18:29:44 GMT\r\n
Connection: close\r\n
Content-Length: 0
\r\n



Look into the following link,
http://msdn.microsoft.com/en-us/library/cc208304.aspx

It says that the webserver should respond with a WWW-Authenticate: Negotiate.
But winrm does not!
Any reason for the same.

Venkat


"Venkat_srin" wrote: