Reference12r1:Concept Netlogon Windows Authentication


Revision as of 17:08, 20 October 2015


Netlogon can be used to verify user credentials against a Windows domain controller. myPBX can use this service to let users log in with their Windows password.

Applies to

  • innovaphone devices with a PBX from version 12r1.

How it works

The netlogon service relays NTLM challenge/response hashes to a Windows domain controller for verification; the password itself is never sent. myPBX uses the netlogon service to authenticate users with their Windows passwords.

Connection to the domain controller

The netlogon service needs to connect to the DC. It authenticates using a computer account in the domain.

  1. DNS is used to find the DC: the SRV record _ldap._tcp.example.com is queried (example.com stands for the DNS name of the domain) and the target host is resolved to an IP address.
  2. The RPC endpoint mapper on the DC (TCP port 135) is asked for the port on which the netlogon RPC service is listening.
  3. A connection is established to the netlogon service on that port. For authentication the configured computer name and computer password are used, so the password of the computer account in the domain must match the one configured on the device.

Login with windows password in myPBX

The login process using Windows credentials works in two steps. First an NTLM handshake is done, involving the netlogon service on the PBX and the Windows domain controller. As a result the PBX creates temporary credentials that the web application uses for a normal login in the second step.

NTLM handshake

The NTLM challenge-response mechanism is used to verify the user's Windows password against Active Directory. Only hash values are transmitted between the web application and the PBX, so the Windows password itself is never transmitted or stored on the PBX.

[Image: Netlogon_overview.png]

  1. The PBX chooses a random NTLM challenge and sends it to the browser.
  2. The web application asks the user for the Windows credentials and calculates the NTLM response from the password and the challenge. Only the response is sent back to the PBX.
  3. The PBX asks the netlogon service whether the NTLM response is valid for the given NTLM challenge.
  4. The netlogon service forwards the request to the domain controller.
  5. The domain controller verifies the NTLM response. It can do so because it has access to the password hash stored for the user in Active Directory. It then tells the netlogon service whether the login was OK.
  6. The netlogon service forwards the login result to the PBX.
  7. If the login was OK the PBX creates temporary credentials for the user: a random username and a random password that are associated with the user object in the PBX. This alias is sent to the web application in an encrypted message.
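
The handshake above, worked through in code as an added example (this is not innovaphone code and not the PBX firmware's implementation): the browser, PBX and domain controller roles are simulated in one process. It assumes NTLMv2 (the page only says NTLM) with a simplified client blob, and carries its own pure-Python MD4 because the NT hash is MD4 over the UTF-16LE password and hashlib's md4 is unavailable in many builds. Function names such as netlogon_login and dc_verify are the example's own.

```python
import hmac
import os
import struct
import time


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is disabled in many OpenSSL 3
    builds, and NT hashes are MD4 over the UTF-16LE password."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = state[:]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                p = (-i) % 4  # register updated in this step: a, d, c, b, a, ...
                y, z, w = v[(p + 1) % 4], v[(p + 2) % 4], v[(p + 3) % 4]
                v[p] = rotl((v[p] + func(y, z, w) + x[k] + const) & mask, shifts[i % 4])
        state = [(s + t) & mask for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: what the DC stores for the user; the password itself is never kept."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)), as in MS-NLMP."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def make_client_blob(client_nonce: bytes) -> bytes:
    """Simplified NTLMv2 client challenge blob (assumption: no AV pairs beyond the
    terminator; a real client also echoes the target info it got from the server)."""
    filetime = int((time.time() + 11644473600) * 10_000_000)  # 100 ns units since 1601
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_nonce + b"\x00" * 4 + b"\x00" * 4)


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr || blob: the only thing the browser sends back to the PBX."""
    proof = hmac.new(key, server_challenge + blob, "md5").digest()
    return proof + blob


def dc_verify(stored_nt: bytes, user: str, domain: str,
              server_challenge: bytes, response: bytes) -> bool:
    """What the DC does with the challenge/response pair relayed over netlogon."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain),
                        server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)


def netlogon_login(typed_password: str, stored_nt: bytes, user: str, domain: str) -> bool:
    """Steps 1-6 of the handshake, simulated in-process (constructed example)."""
    challenge = os.urandom(8)                               # 1: PBX picks an 8-byte challenge
    key = ntowf_v2(nt_hash(typed_password), user, domain)   # 2: browser derives key from password
    response = ntlmv2_response(key, challenge, make_client_blob(os.urandom(8)))
    # 3-6: PBX -> netlogon -> DC carry only (challenge, response); the DC answers yes/no
    return dc_verify(stored_nt, user, domain, challenge, response)


if __name__ == "__main__":
    stored = nt_hash("Password")   # what AD holds for user "User" (constructed sample)
    print("correct password:", netlogon_login("Password", stored, "User", "Domain"))
    print("wrong password:  ", netlogon_login("passw0rd", stored, "User", "Domain"))
```

Note what each party holds: the browser has the password, the DC has only the NT hash, and the PBX and the netlogon service see nothing but the 8-byte challenge and the response. Because the response is an HMAC keyed from the hash, an attacker reading the browser-to-PBX traffic gets material for an offline guess against the password, not the password itself, which is why the page's claim is "never transmitted", not "cannot be attacked". The test vectors used for nt_hash and ntowf_v2 are the ones published in MS-NLMP for user "User", domain "Domain", password "Password".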

myPBX authentication

For the actual login, myPBX uses the temporary credentials that were created during the NTLM handshake. The PBX deletes the temporary credentials when the user logs out again.
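
The life cycle of the temporary credentials, as an added illustration (not the PBX's code): a random alias and password are issued after a successful handshake, bound to the PBX user object, checked on the regular login, and deleted on logout. The lifetime limit and the decision to store only a hash of the temporary password are this example's own safeguards, not something the page states; the class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class TemporaryCredentials:
    """Issues the random alias/password pair handed to the web application after a
    successful NTLM check, binds it to a PBX user, and deletes it on logout.
    The lifetime is an added safeguard (assumption, not stated on the wiki page)."""

    def __init__(self, lifetime_s: int = 3600):
        self._by_alias = {}          # alias -> (user, password_hash, expires_at)
        self._lifetime_s = lifetime_s

    def issue(self, user: str):
        """Step 7 of the handshake: create the alias for a verified user."""
        alias = "tmp-" + secrets.token_urlsafe(12)     # random username
        password = secrets.token_urlsafe(24)            # random password, returned once
        # Store only a hash so a memory dump does not yield ready-to-use logins.
        self._by_alias[alias] = (user, hashlib.sha256(password.encode()).digest(),
                                 time.time() + self._lifetime_s)
        return alias, password

    def verify(self, alias: str, password: str):
        """Regular myPBX login with the temporary pair; returns the bound user or None."""
        entry = self._by_alias.get(alias)
        if entry is None:
            return None
        user, pw_hash, expires_at = entry
        if time.time() > expires_at:
            self._by_alias.pop(alias, None)             # stale alias: drop it
            return None
        if not hmac.compare_digest(pw_hash, hashlib.sha256(password.encode()).digest()):
            return None
        return user

    def logout(self, alias: str) -> bool:
        """The PBX deletes the temporary credentials when the user logs out."""
        return self._by_alias.pop(alias, None) is not None


if __name__ == "__main__":
    store = TemporaryCredentials()
    alias, pw = store.issue("alice")                    # constructed sample user
    print(alias, "->", store.verify(alias, pw))
    store.logout(alias)
    print(alias, "after logout ->", store.verify(alias, pw))
```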

Requirements

Windows domain

  • A computer account for the innovaphone device with a known password.
  • User authentication using NTLM must be allowed by domain policy (the domain controller must not be configured to refuse NTLM).

Device

  • Firmware from version 12r1.
  • Working DNS configuration.

PBX

  • The usernames (Name) of the user objects in the PBX must match the Windows user name (samAccountName).

Configuration

Usage

Tracing