Reference12r1:Concept Netlogon Windows Authentication: Difference between revisions

From innovaphone wiki
Jump to navigation Jump to search
Line 24: Line 24:


;Login:
;Login:
For the actual login, myPBX uses the temporary credentials. Additionally it stores them in the DOM storage of the browser.
For the actual login, myPBX uses the temporary credentials. When the user logs out the credentials are deleted both in the PBX and the Browser.


[[Image:Netlogon pbx sessions.png]]
[[Image:Netlogon pbx sessions.png]]

Revision as of 15:11, 22 October 2015

In version 12r1 users can use their windows password for logging-in to myPBX. myPBX uses NTLM over the netlogon protocol for verifying windows passwords against the Active Directory.

Applies to

  • innovaphone devices with a PBX from version 12r1.

How it works

Connection to the domain controller

The netlogon service of the PBX needs to connect to the DC. It authenticates using a computer account in the domain.

  1. DNS is used to retrieve the IP address of the DC (SRV record for _ldap._tcp.example.com).
  2. The endpoint mapper on the DC is asked for the actual port of the netlogon server on the DC.
  3. A connetion is established to the netlogon server. For authentication the configured computer name and computer password is used.

Login with windows password in myPBX

The login process using windows credentials works in three steps.

Netlogon overview.png

NTLM authentication

First an NTLM handshake is done, involving the netlogon service on the PBX and the windows domain controller. NTLM is a challenge response mechanism. The web application calculates a hash value of the entered windows password and a challenge given by the PBX. The PBX asks the Windows server, that also knows the password, to verify the hash. In the end the PBX knows if the entered password was correct. Also the PBX and the web application have a shared secret, called the NTLM session key, that can be used for encryption.

Temporary credentials

The PBX creates temporary credentials for the myPBX login and stores them at the user object. After that it encrypts the credentials using the NTLM session key and sends them to the web application.

Login

For the actual login, myPBX uses the temporary credentials. When the user logs out the credentials are deleted both in the PBX and the Browser.

Netlogon pbx sessions.png

Requirements

Windows domain
  • A computer account for the innovaphone device with a known password.
  • User authentication using NTLM must be enabled.
PBX
  • Firmware from version 12r1.
  • Working DNS configuration.
  • The usernames (Name) of the user objects in the PBX must match the Windows user name (samAccountName).
  • Netlogon authentication must be enabled on the myPBX configuration page.
Network
  • TCP connections from the PBX to the domain controller must be possible.

Configuration

  • Create a computer account in the windows domain and set a password using an appropriate tool.
  • Configure the netlogon service on the innovaphone device on page Services/Netlogon/Config.
  • Activate netlogon authentication on page PBX/Config/myPBX.

Usage

If netlogon is enabled, users can use both PBX passwords and windows passwords.

Security considerations

  • Since NTLM hashes are not very secure, HTTPS should be used for the communication between myPBX and the PBX.

Tracing and logging

The log gives basic information about up and downtime of the service and the NTLM handshakes that are done. 

LOG NETLOGON 0 Service up
LOG NETLOGON 0 Authentication for 'exampleuser' failed (error c0000064)
LOG NETLOGON 0 Service down

The trace contains more detailed information for tracking down problems and all the exchanged protocol messages. The protocol messages have been removed in the following example for better readability. 

NETLOGON: state ABORT
NETLOGON: state RECONNECT
NETLOGON: starting Domain(example.com) Computer(PBX-NETLOGON) ComputerPassword(XXX)
NETLOGON: state DNS
NETLOGON.0 -> dns.0 : DNS_GETHOSTBYNAME example.com ctx=0x0 flags=0x1 port=0
dns.0 -> NETLOGON.0 : DNS_GETHOSTBYNAME_RESULT ctx=0x0 result=0 addr=10.0.05 port=389
NETLOGON: state EPM_CONNECT
NETLOGON: connect to endpoint mapper at 10.0.05:135 (dc-w2k8.example.com)
NETLOGON: state EPM_BIND_HEAD
NETLOGON: state EPM_BIND_BODY
NETLOGON: state EPM_MAP_HEAD
NETLOGON: state EPM_MAP_BODY                        ........        
NETLOGON: state EPM_DISCONNECT
NETLOGON: state NETLOGON_CONNECT
NETLOGON: connect to netlogon_service at 10.0.05:49159 (dc-w2k8.example.com)
NETLOGON: state NETLOGON_BIND_HEAD
NETLOGON: state NETLOGON_CHALLENGE_HEAD
NETLOGON: state NETLOGON_CHALLENGE_BODY                                     ....            
NETLOGON: state NETLOGON_AUTHENTICATE_HEAD
NETLOGON: encryption parameters ClientChallenge(e5cb2fd5f5218531) ServerChallenge(7338e9e65867e383) SessionKey(0978a50b44003835ac420ae6e69dfa89)
NETLOGON: state NETLOGON_AUTHENTICATE_BODY  
NETLOGON: state NETLOGON_ALTER_HEAD
NETLOGON: state NETLOGON_ALTER_BODY  
NETLOGON: state NETLOGON_DUMMYROUTINE_HEAD
NETLOGON: state NETLOGON_DUMMYROUTINE_BODY
NETLOGON: state CONNECTED
NETLOGON.0 -> NETLOGON.0 : NETLOGON_NTLM(0, exampleuser)
   challenge:   86fee2c0fa1e6ee6
   nt_response: 58881d894b81835edd0bfe758e468a0a0cd553e8c9f7a702
   lm_response: 09e25853e618688157c0faadb0861818f367056548ea9496
NETLOGON: start authentication Username(exampleuser) Challenge(86fee2c0fa1e6ee6) NtResponse(58881d894b81835edd0bfe758e468a0a0cd553e8c9f7a702) LmResponse(09e25853e618688157c0faadb0861818f367056548ea9496)
NETLOGON: state AUTHENTICATE_HEAD
NETLOGON: state AUTHENTICATE_BODY                                     d...            
NETLOGON: authentication failed (error c0000064)
NETLOGON: state CONNECTED
NETLOGON.0 -> NETLOGON_SOCKET.44 : SOCKET_RECV(16)
NETLOGON.0 -> NETLOGON.0 : NETLOGON_NTLM_RESULT(0, FAILED, c0000064, )
Retrieved from "https://wiki.innovaphone.com/index.php?title=Reference12r1:Concept_Netlogon_Windows_Authentication&oldid=39427"