Reference13r1:Concept Netlogon Windows Authentication
Users can login-in to myApps or myPBX using their windows password. The PBX uses NTLM over the netlogon protocol for verifying windows passwords against the Active Directory.
- innovaphone devices with a PBX from version 13r1 (see other versions of this article for previous versions)
- innovaphone myApps (all platforms) or innovaphone myPBX (Windows/Browser).
How it works
Connection to the domain controller
The netlogon service of the PBX needs to connect to the DC. It authenticates using a computer account in the domain.
- DNS is used to retrieve the IP address of the DC (SRV record for _ldap._tcp.example.com).
- The endpoint mapper on the DC is asked for the actual port of the netlogon server on the DC.
- A connetion is established to the netlogon server. For authentication the configured computer name and computer password is used.
Login with windows password in myApps / myPBX
The login process using windows credentials works in three steps.
- NTLM authentication
First an NTLM handshake is done, involving the netlogon service on the PBX and the windows domain controller. NTLM is a challenge response mechanism. The web application calculates a hash value of the entered windows password and a challenge given by the PBX. The PBX asks the Windows server, that also knows the password, to verify the hash. In the end the PBX knows if the entered password was correct. Also the PBX and the web application have a shared secret, called the NTLM session key, that can be used for encryption.
- Temporary credentials
The PBX creates temporary credentials for the login and stores them at the user object. After that it encrypts the credentials using the NTLM session key and sends them to the web application.
For the actual login, myPBX/myApps uses the temporary credentials. When the user logs out the credentials are deleted both in the PBX and the Browser.
- The windows password is just used to calculate hashes. It is never stored or transmitted over the network.
- The temporary credentials are stored in the PBX at the user object and the DOM storage of the browser. So the user doesn't have to enter the windows password again, if the PBX or the browser is restarted.
- On logout the temporary credentials are deleted in the DOM Storage of the browser and in the PBX. So the next time the user is asked again for the windows password.
- Windows domain
- A computer account for the innovaphone device with a known password.
- User authentication using NTLM must be enabled.
- Firmware from version 13r1 or later.
- Working DNS configuration.
- The usernames (Name) of the user objects in the PBX must match the Windows usernames (samAccountName).
- Netlogon authentication must be enabled on the PBX/Config/Authentication page in the advanced UI.
- TCP connections from the PBX to the domain controller must be possible.
Please note that the Netlogon protocol is used between the PBX and the AD only (using the DCE endpoint mapper on TCP port 135 and another dyncamic TCP port). The NTLM information is conveyed between the PBX and the myApps/myPBX client with HTTPS as usual.
You will need a computer account in your Active Directory for the PBX netlogon function for each PBX you configure netlogon on. You must create a new, otherwise unused computer account as described below. We have seen issues when such account is used otherwise or used for more than one PBX.
Create a computer account with known Password
Please note: the name of the new computer account must not be longer than 15 characters!
- Create the new computer account
- With Powershell CLI
- Use Powershell on Domain Controller to create Computer Account
PS: C:\> Import-Module ActiveDirectory
PS: C:\> New-ADComputer -Name "Computer-Account-Name" -AccountPassword (Read-Host -AsSecureString "AccountPassword")
- You will be prompted for the computer account's password
- Note: if the New-ADComputer command is not available, refer to
- Use Powershell on Domain Controller to create Computer Account
- Manually in the windows domain (not recommended, too complicated)
- See Example, Sample 2
- Configure the netlogon service on the innovaphone device on page Services/Netlogon/Config.
- Activate netlogon authentication on page PBX/Config/myPBX or PBX/Config/Authentication
Depending on the configuration on page PBX/Config/Authentication users can use their PBX user password, their Windows password or both for myPBX/myApps login.
- Only a single windows domain is supported.
- Currently NTLMv1 is used. Since NTLM hashes are not very secure, HTTPS should be used for the communication between the client and the PBX.
- The windows session is not reused for authentication. The user has to enter the windows password again after logging out.
Tracing and logging
The log gives basic information about up and downtime of the service and the NTLM handshakes that are done.
LOG NETLOGON 0 Service up LOG NETLOGON 0 Authentication for 'exampleuser' failed (error c0000064) LOG NETLOGON 0 Service down
The trace contains more detailed information for tracking down problems and all the exchanged protocol messages. The protocol messages have been removed in the following example for better readability.
NETLOGON: state ABORT NETLOGON: state RECONNECT NETLOGON: starting Domain(example.com) Computer(PBX-NETLOGON) ComputerPassword(XXX) NETLOGON: state DNS NETLOGON.0 -> dns.0 : DNS_GETHOSTBYNAME example.com ctx=0x0 flags=0x1 port=0 dns.0 -> NETLOGON.0 : DNS_GETHOSTBYNAME_RESULT ctx=0x0 result=0 addr=10.0.05 port=389 NETLOGON: state EPM_CONNECT NETLOGON: connect to endpoint mapper at 10.0.05:135 (dc-w2k8.example.com) NETLOGON: state EPM_BIND_HEAD NETLOGON: state EPM_BIND_BODY NETLOGON: state EPM_MAP_HEAD NETLOGON: state EPM_MAP_BODY ........ NETLOGON: state EPM_DISCONNECT NETLOGON: state NETLOGON_CONNECT NETLOGON: connect to netlogon_service at 10.0.05:49159 (dc-w2k8.example.com) NETLOGON: state NETLOGON_BIND_HEAD NETLOGON: state NETLOGON_CHALLENGE_HEAD NETLOGON: state NETLOGON_CHALLENGE_BODY .... NETLOGON: state NETLOGON_AUTHENTICATE_HEAD NETLOGON: encryption parameters ClientChallenge(e5cb2fd5f5218531) ServerChallenge(7338e9e65867e383) SessionKey(0978a50b44003835ac420ae6e69dfa89) NETLOGON: state NETLOGON_AUTHENTICATE_BODY NETLOGON: state NETLOGON_ALTER_HEAD NETLOGON: state NETLOGON_ALTER_BODY NETLOGON: state NETLOGON_DUMMYROUTINE_HEAD NETLOGON: state NETLOGON_DUMMYROUTINE_BODY NETLOGON: state CONNECTED NETLOGON.0 -> NETLOGON.0 : NETLOGON_NTLM(0, exampleuser) challenge: 86fee2c0fa1e6ee6 nt_response: 58881d894b81835edd0bfe758e468a0a0cd553e8c9f7a702 lm_response: 09e25853e618688157c0faadb0861818f367056548ea9496 NETLOGON: start authentication Username(exampleuser) Challenge(86fee2c0fa1e6ee6) NtResponse(58881d894b81835edd0bfe758e468a0a0cd553e8c9f7a702) LmResponse(09e25853e618688157c0faadb0861818f367056548ea9496) NETLOGON: state AUTHENTICATE_HEAD NETLOGON: state AUTHENTICATE_BODY d... NETLOGON: authentication failed (error c0000064) NETLOGON: state CONNECTED NETLOGON.0 -> NETLOGON_SOCKET.44 : SOCKET_RECV(16) NETLOGON.0 -> NETLOGON.0 : NETLOGON_NTLM_RESULT(0, FAILED, c0000064, )
You can also use the test page at Services/Netlogon/Test. If you receive an error indication "authentication ok, invalid session key" then you are most likely using the same netlogon computer account from more than one innovaphone device (see #Configuration above).