{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 手持菜刀,她持情操 的问题《Suppress NTLM Authentication Dialog》','https://www.manongdao.com/q-337882.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Code
I have created a login page that combines Forms Authentication with Integrated Windows Authentication.
public partial class Login : System.Web.UI.Page
{
// http://www.innovation.ch/personal/ronald/ntlm.html
// http://curl.cofman.dk/rfc/ntlm.html
// http://blogs.msdn.com/b/chiranth/archive/2013/09/21/ntlm-want-to-know-how-it-works.aspx
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
if (Request.Headers["Authorization"].IsNullOrEmpty())
{
Response.StatusCode = 401;
Response.AddHeader("WWW-Authenticate", "NTLM");
Email.SendMailToDebugger("Auth", "No Auth");
//Response.End();
}
else if (Request.Headers["Authorization"].StartsWith("Negotiate"))
{
Response.StatusCode = 401;
Response.AddHeader("WWW-Authenticate", "NTLM");
Email.SendMailToDebugger("Auth", "Negotiate Auth");
Response.End();
}
else if (Request.Headers["Authorization"].StartsWith("NTLM"))
{
string base64text = Request.Headers["Authorization"].Remove(0, 5); //Remove NTLM<space>
byte[] bytes = Convert.FromBase64String(base64text);
byte typebyte = bytes[8];
if (typebyte.ToString("X2") == "01") //type 1 message received
{
//send type 2 message
List<byte> responsebytes = new List<byte> { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 00, 0x02, 0x02, 0x00, 0x00, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
string type2message = Convert.ToBase64String(responsebytes.ToArray());
Response.StatusCode = 401;
Response.AddHeader("WWW-Authenticate", "NTLM " + type2message);
Email.SendMailToDebugger("Auth", "Type 1 Received, Type 2 Sent");
Response.End();
}
else if (typebyte.ToString("X2") == "03") //type3 message received
{
var dv = Database.GetDataView("select UPPER('termana'||REPLACE(P.EMAIL,'@termana.com','')||p.init) displayname, 'termana\\'||REPLACE(P.EMAIL,'@termana.com','') username from tercons.phonebook p where P.COMPANY_ID=40");
string username = ""; //magic to get the username from the type3 response
Email.SendMailToDebugger("Auth", "Type 3 Received, logging in: " + username);
FormsAuthentication.RedirectFromLoginPage(username, false);
}
else
{
Email.SendMailToDebugger("Auth", "Unknown Type Received");
}
}
else
{
Email.SendMailToDebugger("Auth", "Unknown Authentication Received: " + Request.Headers["Authorization"]);
}
}
}
}
Question
This seems to work fairly well so far. It properly logs in the user if they support IWA. If their browser isn't configured to accept IWA, I want to fall back on Forms Authentication. Unfortunately, what I see happening is if the browser isn't configured to accept IWA, it popups up the ugly NTLM authentication dialog (looks like the Basic Dialog). How do I get that to not appear?
Background
The primary reason I'm doing this is because the same site may be accessed via desktop users (on the domain) or mobile (iPhone/Windows Phone). And iPhone doesn't support saving passwords for the NTLM authentication, which is a hassle for my users.
To Test
If you want to test this code in your own environment, configure a site for forms authentication, make sure Anonymous authentication is checked in IIS, not IWA.
Also
This code is not fully tested/fleshed out. If you're a random person that stumbles on my question, don't assume it's perfectly secure and then go implement it on your site. This code is in the early development stages. That said, if you want to leave a comment saying how to improve it, feel free.
Update
I have updated my code and question to reflect the fact that I managed to get it so that when the user cancels the ugly authentication dialog they're able to log in with forms authentication. But I still want that ugly dialog suppressed.
I think you're getting confused between the concepts of NTLM/IWA authentication, and the niceties of having a browser automatically log you in for a trusted site. If I was to rephrase this question, you're actually asking if the server can detect if a browser will automatically log someone in without asking for credentials using IWA, before you offer IWA as a method of authentication. The answer to this is a resounding "no." The zones and the security settings which control this behaviour are entirely on the user's machine.
Now, if you're in an intranet environment and you can recognize certain IP address ranges as belonging to machines that you already know will perform automatic IWA, then sure, that works. It sounds to me like you're trying to generalize, and for that, you cannot make this work.
I suspect the unwanted popup stems from the initial request NOT containing an
Authorizationheader until the 401 is received by the browser. Instead, you need to choose to avoid issuing the 401 if you predict forms authorization is required.Consider this approach:
Code in Global.asx would be along these lines.
Handle Application_AuthenticateRequest explicitly:
Where IsAutomation determines whether you want forms auth or not.
In my case, IsAutomation looks like this:
Lastly, you need to trap the 302 redirect and issue a NTLM challenge: