NTLM Authentication Failure, 'www-authenticate': 'Negotiate, NTLM'

1
votes

I'm writing a Meteor.JS application and need to authenticate with an NTLM server. I think I'm most of the way there; my workflow is currently as follows:

  1. Send GET request to server with NTLM Type 1 Message under 'www-authenticate' header,
  2. Receive (401) response with NTLM Type 2 Message under 'www-authenticate' header (looks like 'www-authenticate': 'NTLM TlRMTVN....'),
  3. Send GET request to server with NTLM Type 3 Message under 'www-authenticate' header,
  4. Receive (401) response with header 'www-authenticate': 'Negotiate, NTLM'.

This is where I'm confused; At step 4, I'd expect to receive a 200 OK status based off of everything I've read. However, I instead receive 'Negotiate, NTLM' in the www-authenticate header, which I'm not sure what to do about. Has anyone else experienced this with NTLM? Am I on the right track here, or is this indicative something is totally wrong?

EDIT: Before anyone asks, yes, I did see this question, but in my case, I have verified the credentials are correct. I'd like to know what exactly triggers the 'Negotiate, NTLM' header.

1
authenticationmeteorntlm
Hi @Ruben Martinez I'm developing a new service to do NTLM authentication nafiux.com/wasp if I can help you please let me knowIgnacio Ocampo
I need to do this very soon. Is there a demo or public repo available? I'd like to see how you set up meteor ntlm on windows. Many thanks!kind_robot

1 Answers

0
votes

Are you communicating with an IIS server. The 'Negotiate NTLM' headers are sent to the client by the server when both Kerberos and NTLM are possible and the server wishes to tell the client about that. If you are using an IIS server, you can try by changing the Windows authentication type to NTLM only.

Alternatively, you can enable the Request tracing module on IIS and see the requests being transferred. The log usually has sufficient data for understanding the issue.

Hope this helps.