August 31, 2006 (Australian Time)

Today:

1. Saints Row should become available locally for the Xbox 360. Liked the demo. On the subject, did anyone try out the Just Cause demo from Marketplace? That was really over-the-top Latin American fun! I wonder if it’ll have Live capabilities, so I can scream things like “Miguel! You keeeled my braaathaaaar!” at my Argentinian friend*.

2. XNA Studio (that’s the one where you get a game development kit for C# that lets you sign up to test the game on the 360 as well) should become available. See http://www.microsoft.com/xna/ .

3. Always make three points, so, um… there was another game coming out at the same time, but I’ve forgotten what it was, or it’s been pushed back, or something. Dead Rising is due on the 14th. Muted cheer.

 

* former friend

whose name is not Miguel

and who didn’t (to my knowledge) keel my braaathaa.

I’m officially declaring Spring

It’s sunny. It’s warm. There’s a light breeze. Birds are chirping happily as the trees rustle softly.

They’ve fertilized the gardens in the townhouse block where I live. As soon as I step out of the front door, I’m assailed by the odour (Smells Like Excrement Because It IS Real Excrement™! Now With Added Bone!)

So, it’s another big call, but I’m declaring Spring. Sure, it’s a week early and probably a harbinger of impending thermal doom, but it’s great for now. Mmmm. Sunny.

Where izzy?

Sure – I post about how I got my blog back, and then stop posting. Obvious, really.

Anyway, I’ve been off with what the local tree doctor called conjunctive eye tusk, which is where one eye tries to grow a tusk, and becomes a bit red in the process. Pin Kai, he also called it.

Tusks/Kai are apparently very contagious, so I won’t be appearing at Tech.Ed Sydney this year (except possibly in an unofficial drop-in-and-say-hello-while-contained-in-a-plastic-bubble capacity). Bummer!

Windows Live Writer

Finally, we can talk about Windows Live Writer.

I don’t really have a lot to say except: it gave me back my blogs, and stoked my desire to write something – rather than the silent dread of fighting a (*!%!_ browser-based HTML editor again.

After it’s set up, it’s a WYSIWYG editor, in a more meaningful fashion than most other blog tools I’ve used over the last few years.

Don’t think for a moment that it’s just for Spaces – while it does work with Spaces (I’m told), I’ve been using it against Community Server and WordPress for a while, with excellent results.

I try to avoid spouting superlatives at our supremely stupendously sexy software on this blog, but this is one of those times that my jaw hit the desk, and I’m paying that part forward.

Consequently, I’m off sick today nursing my jaw injuries*, but that doesn’t mean you shouldn’t all suffer with me.

If you have a blog, and you’re not actively in love with your blogging tool, you really should give this a try and see if it makes your life easier!

Two easy ways to pick Kerberos from NTLM in an HTTP capture

When tracing authenticated HTTP traffic, you’ll often see a Windows client use the Negotiate protocol to authenticate itself to a Windows web server.


In the past, I’ve surprised my friends and amazed casual onlookers by being able to instantly surmise which authentication protocol was actually in use. While that’s a useful skill to have, it’s one I’m prepared to share – at great personal expense and possibly the cost of a few free dinners – with you, dear reader.


First up: what’s this Negotiate business? Negotiate is actually an umbrella authentication package that covers the NTLM and Kerberos authentication protocols.


If you’re (that’s “you” in the “your computer” sense of the word) not a Windows domain member, Negotiate will negotiate NTLM only. If you’re a domain member and everything’s going fantastically (thanks for asking), it’s Kerberos. But for a variety of reasons, it might end up being NTLM.


Negotiate might be upgraded in the future to support more than just NTLM and Kerberos, so when that happens, you can probably ignore the advice in this article!


For now, there are two easy ways to work out when Negotiate means Kerberos or NTLM:


1. Number of round-trips to authenticate a client


Not counting the initial anonymous GET request:



  • Kerberos uses one round trip to authenticate a client
  • NTLM has a “challenge” phase that adds a second round trip

The shot from Fiddler below shows responses from the server, each number represents a client request, and the next column is its corresponding response code. The 200s are the successful completion of each authentication sequence.


Request pairs 1 and 2 are a successful Kerberos authentication. Request pairs 3 through 5 are using NTLM because http/fakename isn’t a registered SPN in AD. Using Negotiate, if Kerberos authentication fails, NTLM may be used as a fallback.


I forced NTLM by using a DNS hostname for which a Kerberos SPN was not registered, which is actually a realistic simulation of the conditions in which double-hop authentication doesn’t work.



For the setup-curious, the setup for the /negotiatethis/ virtual directory is as below:


 


2. Size of the Negotiate blob


Kerberos tickets are much bigger than password hashes. See if you can spot the difference below! (headers trimmed for compactness)


A. NTLM



——————————————————————
3. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: fakename

HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
——————————————————————
4. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: fakename
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

HTTP/1.1 401 Unauthorized
Content-Length: 1539
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAFgomiCQs+k8e625YAA
AAAAAAAAGIAYgA+AAAABQLODgAAAA9EAEkAQgACAAYARABJAEIAAQAMADIAMAAwADMARA
BDAAQADgBkAGkAYgAuAGQAbwBtAAMAHAAyADAAMAAzAEQAQwAuAGQAaQBiAC4AZABvA
G0ABQAOAGQAaQBiAC4AZABvAG0AAAAAAA==

Date: Wed, 02 Aug 2006 06:27:07 GMT
——————————————————————
5. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: fakename
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHwAAAAYABgAlAAAAAYABgBIAAAA
GgAaAE4AAAAUABQAaAAAAAAAAACsAAAABYKIogUCzg4AAAAPRABJAEIAQQBkAG0AaQBuA
GkAcwB0AHIAYQB0AG8AcgAyADAAMAAzAE0ARQBNAEIARQBSAK5mqZs/4zeTAAAAAAAAAA
AAAAAAAAAAADlpPfISbVP+br+jiEvDlc8jTU0LwwgJGw==


HTTP/1.1 200 OK
Date: Wed, 02 Aug 2006 06:27:07 GMT
Server: Microsoft-IIS/6.0
Content-Length: 56
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSATTTAST=NGFNNCCAMIKCAMPIPKDAGAGE; path=/
Cache-control: private
——————————————————————


Image reprinted for easy reference: above were 3, 4 and 5, the NTLM set; below are 1 and 2, Kerberos.


B. Kerberos



——————————————————————
1. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: 2003dc


HTTP/1.1 401 Unauthorized
Content-Length: 1656
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 02 Aug 2006 05:29:23 GMT

——————————————————————
2. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: 2003dc
Authorization: Negotiate YIIJvwYGKwYBBQUCoIIJszCCCa+gJDAiBgkqhki
C9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCYUEggmBYII
JfQYJKoZIhvcSAQICAQBugglsMIIJaKADAgEFoQMCAQ6iBwMFACA
AAACjggPSYYIDzjCCA8qgAwIBBaEJGwdESUIuRE9NohkwF6ADAgE
CoRAwDhsESFRUUBsGMjAwM2Rjo4IDmzCCA5egAwIBF6EDAgEE
ooIDiQSCA4VWCBvPweTzPp0+99JbpMcHxGmMsxsZRR+CX8MhRM
YXjVy1oLGO0yGRQzVOoPUxzAB3G97FbBZF6/psJ036bkW/K6nZs6U
7vC/pu/Vw83hpUWogKhQJRrb8fuANGgqRnxKPMCsQEqqcaZpEJCR
eqzuhzH9BHPHVH+uzRdkinp9cw1UrlsKm2t/ipxfnTXarUxKg4+xLXQ
qPkh/UsntWH2zesAbmXVIRbJsu48WQRlVflodTXFqi+3E0ITi52+pzH
iz46RGYUsDXohJD43CpJLV5TlSPk0etHSAPj1igqLm9jBGjNUA36HiFq
NNDwtNdw1g3u4RNOSqHg7yrbw72SvOUyDoZeizqh6Zxq3HUzN8LU
w12pNunHeU/WJZff5uGjHZSyioDrEOk7vI134GYh1B4zWsXe8LZ6W0
NaG+qzC3O1qgWDkrlU+rc0159nqqcAsb4xtmDylg6Dre8HaGq1/PZc
0BWL7GT+NFBSP8Dk1KZZL0mQfLKiz0wj14xCa6yd8Os5JZCL6mEKIcsV
C+HzdYXxgbIGSTnBnVcYg1ip8NM9tDRA24KfAe9kyQRggSoRY/AGn7n
sQ2szpuma4+mdseWYr401FO+uuuThsMJ1+/nnRd8fjJyt5Vk+5xoUL
b0bgl6GVidNrYlR4NT65WWIzpx2140s+ZoYnIXKwx9xrTndpzouVYZ74
HF/SSmXKbjvzbCp9rK0k/HqKecYb/Ib+FQurhy0ahcPVW20rrKVGHkmz
NLsmcluiCeQFCsD744f4OlUSUfuGA1wrxJUKkaIlyFrNYWSnMDnZ4S5
QmpTna2fDUn/ohGZ+y2Q6QBeTckcn9UyDLsBJm29O+UG69UAI26uF
QkHFRF5gk5ZGC3uc3x6XGV3KcncYiPFyLmnVd93gi1NrOG47gFGCPboA
452ojvu6QyeMooRbS79hsdKEpJFqzm/o1CEWrHCm5FcvR1BMlcXjPJi
Um84dWioq0/Rq6R+bKL7t54GRmssA8BiXD7bCKHnk+nOXxWhcSD+
SrVFIw+zHOIYk+U0vAlo99GK71zbvomXQkLw6gUteKhsCOXekj0qQjEN
+q+cwDRFsaM1uVScdxxquFq8Uyfb+JctVMFe5+ZetnU3XrhgqY9PqltI
GIkEoMIf3U58mang5zB4Llq9zxWYjaNpel4kjET1d+kGP0+zko5GVCjm
uUirtpOAT9GQS6SpIIFezCCBXegAwIBF6KCBW4EggVq9xTwR89MeRb
w5Ob35WJf7EKv72H9cYIF4shVdzhwdDhcKIbPVMXfXPb0rsEcbmZmt+
HmqlVEewQTTDsfJMquiB2d2JKn4xdpU/A8h4AOts2EdpqcKMDKFRsn
viPWUOC+YQ7TEEco/I+YMK5RC2TV7h2fCEuN+16PEGZVsQ2jZKvcsro9
0DU92DjsLSW+6JZqMuK6ED4XEi/2FbNcsAr1z8FPnYuHgRaAmqZvhdL
XabUgk9d6lekliZqbnhErSsalonHI85DHT8Yl1rKMgU0+apXqA3hlblLE
/xWh/uMJeuymJ03c0DliOYWDPgGdh6JExuHysV8xsEnD1gCE/ScBlbu
8bd/9BjiLgHOttQq4uI3UqNhAQgRVXYy/24SE4RC/7NrPXYKkDno/WM
oFjXYMCRL1j2OmSuC1Cybgpkm5P4bXroRF6XGYX3zmaFaoOI8DK8I+H
x7sN1j6TMDwvrS6FxjF3Jrio/FnX8icI/zEa1SJ2940jrYfZonOuk8nr3vcsD
U7kounX2XH/IzzDm5OAYZQ3WwKs1nR6ix1Y/4Ov1CR4fDkkMjT5VjXz+
AWywvwuSOfk9iHqSW7gE+/t5fFEwTxB8nOrKOt7LC2QfV5BDwXQrPfsx
rrSvin3b3vMOMxxNieBQWzu9rxSljVo5x8sZ6jYIOZSlrIB81US8POFeum
VGd3UGZnzOfKFdDFbQp1Q3ybiFarA+BrOQ+nvY3NlntBJVVL3LO6ZY+h
Mt02ZQKm4Fpx52wt3YOTh6GnhEbmQ/23v5Tr8GwSlKi2kxo6lIKYxeOE
Buro1Njl/9krtRuKovkPFuwR/UOo8gBDVEos7RkkdiLA8H6sTxAi4B/Kk
GrWDJgpWHE7995gTZVrnHISY8NLs254JBQoGpNFJ6htAMCPjk89mJnh
WJSeBNsZ1s9uvnne3t3zJJiMabO+tZLOUQZ/V5+1NpKUkZ/PAD82qCLf
sXXq3j/L3UNkmj3IFlkAL/4A3X+HBnTEtkcz19qHWgyl9me9uvx9kPWcF
7XAj5LJ638w46GNCCuVMZ74VcIvxkQZ2b5peoxh3vGNskBtk7/PnHSCR
YUPqA4VrhZn86P0J/u4qON3OXdJBF2FAPhGX09TiINw67v3PRuTLo6W
UFTPvAGXMlWssDMgvfGFJIyBKoLQqje0YdlVCv9KTSMKMGv5lGHgsZa
1cRvDvxZ0S/jp1D2lqtAy5Ih3rOmzjXRogENtkLpb6H0jsNh0si/5lVpMW
umi1IGXjW+QlgHQExahvBu5D7qvYqMkPyDODatHDJoyNd05MUM8Cw
jMKKnNGAvGXOkloSIrBxuSBclZcwlg8Xrr/XIMNaeO1dX72F36KABOk85
EQBKwq6lZCKIICq1HxO2b3+Gt7I8fYBP8yuX/0uLP0wMBJPSlUt/qozEt0/
gK4t2IVg/0EjNVpNEZxvzDX2KbNNBo+Vkb7TCgS7+yYi1mzDAJ1XYRxx5S
tJ55Qo5p0nqqqmgo26smy7xY0bpOXVGdGF1n3C6yeedRrOaSkMqLVm
UAvrFtbJyEryxEZt1NXZl91yCWNt67pvSjRSMpE7yWC0/zWLRPYmfBUgis
I8DmQr9hBsoNJypC3HzUf0FRHQG9yc/ko7GSPEPXHP+eZFlcY+8ZhZrgl
IvgIl6+tc2b8rq+rwQYCh2q3CJt2lC7FaFCl4O2sv6GB8KDkT9V73VP40dX/
7FpiqDntDp9Tj3ihjzrREKeRwMuSHIrtT2dXzipK/hveEre3T+F3hU9NTSj
qCRr4wMSkd8SQzfL2XBL2SlMEHqV9o7l+G44XSVARc9YVdzDcxLvswd6
Ug1ej6D7KbcXAHZi6VdWEKGPxv5SVDLf


HTTP/1.1 200 OK
Date: Wed, 02 Aug 2006 05:29:23 GMT
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate oYGfMIGcoAMKAQChCwYJKoZIgvcSAQICooGHBIGEYIGBBgkqhki
G9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqADAgEXolsEWQLu3qmHQaYEPcEIXKRwn4w0wieU6
w71tqGzllrZMCeBeCDgLaUNmnSfA8SEYCC27ZNJ/wxx3+W4Q3JPy1VmG+lQ6JQtF1nZ6HOZYvnkup6
926v1mgofc7ss

Content-Length: 56
Content-Type: text/html
Cache-control: private
——————————————————————


Using Fiddler, it can be a little tricky to identify the difference in GET request size from the Headers view, but Raw shows you what’s what, and how long it is!
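Blob length is a quick visual tell, but the leading bytes of a Negotiate value say outright which mechanism is in play. As an added example (not from the original post), the Python below decodes just those bytes: a bare NTLMSSP message and its type number, a SPNEGO NegTokenInit whose first mechType is the mechanism the client actually attached a token for, or the server’s NegTokenResp with its negState. The sample values are this post’s own captured blobs, cut to their leading characters; the OID names are assumed from RFC 4178 and MS-SPNG.

```python
import base64

MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}       # mechTypes OIDs, RFC 4178 / MS-SPNG
SPNEGO_OID = "1.3.6.1.5.5.2"
SAMPLES = {  # the post's own captured Negotiate values, truncated to their leading characters
    "4. client, NTLM": "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==",
    "2. client, Kerberos": "YIIJvwYGKwYBBQUCoIIJszCCCa+gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCYUEggmB",
    "2. server, Kerberos": "oYGfMIGcoAMKAQChCwYJKoZIgvcSAQICooGHBIGE",
}

def _tlv(buf, pos):  # read one DER tag and length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, pos, pos + length

def _oid_at(buf, pos):  # decode the DER OID whose TLV starts at pos -> name or dotted form
    _, s, e = _tlv(buf, pos)
    arcs, acc = [buf[s] // 40, buf[s] % 40], 0
    for b in buf[s + 1:e]:                     # base-128 arcs, high bit set on continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    dotted = ".".join(map(str, arcs))
    return MECH_NAMES.get(dotted, dotted)

def classify_negotiate(b64):
    """Label one Negotiate header value from its leading bytes only (a truncated blob is fine)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw.startswith(b"NTLMSSP\x00"):         # bare NTLM message, no SPNEGO wrapper at all
        return "NTLM type %d" % int.from_bytes(raw[8:12], "little")
    if raw[:1] == b"\xa1":                     # [1] NegTokenResp: the server's side of SPNEGO
        _, pos, _ = _tlv(raw, 0)
        _, pos, _ = _tlv(raw, pos)             # SEQUENCE
        _, _, end = _tlv(raw, pos)             # [0] negState ENUMERATED (0 = accept-completed)
        return "SPNEGO response, negState %d, mech %s" % (raw[end - 1], _oid_at(raw, _tlv(raw, end)[1]))
    if raw[:1] != b"\x60" or _oid_at(raw, _tlv(raw, 0)[1]) != SPNEGO_OID:
        return "unknown"                       # not a GSS-API InitialContextToken carrying SPNEGO
    end = _tlv(raw, _tlv(raw, 0)[1])[2]        # skip the thisMech OID
    for _ in range(3):                         # enter [0] NegTokenInit, SEQUENCE, [0] mechTypes
        _, end, _ = _tlv(raw, end)
    _, pos, end = _tlv(raw, end)               # SEQUENCE OF OID: the preferred mechanism is first
    mechs = []
    while pos < end:                           # SPNEGO's optimistic mechToken belongs to mechs[0]
        mechs.append(_oid_at(raw, pos))
        pos = _tlv(raw, pos)[2]
    return "SPNEGO request, preferred mech %s (offered: %s)" % (mechs[0], ", ".join(mechs))
```

Calling classify_negotiate on each SAMPLES value labels request 4 as NTLM type 1 and request 2 as a SPNEGO request whose first mechType is MS KRB5, which is the same verdict the round-trip count and blob size gave above.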


My Kerberos back-catalogue.


[Manual Trackbacks]
Ken Schaefer: Two easier ways – using “real” network captures and Ethereal/Wireshark (e.g., a network sniffer that understands the authentication blobs and just outright tells you), and the Event Logs.

Microsoft ISA Server 2006: Trial Software (RTM) Out Now!

Yep, forget the RC – ISA Server 2006 is done, and the trial version is now available for download (requires registration)!

The fully functional trial software offers you the opportunity to experience the new features and functionality of ISA Server 2006. The trial automatically expires 180 days after you install it on your servers.

Link to Microsoft ISA Server 2006: Trial Software

There’s general ISA Server 2006 information here.

Gogeddit!