4.1 Server Examples

This scenario shows the messages exchanged when a web client requests an access-protected document from a web server by issuing a GET request for the URL http://www.nowhere.org/dir/index.html.

 C: GET dir/index.html

The first time the client requests the document, no Authorization header is sent, so the server responds with the following.

 S: HTTP/1.1 401 Unauthorized
 S: WWW-Authenticate: NTLM

The client obtains the local user credentials by using the [MS-NLMP] security package and then generates a new GET request to the server. The request contains an Authorization header with an NTLM NEGOTIATE_MESSAGE (as specified in [MS-NLMP] section 2.2.1.1) in ntlm-data.

 C: GET dir/index.html
 C: Authorization: NTLM tESsBmE/yNY3lb6a0L6vVQEZNqwQn0s8Unew

The server decodes the ntlm-data that is contained in the auth-data2 base64-encoded data and passes this to its implementation of [MS-NLMP]. If the server accepts this authentication data from the client, it responds with an HTTP 401 code (for more information, see [RFC2616] section 10.2) and a WWW-Authenticate header with an NTLM CHALLENGE_MESSAGE (as specified in [MS-NLMP] section 2.2.1.2) in ntlm-data.

 S: HTTP/1.1 401 Unauthorized
 S: WWW-Authenticate: NTLM yNY3lb6a0L6vVQEZNqwQn0s8UNew33KdKZvG+Onv

The client decodes the ntlm-data that is contained in the auth-data base64-encoded data and passes this to its implementation of [MS-NLMP]. If this authentication data is valid, the client responds by reissuing the GET request with an Authorization header that contains an NTLM AUTHENTICATE_MESSAGE (as specified in [MS-NLMP] section 2.2.1.3) in ntlm-data.

 C: GET dir/index.html
 C: Authorization: NTLM kGaXHz6/owHcWRlvGFk8ReUZKHo=QEZNqwQn0s8U

The server decodes the ntlm-data that is contained in the auth-data2 base64-encoded data and passes this to its implementation of [MS-NLMP]. If the server accepts this authentication data from the client, it responds with an HTTP 2xx code (for more information, see [RFC2616] section 10.2) indicating success. The requested content is also included in the server response.

Note The base64 values used previously are for illustrative purposes only and do not represent valid base64-encoded NTLM messages.
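The following Python script is an added illustration of the three-leg exchange above; it is not part of this specification or of any Microsoft implementation. It parses the "NTLM <base64>" form of the Authorization and WWW-Authenticate headers, checks the decoded ntlm-data for the NTLMSSP signature and MessageType field defined in [MS-NLMP] section 2.2.1, and models the server as a per-connection state machine that only accepts a NEGOTIATE_MESSAGE from the initial state and an AUTHENTICATE_MESSAGE after it has issued a CHALLENGE_MESSAGE. The NTLM messages it builds are constructed skeletons (signature, type and filler bytes only), the challenge bytes are constructed, and credential verification is represented by a caller-supplied accept_authenticate callback standing in for the [MS-NLMP] security package; the class and function names are this example's own.

```python
import base64
import struct

# Constants from [MS-NLMP] section 2.2.1: every NTLM message starts with the
# 8-byte signature "NTLMSSP\0" followed by a little-endian 32-bit MessageType.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1
CHALLENGE_MESSAGE = 2
AUTHENTICATE_MESSAGE = 3


def parse_ntlm_header(header_value):
    """Parse 'NTLM [<base64 ntlm-data>]' as carried in Authorization or
    WWW-Authenticate. Returns the decoded ntlm-data, or None when the header
    is a bare 'NTLM' (the server's initial demand for authentication)."""
    parts = header_value.strip().split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        raise ValueError("not an NTLM authentication header")
    if len(parts) == 1:
        return None
    # validate=True makes malformed base64 raise instead of being silently trimmed
    return base64.b64decode(parts[1], validate=True)


def ntlm_message_type(ntlm_data):
    """Return the MessageType of decoded ntlm-data, rejecting anything that
    lacks the NTLMSSP signature or is too short to carry a type field."""
    if len(ntlm_data) < 12 or ntlm_data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("ntlm-data lacks the NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", ntlm_data, 8)
    if msg_type not in (NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, AUTHENTICATE_MESSAGE):
        raise ValueError("unknown NTLM MessageType %d" % msg_type)
    return msg_type


def build_message(msg_type, payload=b""):
    """Constructed message skeleton: signature + MessageType + opaque payload.
    A real [MS-NLMP] implementation fills in the remaining fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + payload


def encode_header(ntlm_data):
    """Render ntlm-data as the value of an Authorization / WWW-Authenticate header."""
    return "NTLM " + base64.b64encode(ntlm_data).decode("ascii")


class NtlmHttpServer:
    """Toy server side of the exchange in section 4.1. Credential checking is
    delegated to accept_authenticate, a stand-in for the [MS-NLMP] package."""

    def __init__(self, accept_authenticate):
        self.accept_authenticate = accept_authenticate
        self.state = "initial"  # NTLM state lives on the connection, not the request

    def handle_get(self, headers):
        """Return (status, response_headers, body) for one GET request."""
        auth = headers.get("Authorization")
        try:
            ntlm_data = None if auth is None else parse_ntlm_header(auth)
            msg_type = None if ntlm_data is None else ntlm_message_type(ntlm_data)
        except ValueError:
            msg_type = None  # unparsable header is treated like no header at all
        if msg_type == NEGOTIATE_MESSAGE and self.state == "initial":
            # Second leg: answer the NEGOTIATE_MESSAGE with a CHALLENGE_MESSAGE.
            challenge = build_message(CHALLENGE_MESSAGE, b"\x11" * 8)  # constructed challenge bytes
            self.state = "challenged"
            return 401, {"WWW-Authenticate": encode_header(challenge)}, b""
        if msg_type == AUTHENTICATE_MESSAGE and self.state == "challenged":
            # Third leg: hand the AUTHENTICATE_MESSAGE to NTLM for verification.
            self.state = "initial"
            if self.accept_authenticate(ntlm_data):
                return 200, {"Content-Type": "text/html"}, b"<html>index</html>"
            return 401, {"WWW-Authenticate": "NTLM"}, b""
        # First leg, a malformed header, or a message out of sequence (for
        # example an AUTHENTICATE_MESSAGE with no preceding challenge): start over.
        self.state = "initial"
        return 401, {"WWW-Authenticate": "NTLM"}, b""


def run_exchange(accept_authenticate=lambda data: True):
    """Drive the three GETs of section 4.1 against the toy server and return
    the sequence of status codes the client sees."""
    server = NtlmHttpServer(accept_authenticate)
    statuses = []
    status, hdrs, _ = server.handle_get({})  # leg 1: no Authorization header
    statuses.append(status)
    negotiate = build_message(NEGOTIATE_MESSAGE)
    status, hdrs, _ = server.handle_get({"Authorization": encode_header(negotiate)})
    statuses.append(status)
    challenge = parse_ntlm_header(hdrs["WWW-Authenticate"])
    if ntlm_message_type(challenge) != CHALLENGE_MESSAGE:
        raise RuntimeError("server did not answer NEGOTIATE with a CHALLENGE")
    # Constructed: the authenticate payload just echoes the challenge payload.
    authenticate = build_message(AUTHENTICATE_MESSAGE, challenge[12:])
    status, hdrs, body = server.handle_get({"Authorization": encode_header(authenticate)})
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(run_exchange())  # expected: [401, 401, 200]
```

Running the script prints the status sequence 401, 401, 200 that the scenario describes. The state machine is the point worth keeping from this sketch: because the server tracks NTLM progress per connection, an AUTHENTICATE_MESSAGE that arrives without a preceding CHALLENGE_MESSAGE, or a header whose ntlm-data is not valid base64 or lacks the NTLMSSP signature, simply resets the connection to the initial 401 rather than being passed to the credential check.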