NTLM based User Authentication and SSO in Web Application
Introduction
Enterprise applications that solve an organization's business problems are often composed of a number of web applications. Suppose an organization runs several internal web applications, for example an HR portal, leave application, travel application, ITSM application, employee support system and mediclaim application, and uses Microsoft Active Directory. Keeping a separate username/user ID and password combination for each web application forces employees to remember separate credentials for every application.
Additionally, if the organization already has a user directory service in which it maintains employee identities, introducing a separate identity provider and IAM solution adds complexity.
In this scenario, Microsoft provides a proprietary authentication mechanism called "New Technology LAN Manager (NTLM)" which can be used for built-in user authentication when a user opens a web page from a browser.
Let's discuss NTLM in detail in the subsequent sections.
Business Needs
NTLM is a Microsoft proprietary technology used for web application authentication and SSO when the organization uses Microsoft Active Directory and a Domain Controller for its user domain and user identity management.
Let's form the business need from the points below:
- There is an enterprise application in the organization which is composed of multiple web applications
- The organization uses Microsoft technologies for user and identity management
- The organization doesn't want to invest in an additional IAM solution
- There is a need to implement web SSO
Technical Stack
NTLM is a Microsoft proprietary technology, so it can be used on Microsoft platforms only.
To create a demonstration project that showcases NTLM based authentication in a web application, a Spring Boot based web application was created with the tech stack below:
- Java 8 (tested with Java 8)
- Spring Boot, Spring Web and Spring Web Security running on embedded Tomcat
- Waffle
- Maven as build tool
- Underlying OS must be Windows (client or server versions)
Audience
This article discusses web application authentication and SSO implementation with NTLM technology. It gives a complete understanding of NTLM and its implementation in a web application, with a use case that helps developers, architects and product owners take decisions on SSO and authentication implementation.
Problem
The problem statement is very simple: the organization has Microsoft technologies implemented for user and identity management and needs to implement authentication and SSO for the organization's internal users.
Solution
Based on the requirements defined in the 'Business Needs' section, one implementation approach is to use NTLM.
Let's understand NTLM before discussing the implementation and flow.
- New Technology LAN Manager (NTLM) is a set of protocols for authentication and security in Microsoft technology.
- It was introduced around 1993, and the current version is NTLMv2.
- NTLM authentication works on a challenge basis, for example:
  A. The client sends an authentication request with the username to the host
  B. The host provides a random number, often referred to as the challenge, to the client
  C. The client receives the challenge, combines it with the user's password to create a hash, and sends the hash to the host machine for validation
  D. The host verifies the 'password + challenge' hash and returns acceptance or denial to the client
- This authentication mechanism is not considered solid from a security perspective, as the user's password is involved and a hash derived from it travels over the network, but it is acceptable for internal users who work on the same domain
- Since NTLM has no mutual authentication and its algorithms are not foolproof, it is considered outdated even though Microsoft has released version 2 as NTLMv2. Kerberos is considered much more secure than NTLM.
- Although it is discouraged from a security perspective, it is still widely used due to its built-in support from Microsoft
Since Microsoft AD supports NTLM by default, no setup or additional configuration is needed in AD. You only need to build your own application with NTLM validation.
Let's understand the NTLM authentication flow with the diagram below:
As the diagram above shows, it is quite simple and easy to implement, but it has big drawbacks:
- From a security perspective, it is considered vulnerable
- It is supported only by Microsoft technologies
Conclusion
NTLM is a choice for authentication and SSO implementation in web applications where Microsoft infrastructure is used for user and identity management and users are on the same domain where the web application is hosted.
It is quite simple and easy to implement, as NTLM is enabled by default in AD and the DC and no additional software, setup or configuration is needed.
Given its dependency on Microsoft infrastructure and its security vulnerabilities, it is recommended to choose it carefully.
Instead of NTLM, Kerberos is a good option for internal user authentication and SSO implementation in web applications.
Links of Work on GitHub
To demonstrate the NTLM implementation and identification of the user in a web application based on the user's login to the underlying Windows operating system, a web project has been developed.
This project is based on the Spring Boot framework along with Spring Web and Spring Web Security, with the Waffle API. The Waffle API internally communicates with AD and obtains the challenge for user identification.
Since the NTLM authentication mechanism is proprietary to Microsoft, it only works when the web application host runs on a Windows OS (any client or server version) that is joined to the domain. Otherwise it will not be able to identify the user and will throw an exception.
To demonstrate NTLM, check out the code from the GitHub repository, build it and run it.
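As an added illustration (not code from the linked project), the Spring Security configuration below wires Waffle's NegotiateSecurityFilter into a Spring Boot 2 / Java 8 application so that the browser is challenged with NTLM and the Windows host validates the response; the class name NtlmSecurityConfig and the WebSecurityConfigurerAdapter style are assumptions.

```java
import java.util.Collections;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import waffle.servlet.spi.NegotiateSecurityFilterProvider;
import waffle.servlet.spi.SecurityFilterProvider;
import waffle.servlet.spi.SecurityFilterProviderCollection;
import waffle.spring.NegotiateSecurityFilter;
import waffle.spring.NegotiateSecurityFilterEntryPoint;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

// Assumed class name; added example in Spring Boot 2 / Java 8 style, not the linked project's code.
@Configuration
@EnableWebSecurity
public class NtlmSecurityConfig extends WebSecurityConfigurerAdapter {
    // Waffle hands the NTLM challenge/response to the Windows SSPI of the host,
    // which is why the host must be a Windows machine joined to the domain.
    private SecurityFilterProviderCollection ntlmProviders() {
        NegotiateSecurityFilterProvider negotiate =
                new NegotiateSecurityFilterProvider(new WindowsAuthProviderImpl());
        // Advertise only "NTLM"; Waffle's default also offers "Negotiate", under which a
        // domain-joined browser prefers Kerberos when an SPN exists for the host.
        negotiate.setProtocols(Collections.singletonList("NTLM"));
        return new SecurityFilterProviderCollection(new SecurityFilterProvider[] { negotiate });
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SecurityFilterProviderCollection providers = ntlmProviders();
        // Unauthenticated requests get "401 WWW-Authenticate: NTLM", which makes the browser
        // start the handshake silently (intranet zone) or show the credentials popup.
        NegotiateSecurityFilterEntryPoint entryPoint = new NegotiateSecurityFilterEntryPoint();
        entryPoint.setProvider(providers);
        // Filter and entry point are built here instead of as @Beans so that Spring Boot does
        // not also register the filter as a plain servlet filter and run the handshake twice.
        NegotiateSecurityFilter filter = new NegotiateSecurityFilter();
        filter.setProvider(providers);
        filter.setAllowGuestLogin(false); // never map a failed logon onto the Windows Guest account
        filter.setPrincipalFormat("fqn"); // principal exposed as DOMAIN\user
        filter.setRoleFormat("both");     // AD groups exposed as both SID and name authorities
        filter.afterPropertiesSet();      // manual construction, so run the init hook ourselves
        http.authorizeRequests().anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(entryPoint)
            .and().addFilterBefore(filter, BasicAuthenticationFilter.class);
    }
}
```

CSRF protection is left at Spring Security's default because a browser that authenticates silently with NTLM will also do so for cross-site requests.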
GitHub Source: https://github.com/siddhivinayak-sk/jwt-openid-oauth2.0-keycloak-kerberos-ntlm/tree/main/spring-waffle
- Open the link http://localhost:800/test in a browser
- It will open a popup like the one below (the popup appears optionally depending on the browser installation; when checked with MS Edge, the popup does not appear):
- Provide the underlying OS username and password that you used to log in to the OS, e.g. domain/userx and its password. After providing the username and password, click 'Sign In'; it will validate and show the result as:
References
- Microsoft NTLM — https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm#:~:text=Windows%20Challenge%2FResponse%20(NTLM),and%20on%20stand%2Dalone%20systems.&text=NTLM%20uses%20an%20encrypted%20challenge,user's%20password%20over%20the%20wire.
- NTLM Overview — https://docs.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
- NTLM — https://www.ionos.com/digitalguide/server/know-how/ntlm-nt-lan-manager/
- Crowdstrike — https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/
- GitHub Source — https://github.com/siddhivinayak-sk/jwt-openid-oauth2.0-keycloak-kerberos-ntlm/tree/main/spring-waffle
About the Author
Sandeep Kumar holds a Master of Computer Application degree and works as a Java developer with 10+ years of working experience. He has experience in the design and development of enterprise applications in domains like education, content, laboratory and banking, and has received various appreciations for his solutions, including a spot appreciation for a GlassFish to JBoss migration project. He holds a Google Cloud Developer certificate and has participated in OCI trainings. He is part of the HCL-ERS platform as Sr. Lead Developer.