[Typo3-dev] S: Sponsoring Windows authentication in TYPO3

Robert Fink robert.fink at gmx.net
Tue Aug 31 10:39:34 CEST 2004


Hi!

>> What do you mean by "makes the NTLM auth with the client"? The webserver
>> does authentication against the browser (client)? Duh?
> Sorry, sounds strange. In fact the extension sends the browser some headers
> which force the browser to send back all needed information. (Un)fortunately
> the password is encrypted (NT/LM) and I haven't figured out how to
> decrypt ;-). So today the extension just gets the Windows logged-in username
> and checks if it exists in fe_users.
> There are several options to make an auth with the password, as I mentioned in
> one of the last postings.

So this extension does _not_ provide _any_ authentication.
NTLM and/or Kerberos authentication must use the authentication server
(ADS, for example).

Imagine this: the network user Bert uses his personal network sniffer to catch
the "authentication" packet sent by Annelore's browser. He can obviously
easily pretend to be any trusted user he wants to be. If Bert is intelligent,
he doesn't even have to catch Annelore's packet because he knows how to create
those encrypted packets.

  robert.
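Added example, not code from the thread or from the TYPO3 extension being discussed: a small model of what the extension does (read the user name out of the browser's NTLM AUTHENTICATE_MESSAGE and look it up) next to what a domain controller does (recompute the NTLMv2 proof from the stored NT hash and the server's own challenge). It assumes NTLMv2 as specified in MS-NLMP, a server that stores NT hashes, and constructed sample users, hashes and challenges; the timestamp and target info in the response blob are left empty to keep the message small, which a production verifier would not accept.

```python
"""Added example: the user name in an NTLM Type 3 message is only a claim.
Assumptions (not from the original post): NTLMv2 per MS-NLMP, a server that
stores the user's NT hash, and constructed sample credentials/challenges."""
import hashlib
import hmac
import struct

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001  # strings in the payload are UTF-16LE


def response_key_nt(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over UPPER(user) || domain, keyed with the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NtProofStr = HMAC-MD5(key, ServerChallenge || temp); binds the reply to this challenge."""
    return hmac.new(key, server_challenge + temp, hashlib.md5).digest()


def build_authenticate(user: str, domain: str, nt_hash: bytes,
                       server_challenge: bytes, client_challenge: bytes) -> bytes:
    """Minimal AUTHENTICATE_MESSAGE as a client builds it: empty LM response,
    NTLMv2 response, domain and user name in the payload. Any holder of a hash
    can build one; the name field is just bytes chosen by the sender."""
    temp = (b"\x01\x01" + b"\x00" * 6       # Responserversion, HiResponserversion, reserved
            + b"\x00" * 8                    # timestamp (zeroed for the example)
            + client_challenge               # 8-byte client nonce
            + b"\x00" * 4 + b"\x00" * 4)     # reserved, empty target info (AvPairs), reserved
    nt_response = nt_proof(response_key_nt(nt_hash, user, domain), server_challenge, temp) + temp
    fields = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    descriptors, payload, offset = b"", b"", 64  # 8 sig + 4 type + 6*8 descriptors + 4 flags
    for f in fields:
        descriptors += struct.pack("<HHI", len(f), len(f), offset)  # Len, MaxLen, Offset
        payload += f
        offset += len(f)
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + descriptors + struct.pack("<I", NEGOTIATE_UNICODE) + payload


def parse_authenticate(msg: bytes) -> dict:
    """Extract the client-supplied fields. This is all a name-only check ever sees."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")

    def field(i: int) -> bytes:
        length, _max, off = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[off:off + length]

    return {"nt_response": field(1),
            "domain": field(2).decode("utf-16-le"),
            "user": field(3).decode("utf-16-le")}


def verify_authenticate(msg: bytes, server_challenge: bytes, stored_nt_hash: dict) -> bool:
    """What the authentication server does: recompute NtProofStr with the stored
    hash for the claimed user and the challenge *this server* issued."""
    fields = parse_authenticate(msg)
    nt_hash = stored_nt_hash.get(fields["user"].lower())
    if nt_hash is None or len(fields["nt_response"]) < 16:
        return False
    proof, temp = fields["nt_response"][:16], fields["nt_response"][16:]
    expected = nt_proof(response_key_nt(nt_hash, fields["user"], fields["domain"]), server_challenge, temp)
    return hmac.compare_digest(proof, expected)


# Constructed sample data: the server keeps NT hashes, never passwords.
STORED_NT_HASH = {"annelore": bytes.fromhex("aa" * 16), "bert": bytes.fromhex("bb" * 16)}
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")


def demo() -> dict:
    genuine = build_authenticate("annelore", "EXAMPLE", STORED_NT_HASH["annelore"],
                                 SERVER_CHALLENGE, bytes.fromhex("11" * 8))
    # Bert writes Annelore's name into the message but only holds his own hash.
    impersonation = build_authenticate("annelore", "EXAMPLE", STORED_NT_HASH["bert"],
                                       SERVER_CHALLENGE, bytes.fromhex("22" * 8))
    return {
        # A lookup of the name field (the behaviour described in the thread) accepts both.
        "name_only": (parse_authenticate(genuine)["user"], parse_authenticate(impersonation)["user"]),
        # Recomputing the proof accepts only the message built with the right hash.
        "verified": (verify_authenticate(genuine, SERVER_CHALLENGE, STORED_NT_HASH),
                     verify_authenticate(impersonation, SERVER_CHALLENGE, STORED_NT_HASH)),
        # A sniffed genuine message replayed against a fresh challenge also fails.
        "replayed": verify_authenticate(genuine, bytes.fromhex("fedcba9876543210"), STORED_NT_HASH),
    }


if __name__ == "__main__":
    print(demo())
```

The name-only check returns "annelore" for both messages, while the verifying path accepts only the genuine one and rejects the replay because the proof is bound to the server's challenge. A real verifier additionally checks the timestamp window, the target info and, with signing negotiated, the MIC; the point here is only that reading the name field, as the extension does, performs none of this.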