WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
这两个头表示服务端只接受集成windows验证方式
HTTP/1.1 401 Unauthorized
Content-Length: 1327
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Sun, 11 Nov 2007 12:28:29 GMT
3.1.3. 客户端选择NTLM验证,要求输入用户名密码,请求质询码
客户端通过Authorization: Negotiate NTLMSSPXXXX 头告诉服务器,客户端要求NTLM验证,请求服务端发送质询码。
GET /wstest/default.aspx HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)
Host: 192.168.1.13:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAAD3==
3.1.4. 服务器返回质询码
服务端收到客户端的请求,发送一个八字节的质询码。
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADgAAAAFgoqii7rzphzu6mEAAAAAAAAAAFwAXABKAAAABQLODgAAAA9CAEkAWgBUAEEATABLAFIAMgACABIAQgBJAFoAVABBAEwASwBSADIAAQASAEIASQBaAFQAQQBMAEsAUgAyAAQAEgBiAGkAegB0AGEAbABrAFIAMgADABIAYgBpAHoAdABhAGwAawBSADIAAAAAAA==
X-Powered-By: ASP.NET
Date: Sun, 11 Nov 2007 12:29:44 GMT
3.1.5. 客户端发送使用前面输入账户的密码加密后的质询码
客户端IE收到质询码后,使用根据一定的规则从登录用户密码派生出的8字节的key对质询码进行DES加密,加密后的质询码和用户名明码连同页面请求一起发送到服务端。
GET /wstest/default.aspx HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; MAXTHON 2.0)
Host: 192.168.1.13:81
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAI4AAAAYABgApgAAABgAGABIAAAAGgAaAGAAAAAUABQAegAAAAAAAAC+AAAABYKIogUCzg4AAAAPMQA5ADIALgAxADYAOAAuADEALgAxADMAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBXAEkATgAyADAAMAAzAC0AUABDAL0amMkkEMWLAAAAAAAAAAAAAAAAAAAAAFND1Boc0kthz0TBnfxn3z4W9/NILU1CtW==
3.1.6. 服务端验证通过,返回资源
服务端收到用户名和加密后的质询码后,根据用户名查找服务器上此用户的密码,按照客户端同样的方法加密质询码,然后跟收到客户端返回的质询码,如果一致,则说明用户名和密码都一致,验证通过,返回客户端IE请求资源。如果不对,再次返回无授权http回应。
HTTP/1.1 200 OK
Date: Sun, 11 Nov 2007 12:29:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
