Nice technet link about SSL working
http://technet.microsoft.com/en-us/library/cc783349(WS.10).aspx
Web Proxy web access using NTLM authentication
Continuation of my previous post with network trace samples and a discussion of the benefits of NTLM vs Kerberos (one more, much shorter concluding post follows this one, with no network trace analysis in it).
80 10:44:15.4937520 17.6177520 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=......S., SrcPort =53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345585, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:23, IPv4:22}
81 10:44:15.4948310 17.6188310 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098244, Ack=2778345586, Win=16384 ( Negotiated scale factor 0x0 ) = 16384 {TCP:23, IPv4:22}
82 10:44:15.4948620 17.6188620 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345586, Ack=2526098245, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}
Client sends the GET request after the TCP handshake
83 10:44:15.4962980 17.6202980 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET http://bing.com/ {HTTP:24, TCP:23, IPv4:22}
ISA acknowledges it
84 10:44:15.7216400 17.8456400 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098245, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}
In frame 166 ISA responds with 407, Proxy authentication required
166 10:44:26.6943050 28.8183050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:24, TCP:23, IPv4:22}
Details (ISA sends the authentication methods it supports in the ProxyAuthenticate header, as shown below).
*************************************************************************************
Frame: Number = 166, Captured Frame Length = 1514, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]
+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14356, Total IP Length = 1500
+ Tcp: Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526098245 - 2526099705, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127
- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ Using Multiple Authetication Methods, see frame details
ProtocolVersion: HTTP/1.1
StatusCode: 407, Proxy authentication required
Reason: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 ISA01
+ ProxyAuthenticate: Negotiate
+ ProxyAuthenticate: Kerberos
+ ProxyAuthenticate: NTLM
Connection: Keep-Alive
ProxyConnection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
+ ContentType: text/html
ContentLength: 4113
HeaderEnd: CRLF
+ payload: HttpContentType = text/html
*******************************************************************************
Then the remaining segments of the 407 response (continuations of frame 166) and the client's acknowledgements follow, as below.
167 10:44:26.6943910 28.8183910 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526099705 - 2526101165, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}
168 10:44:26.6944040 28.8184040 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526101165, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}
169 10:44:26.6950010 28.8190010 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=1460, Seq=2526101165 - 2526102625, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}
170 10:44:26.6951610 28.8191610 iexplore.exe ISA01 192.168.0.104 TCP TCP:[Continuation to #166]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=137, Seq=2526102625 - 2526102762, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}
171 10:44:26.6951710 28.8191710 iexplore.exe 192.168.0.104 ISA01 TCP TCP:Flags=...A...., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2778345994, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400 {TCP:23, IPv4:22}
In frame 172 below we see the client replying to ISA's authentication required message
172 10:44:26.6975050 28.8215050 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET http://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}
Details of this frame: the client informs ISA that it will use NTLMSSP for authentication, as shown below (Signature: NTLMSSP)
************************************************************************************
Frame: Number = 172, Captured Frame Length = 551, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]
+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15976, Total IP Length = 537
+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=497, Seq=2778345994 - 2778346491, Ack=2526102762, Win=32850 (scale factor 0x2) = 131400
- Http: Request, GET http://bing.com/ , Using GSS-API Authorization
Command: GET
+ URI: http://bing.com/
ProtocolVersion: HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
ProxyConnection: Keep-Alive
Host: bing.com
- ProxyAuthorization: Negotiate
- Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
WhiteSpace:
- NegotiateAuthorization:
Scheme: Negotiate
- GssAPI: 0x1
- NLMP: NTLM NEGOTIATE MESSAGE
Signature: NTLMSSP
MessageType: Negotiate Message (0x00000001)
+ NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)
+ DomainNameFields: Length: 0, Offset: 0
+ WorkstationFields: Length: 0, Offset: 0
+ Version: Windows 6.1 Build 7600 NLMPv15
HeaderEnd: CRLF
*************************************************************************************
Then the acknowledgement from ISA for the above frame
173 10:44:26.8779750 29.0019750 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526102762, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630 {TCP:23, IPv4:22}
Then ISA responds in frame 234 with the NTLM challenge
234 10:44:37.5729020 39.6969020 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ , Using GSS-API Authentication {HTTP:24, TCP:23, IPv4:22}
Details of frame 234: here the ISA server sends the NTLM server challenge, as shown below
ServerChallenge: A5206ACE7D62388F
*************************************************************************************
Frame: Number = 234, Captured Frame Length = 609, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-9B-0B-30],SourceAddress:[02-02-C0-A8-00-03]
+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.104, Next Protocol = TCP, Packet ID = 14445, Total IP Length = 595
+ Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=555, Seq=2526102762 - 2526103317, Ack=2778346491, Win=64630 (scale factor 0x0) = 64630
- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ , Using GSS-API Authentication
ProtocolVersion: HTTP/1.1
StatusCode: 407, Proxy authentication required
Reason: Proxy Authentication Required ( Access is denied. )
Via: 1.1 ISA01
- ProxyAuthenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAG
- Authenticate: Negotiate TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAABQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoASQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkAUwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAGwAbw
WhiteSpace:
- NegotiateAuthorization:
Scheme: Negotiate
- GssAPI: 0x1
- Token: NTLM CHALLENGE MESSAGE
- NLMP: NTLM CHALLENGE MESSAGE
Signature: NTLMSSP
MessageType: Challenge Message (0x00000002)
+ TargetNameFields: Length: 16, Offset: 56
+ NegotiateFlags: 0xE2898215 (NTLM v2128-bit encryption, Always Sign)
+ ServerChallenge: A5206ACE7D62388F
Reserved: Binary Large Object (8 Bytes)
+ TargetInfoFields: Length: 146, Offset: 72
+ Version: Windows 5.2 Build 3790 NLMPv15
TargetNameString: MYLABISA
+ AvPairs: 6 pairs
Connection: Keep-Alive
ProxyConnection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
+ ContentType: text/html
ContentLength: 0
HeaderEnd: CRLF
*********************************************************************************
Then the client sends the NTLM response in frame 235, as shown below
235 10:44:37.5739850 39.6979850 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET http://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}
Details of frame 235
As we can see in the details section below, the client sends the NTLMv2 challenge response (NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368), which contains the client's response, i.e. Response: FBAC64C09A9A4407529C9C76A8AE4368, and the client's challenge, i.e. ClientChallenge: B1F8E672B107C76F, along with the following:
DomainNameString: MYLABISA
UserNameString: Administrator
WorkstationString: 2K8APPSVR
*********************************************************************************
Frame: Number = 235, Captured Frame Length = 1151, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-BF-C0-A8-00-03],SourceAddress:[00-15-5D-9B-0B-30]
+ Ipv4: Src = 192.168.0.104, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15977, Total IP Length = 1137
+ Tcp: Flags=...AP..., SrcPort=53399, DstPort=HTTP Alternate(8080), PayloadLen=1097, Seq=2778346491 - 2778347588, Ack=2526103317, Win=32711 (scale factor 0x2) = 130844
- Http: Request, GET http://bing.com/ , Using GSS-API Authorization
Command: GET
+ URI: http://bing.com/
ProtocolVersion: HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
ProxyConnection: Keep-Alive
- ProxyAuthorization: Negotiate
- Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJQAAAAuAS4BrAAAABAAEABYAAAAGgAaAGgAAAASABIAggAAABAAEADaAQAAFYKI4gYBsB0AAAAPrn/HFsKAwKDGvdmxyjAUVU0AWQBMAEEAQgBJAFMAQQBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByADIASwA4AEEAUABQAFMAVgBSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPusZ
WhiteSpace:
- NegotiateAuthorization:
Scheme: Negotiate
- GssAPI: 0x1
- Token: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR
- NLMP: NTLM AUTHENTICATE MESSAGE, Domain: MYLABISA, User: Administrator, Workstation: 2K8APPSVR
Signature: NTLMSSP
MessageType: Authenticate Message (0x00000003)
+ LmChallengeResponseFields: Length: 24, Offset: 148
+ NtChallengeResponseFields: Length: 302, Offset: 172
+ DomainNameFields: Length: 16, Offset: 88
+ UserNameFields: Length: 26, Offset: 104
+ WorkstationFields: Length: 18, Offset: 130
+ EncryptedRandomSessionKeyFields: Length: 16, Offset: 474
+ NegotiateFlags: 0xE2888215 (NTLM v2128-bit encryption, Always Sign)
+ Version: Windows 6.1 Build 7600 NLMPv15
+ MessageIntegrityCheckNotPresent: AE7FC716C280C0A0C6BDD9B1CA301455
DomainNameString: MYLABISA
UserNameString: Administrator
WorkstationString: 2K8APPSVR
- LmChallengeResponseStruct: 000000000000000000000000000000000000000000000000
+ Response: 00000000000000000000000000000000
+ ChallengeFromClient: 0000000000000000
- NTLMV2ChallengeResponse: FBAC64C09A9A4407529C9C76A8AE4368
+ Response: FBAC64C09A9A4407529C9C76A8AE4368
ResponseVersion: 1 (0x1)
HiResponseVersion: 1 (0x1)
+ Z1:
Time: 12/27/2010, 18:44:33.868391 UTC
+ ClientChallenge: B1F8E672B107C76F
+ Z2:
+ AvPairs: 9 pairs
Padding: Binary Large Object (4 Bytes)
+ SessionKeyString: D14BA57C0370405FF6710C424D53B457
Host: bing.com
HeaderEnd: CRLF
*************************************************************************************
After receiving the client's NTLMv2 challenge response shown above, ISA forwards it to the domain controller, which uses this challenge response and the user's domain information to authenticate the user. Refer to http://msdn.microsoft.com/en-us/library/aa378749(v=vs.85).aspx
This is the point we will discuss more in my next post, about the web access performance difference between Kerberos and NTLM.
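As an added example (not the post's own code and not any ISA Server component), the following Python decoder pulls out of the base64 tokens in frames 172, 234 and 235 the same fields Network Monitor shows above: negotiate flags, the server challenge, target name and AV pairs, and the domain, user and workstation in the authenticate message. Because the post's copies of the challenge and authenticate tokens are cut off, the decoder treats a truncated token as a prefix and reports what could not be read, and flags_dropped_by_server shows which options the client offered that ISA did not keep.

```python
"""Decode the NTLMSSP tokens from the Proxy-Authorization / Proxy-Authenticate
headers of frames 172, 234 and 235 above (message layouts per MS-NLMP)."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
FLAGS = {  # NegotiateFlags bits (MS-NLMP 2.2.2.5) worth reading in a capture
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE", 0x00000002: "NTLM_NEGOTIATE_OEM",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN", 0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY", 0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN", 0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO", 0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128", 0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
AV_IDS = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",  # TargetInfo AvIds
          3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",  # (MS-NLMP 2.2.2.1)
          5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 9: "MsvAvTargetName"}

# Tokens copied from the post's frame details. The CHALLENGE and AUTHENTICATE
# copies are cut off in the post, so only their leading bytes can be decoded.
NEGOTIATE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
CHALLENGE_TOKEN = ("TlRMTVNTUAACAAAAEAAQADgAAAAVgonipSBqzn1iOI8AAAAAAAAAAJIAkgBIAAAA"
                   "BQLODgAAAA9NAFkATABBAEIASQBTAEEAAgAQAE0AWQBMAEEAQgBJAFMAQQABAAoA"
                   "SQBTAEEAMAAxAAQAHABtAHkAbABhAGIASQBTAEEALgBsAG8AYwBhAGwAAwAoAEkA"
                   "UwBBADAAMQAuAG0AeQBsAGEAYgBJAFMAQQAuAG")
AUTHENTICATE_TOKEN = ("TlRMTVNTUAADAAAAGAAYAJQAAAAuAS4BrAAAABAAEABYAAAAGgAaAGgAAAAS"
                      "ABIAggAAABAAEADaAQAAFYKI4gYBsB0AAAAPrn/HFsKAwKDGvdmxyjAUVU0A"
                      "WQBMAEEAQgBJAFMAQQBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByADIASwA4"
                      "AEEAUABQAFMAVgBS" + "A" * 33 + "PusZ")  # 24 zero LM bytes, then the cut

def _decode_b64(token):
    """Drop a trailing partial base64 group instead of raising on a cut-off token."""
    return base64.b64decode(token[:len(token) // 4 * 4])

def _field(raw, off):
    """[Len, MaxLen, Offset] descriptor -> (length, offset)."""
    return struct.unpack_from("<HHI", raw, off)[::2]

def _utf16(raw, off, length):
    """Payload string, or None when the captured token ends before it."""
    return None if off + length > len(raw) else raw[off:off + length].decode("utf-16-le")

def _version(raw, off):
    major, minor, build = struct.unpack_from("<BBH", raw, off)
    return f"Windows {major}.{minor} Build {build} NLMPv{raw[off + 7]}"

def _av_pairs(raw, off, length):
    """Walk the AV_PAIR list, stopping cleanly where the capture is truncated."""
    pairs, end, truncated = [], min(off + length, len(raw)), off + length > len(raw)
    while off + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", raw, off)
        if av_id == 0:                                  # MsvAvEOL
            break
        if off + 4 + av_len > end:
            truncated = True
            break
        value = raw[off + 4:off + 4 + av_len]
        pairs.append((AV_IDS.get(av_id, str(av_id)),
                      value.decode("utf-16-le") if av_id in (1, 2, 3, 4, 5, 9) else value.hex()))
        off += 4 + av_len
    return pairs, truncated

def parse_ntlmssp(token_b64):
    raw = _decode_b64(token_b64)
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": MSG_TYPES.get(msg_type, msg_type), "flags": 0, "truncated": False}
    if msg_type == 1:                                   # NEGOTIATE_MESSAGE
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
        if len(raw) >= 40:                              # Version field is optional
            info["version"] = _version(raw, 32)
    elif msg_type == 2:                                 # CHALLENGE_MESSAGE
        name_len, name_off = _field(raw, 12)
        info["flags"] = struct.unpack_from("<I", raw, 20)[0]
        info["server_challenge"] = raw[24:32].hex().upper()
        ti_len, ti_off = _field(raw, 40)
        info["version"] = _version(raw, 48)
        info["target_name"] = _utf16(raw, name_off, name_len)
        info["av_pairs"], info["truncated"] = _av_pairs(raw, ti_off, ti_len)
    elif msg_type == 3:                                 # AUTHENTICATE_MESSAGE
        nt_len, nt_off = _field(raw, 20)
        dom_len, dom_off = _field(raw, 28)
        usr_len, usr_off = _field(raw, 36)
        wks_len, wks_off = _field(raw, 44)
        info["flags"] = struct.unpack_from("<I", raw, 60)[0]
        # A MIC sits at bytes 72..87 when no payload field starts before byte 88.
        info["mic"] = raw[72:88].hex().upper() if min(dom_off, usr_off, wks_off) >= 88 else None
        info["domain"] = _utf16(raw, dom_off, dom_len)
        info["user"] = _utf16(raw, usr_off, usr_len)
        info["workstation"] = _utf16(raw, wks_off, wks_len)
        info["truncated"] = nt_off + nt_len > len(raw)  # NTLMv2 response cut off?
    info["flag_names"] = [n for b, n in sorted(FLAGS.items()) if info["flags"] & b]
    return info

def flags_dropped_by_server(negotiate, challenge):
    """Flags the client offered that the proxy did not echo back in its challenge."""
    dropped = negotiate["flags"] & ~challenge["flags"]
    return [n for b, n in sorted(FLAGS.items()) if dropped & b]
```

On the page's tokens this reproduces the Network Monitor output (flags 0xE2088297 / 0xE2898215 / 0xE2888215, challenge A5206ACE7D62388F, target MYLABISA, user Administrator on 2K8APPSVR) and shows ISA dropping the client's OEM and LM_KEY offers.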
Following is the acknowledgement sent by ISA for the above challenge response from the client.
236 10:44:37.7116510 39.8356510 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526103317, Ack=2778347588, Win=65535 (scale factor 0x0) = 65535 {TCP:23, IPv4:22}
Then, after the user is authenticated and permitted access, we see HTTP/1.1, Status: Ok coming from the ISA server.
609 10:45:01.7702050 63.8942050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: http://www.bing.com/ {HTTP:24, TCP:23, IPv4:22}
***************************************************************************************************************************************
After that, data is sent by the web server via the ISA server to the client machine, as explained and shown in my previous post about web access by a web proxy client using Kerberos authentication.
For people who love to look at network traces and would like to see the network traffic when a web proxy client accesses the Internet through ISA Server using Kerberos authentication, here is the sample. I will add more comments to it whenever time permits, to improve readability. This is a reference for what you would expect to see in the network traffic, for comparison or for understanding the behaviour.
***********************************************************************************************************************************************************************************************
Web access by web proxy client: Kerberos authentication. Notice how many packets (only two) are exchanged between ISA and the client for authentication; compare this with NTLM authentication (to get Internet access through ISA), which I will discuss in my next post. This makes it a good case to think about how much traffic is reduced by using Kerberos authentication.
TCP handshake
2 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP:Flags=......S., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992582363, Ack=0, Win=65535 ( ) = 65535 {TCP:2, IPv4:1}
3 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283664136, Ack=992582364, Win=16384 ( Scale factor not supported ) = 16384 {TCP:2, IPv4:1}
4 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992582364, Ack=283664137, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
The GET request after the TCP handshake
5 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
Acknowledgement of frame 5
6 03:46:14.6801910 21829.3111910 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283664137, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
Proxy authentication required message from the ISA server with status code 407
7 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://www.bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:3, TCP:2, IPv4:1}
Details of frame 7 as below, for deeper insight (we will see the ISA server sends the authentication methods it supports in the "ProxyAuthenticate" header to the client)
Note: this happens if we have an Internet access rule on ISA/TMG that allows access only to authenticated users.
*************************************************************************************
Frame: Number = 7, Captured Frame Length = 1514, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-58-87-02],SourceAddress:[00-15-5D-58-87-03]
+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.10, Next Protocol = TCP, Packet ID = 1124, Total IP Length = 1500
+ Tcp: Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283664137 - 283665597, Ack=992583031, Win=64868 (scale factor 0x0) = 64868
- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: http://www.bing.com/ Using Multiple Authetication Methods, see frame details
ProtocolVersion: HTTP/1.1
StatusCode: 407, Proxy authentication required
Reason: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 ISA-NEW
- ProxyAuthenticate: Negotiate
- Authenticate: Negotiate
WhiteSpace:
AuthenticateData: Negotiate
- ProxyAuthenticate: Kerberos
- Authenticate: Kerberos
WhiteSpace:
AuthenticateData: Kerberos
- ProxyAuthenticate: NTLM
- Authenticate: NTLM
WhiteSpace:
AuthenticateData: NTLM
Connection: Keep-Alive
ProxyConnection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
- ContentType: text/html
MediaType: text/html
ContentLength: 4111
HeaderEnd: CRLF
- payload: HttpContentType = text/html
HtmlElement: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
HtmlElement:
<HTML>
HtmlElement: <HEAD>
HtmlElement: <TITLE>
HtmlElement: Error Message</TITLE>
HtmlElement:
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
HtmlElement:
<STYLE id=L_default_1>
HtmlElement: A {
FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: #005a80; FONT-FAMILY: tahoma
}
A:hover {
FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: #0d3372; FONT-FAMILY: tahoma
}
TD {
FONT-SIZE: 8pt; FONT-FAMILY: tahoma
}
TD.titleBorder {
BORDER-RIG
*************************************************************************************
Continuation of the Proxy authentication required frame #7 and the respective acknowledgements.
8 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283665597 - 283667057, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
9 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992583031, Ack=283667057, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
10 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283667057 - 283668517, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
11 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=137, Seq=283668517 - 283668654, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
12 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992583031, Ack=283668654, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
Authorization Response by the client.
13 03:46:26.7426910 21841.3736910 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET http://www.bing.com/ , Using GSS-API Authorization {HTTP:3, TCP:2, IPv4:1}
Details (the client sends a Kerberos AP request, KRB_AP_REQ (14), with the Kerberos token, i.e. Ticket: Realm: CORPA.LOCAL, Sname: HTTP/isa-new.corpa.local) as shown below
*************************************************************************************
Frame: Number = 13, Captured Frame Length = 2446, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-58-87-03],SourceAddress:[00-15-5D-58-87-02]
+ Ipv4: Src = 192.168.0.10, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15714, Total IP Length = 2432
+ Tcp: [Bad CheckSum]Flags=...AP..., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=2392, Seq=992583031 - 992585423, Ack=283668654, Win=65535 (scale factor 0x0) = 65535
- Http: Request, GET http://www.bing.com/ , Using GSS-API Authorization
Command: GET
+ URI: http://www.bing.com/
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept-Encoding: gzip, deflate
ProxyConnection: Keep-Alive
+ Cookie: MUID=B4E2B7A6025A4BCBB5AE84B1F4BC646D; SRCHD=MS=1367625&D=1055001&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20100102; _UR=OMW=1&OMF=1; SRCHUID=V=2&GUID=FF1CEFDA48FD47B495A1C2B71E5C5B3B
- ProxyAuthorization: Negotiate
- Authorization: Negotiate YIIE8QYGKwYBBQUCoIIE5TCCBOGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBLcEggSzYIIErwYJKoZIhvcSAQICAQBuggSeMIIEmqADAgEFoQMCAQ6iBwMFACAAAACjggO/YYIDuzCCA7egAwIBBaENGwtDT1JQQS5MT0NBTKImMCSgAwIBAqEdMBsbBEhUVFAbE2lzYS1uZXcuY29yc
WhiteSpace:
- NegotiateAuthorization:
Scheme: Negotiate
- GssAPI: 0x1
- InitialContextToken:
+ ApplicationHeader:
- ThisMech: SpnegoToken (1.3.6.1.5.5.2)
+ MechType: SpnegoToken (1.3.6.1.5.5.2)
- InnerContextToken: 0x1
- SpnegoToken: 0x1
+ ChoiceTag:
- NegTokenInit:
+ SequenceHeader:
+ Tag0:
- MechTypes: Prefer MsKerberosToken (1.2.840.48018.1.2.2)
+ SequenceHeader:
+ MechType: MsKerberosToken (1.2.840.48018.1.2.2)
+ MechType: KerberosToken (1.2.840.113554.1.2.2)
+ MechType: NLMP (1.3.6.1.4.1.311.2.2.10)
+ Tag2:
+ OctetStringHeader:
- MechToken: 0x1
- MsKerberosToken: 0x1
- KerberosInitToken:
+ ApplicationHeader:
- ThisMech: KerberosToken (1.2.840.113554.1.2.2)
+ MechType: KerberosToken (1.2.840.113554.1.2.2)
- InnerContextToken: 0x1
- KerberosToken: 0x1
TokId: Krb5ApReq (0x100)
- ApReq: KRB_AP_REQ (14)
+ ApplicationTag:
+ SequenceHeader:
+ Tag0:
+ PvNo: 5
+ Tag1:
+ MsgType: KRB_AP_REQ (14)
+ Tag2: 0x1
+ ApOptions:
+ Tag3:
- Ticket: Realm: CORPA.LOCAL, Sname: HTTP/isa-new.corpa.local
+ ApplicationTag:
+ SequenceHeader:
+ Tag0:
+ TktVno: 5
+ Tag1:
+ Realm: CORPA.LOCAL
+ Tag2: 0x1
- Sname: HTTP/isa-new.corpa.local
+ SequenceHeader:
+ Tag0:
+ NameType: NT-SRV-INST (2)
+ Tag1:
+ SequenceOfHeader:
+ NameString: HTTP
+ NameString: isa-new.corpa.local
+ Tag3: 0x1
- EncPart:
+ SequenceHeader:
+ Tag0:
+ EType: rc4-hmac (23)
+ Tag1:
+ KvNo: 5
+ Tag2:
+ Cipher: Binary Large Object (encrypted part of the ticket; raw bytes not printable)
+ Tag4:
+ Authenticator:
Host: www.bing.com
HeaderEnd: CRLF
*************************************************************************************
Acknowledgement, and then Status 200 OK in frame 29, which means the user has been authenticated and we got 200 OK from the server.
14 03:46:26.7426910 21841.3736910 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283668654, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
29 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
***********************************************************************************
Data and corresponding acknowledgements
30 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283670114 - 283671574, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
31 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283671574 - 283673034, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
After that the data is downloaded/received by the client, as highlighted above and shown below, with the payload sent by the ISA server after receiving it from the web server.
32 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283673034, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
33 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283673034 - 283674494, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
34 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=813, Seq=283674494 - 283675307, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
35 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283675307, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
36 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
37 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283676767 - 283678227, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
38 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283678227 - 283679687, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
39 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283679687 - 283681147, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
40 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283681147 - 283682607, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
41 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=660, Seq=283682607 - 283683267, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
42 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283683267, Win=64875 (scale factor 0x0) = 64875 {TCP:2, IPv4:1}
43 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
44 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #43]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=688, Seq=283684727 - 283685415, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
45 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283685415, Win=62727 (scale factor 0x0) = 62727 {TCP:2, IPv4:1}
46 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP:[Dup Ack #45] [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283685415, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
47 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
48 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283686875 - 283688335, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
49 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283688335 - 283689795, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
50 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283689795 - 283691255, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
51 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283691255, Win=64075 (scale factor 0x0) = 64075 {TCP:2, IPv4:1}
52 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=204, Seq=283691255 - 283691459, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
53 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283691459, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
54 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
55 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #54]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283692919 - 283694379, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
56 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #54]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=408, Seq=283694379 - 283694787, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
57 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283694787, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
*************************************************************************************
Completion of the data flow; this data is then used by iexplore.exe to render in the IE window (data reception and rendering go on simultaneously).
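As an added example (not part of the original post), this script parses Network Monitor frame-summary lines copied from the two traces on this page and counts, per client/proxy pair, the 407 challenges and authenticated GETs needed before the first 200 OK, confirming the two-message Kerberos exchange against the four-message NTLM one. The elapsed-seconds figure includes ISA's upstream work (the DC round trip and fetching bing.com), so it is a wall-clock observation, not a clean measure of authentication cost.

```python
"""Count the proxy-authentication exchanges per client/proxy pair in Network
Monitor frame-summary lines like the ones in the two traces above."""
import re
from collections import defaultdict

# Frame summary columns: number, time of day, seconds since capture start,
# process, source, destination, protocol, description.
FRAME_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\S+)\s+(?P<elapsed>\S+)\s+(?P<proc>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<desc>.*)$")

# Lines copied from the post: NTLM trace (frames 83..609), Kerberos trace (5..29).
SAMPLE_LINES = """
83 10:44:15.4962980 17.6202980 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET http://bing.com/ {HTTP:24, TCP:23, IPv4:22}
84 10:44:15.7216400 17.8456400 iexplore.exe ISA01 192.168.0.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=53399, PayloadLen=0, Seq=2526098245, Ack=2778345994, Win=65127 (scale factor 0x0) = 65127 {TCP:23, IPv4:22}
166 10:44:26.6943050 28.8183050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:24, TCP:23, IPv4:22}
172 10:44:26.6975050 28.8215050 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET http://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}
234 10:44:37.5729020 39.6969020 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://bing.com/ , Using GSS-API Authentication {HTTP:24, TCP:23, IPv4:22}
235 10:44:37.5739850 39.6979850 iexplore.exe 192.168.0.104 ISA01 HTTP HTTP:Request, GET http://bing.com/ , Using GSS-API Authorization {HTTP:24, TCP:23, IPv4:22}
609 10:45:01.7702050 63.8942050 iexplore.exe ISA01 192.168.0.104 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: http://www.bing.com/ {HTTP:24, TCP:23, IPv4:22}
5 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
7 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://www.bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:3, TCP:2, IPv4:1}
13 03:46:26.7426910 21841.3736910 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET http://www.bing.com/ , Using GSS-API Authorization {HTTP:3, TCP:2, IPv4:1}
29 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
""".strip().splitlines()

def parse_frame(line):
    """One summary line -> dict, or None for lines that are not frame summaries."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    frame = m.groupdict()
    frame["num"], frame["elapsed"] = int(frame["num"]), float(frame["elapsed"])
    return frame

def classify(desc):
    """Which step of the proxy-auth handshake an HTTP frame description is."""
    if desc.startswith("HTTP:Response"):
        if "Proxy authentication required" in desc:
            return "challenge"                  # 407 from the proxy
        return "ok" if "Status: Ok" in desc else None
    if desc.startswith("HTTP:Request"):
        return "auth_request" if "GSS-API Authorization" in desc else "request"
    return None                                 # TCP ACKs, continuations, ...

def summarize_auth(lines):
    """Per client/proxy pair: 407s and authenticated GETs before the first 200 OK,
    the frames involved, and seconds from the first plain GET to that 200 OK."""
    flows = defaultdict(lambda: {"challenges": 0, "auth_requests": 0, "auth_frames": [],
                                 "first_get": None, "seconds_to_ok": None})
    for line in lines:
        frame = parse_frame(line)
        kind = classify(frame["desc"]) if frame else None
        if kind is None:
            continue
        flow = flows[" <-> ".join(sorted((frame["src"], frame["dst"])))]
        if flow["seconds_to_ok"] is not None:
            continue                            # this pair already got its 200 OK
        if kind == "request" and flow["first_get"] is None:
            flow["first_get"] = frame["elapsed"]
        elif kind == "challenge":
            flow["challenges"] += 1
            flow["auth_frames"].append(frame["num"])
        elif kind == "auth_request":
            flow["auth_requests"] += 1
            flow["auth_frames"].append(frame["num"])
        elif kind == "ok" and flow["first_get"] is not None:
            flow["seconds_to_ok"] = round(frame["elapsed"] - flow["first_get"], 3)
    return dict(flows)
```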
Hi friends, while working on a UAG issue, I was hitting a dead end with SSLctlidentifier=myCTL as it was giving an error every time I ran it. I'm not adding the full command here but will do. Then I searched the web a bit and found the following link that explains what we can use with SSLctlidentifier=[CTLlist], and in this same link the command that I was trying to use, i.e. netsh http add sslcert (with all the parameters), is also used and that's the way to use it.
http://viisual.net/configuration/IIS7-CTLs.htm
Have a look.
Amazing explanation!!