
SWS Streaming Console Web Server Uses Plain-text Form Based Authentication 

Sep 03, 2015 04:44 PM

Introduction:

SWS 6.1: Streaming web server sending plain-text authentication

 

Problem:

When logging into the streaming console via manual login, the username and password are sent in plain text across the network. A Wireshark capture shows the password being transmitted in plain text.

whoops_0.jpg

Cause:

The 6.1 version wasn’t coded to use NTLM tokens to authenticate users by default. When using the manual login method the password is transmitted in plain-text.

Resolution:

There are multiple ways this can be resolved:

  1. Enable integrated authentication on the portal
    1. Firefox: Firefox has a plugin you can use to enable integrated authentication (https://addons.mozilla.org/en-us/firefox/addon/integrated-auth-for-firefox/)

 

| Setting | Value |
| --- | --- |
| network.negotiate-auth.delegation-uris | <fully qualified domain name> |
| network.automatic-ntlm-auth.trusted-uris | <fully qualified domain name> |
| network.automatic-ntlm-auth.allow-proxies | True |
| network.negotiate-auth.allow-proxies | True |

 

Chrome

  1. Chrome.exe --auth-server-whitelist="MYIISSERVER.DOMAIN.COM" --auth-negotiate-delegate-whitelist="MYIISSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"
  2. Registry key = AuthSchemes

     Data type: String (REG_SZ)
     Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
     Mac/Linux preference name: AuthSchemes
     Supported on: Google Chrome (Linux, Mac, Windows) since version 9
     Supported features: Dynamic Policy Refresh: No, Per Profile:
     Example value: "basic,digest,ntlm,negotiate"

  3. Registry key = AuthServerWhitelist

     Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
     Mac/Linux preference name: AuthServerWhitelist
     Supported on: Google Chrome (Linux, Mac, Windows) since version 9
     Supported features: Dynamic Policy Refresh: No, Per Profile: No
     Example value: "MYIISSERVER.DOMAIN.COM"

  4. Registry key = AuthNegotiateDelegateWhitelist

     Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
     Mac/Linux preference name: AuthNegotiateDelegateWhitelist
     Supported on: Google Chrome (Linux, Mac, Windows) since version 9
     Supported features: Dynamic Policy Refresh: No, Per Profile: No
     Example value: "MYIISSERVER.DOMAIN.COM"

  2. Enable SSL on the portal (see pages 104 – 106 of the admin guide)
    1. https://symwisedownload.symantec.com/resources/sites/SYMWISE/content/live/DOCUMENTATION/4000/DOC4905/en_US/Symantec_Workspace_Streaming_6_1_SP7_MP2_Admin_Guide.pdf?__gda__=1441437388_dcc4c7f9896186e0d2d22938e56270fb
  3. Upgrade to 7.5 or higher
  • As an alternative to the manual login scenario depicted above, you can enable integrated logon; a properly configured client browser then automatically performs an NTLM handshake with the web server. The logon information is then a series of hashed challenges and responses, and no password is sent in clear text. See the Wireshark capture below.
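
One way to check a capture for the two cases described above, as an added example that is not part of the original article: it classifies a captured HTTP request as a form login carrying a password field or as an NTLM message. The sample requests, host name, path and form field names are constructed assumptions, since the article does not give the console's login form.

```python
import base64
import struct
from urllib.parse import parse_qs

NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# Assumption: the page does not name the console's login form fields.
PASSWORD_FIELDS = {"password", "passwd", "pwd"}

def ntlm_message_type(header_value):
    """Name the NTLM message in an Authorization/WWW-Authenticate value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE") or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    # Every NTLM message starts with "NTLMSSP\0" and a little-endian type.
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

def classify_request(raw_request):
    """Classify one captured HTTP request without echoing any secret."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (l.partition(":") for l in lines[1:])}
    kind = ntlm_message_type(headers.get("authorization", ""))
    if kind:
        return "ntlm-" + kind
    is_form = "x-www-form-urlencoded" in headers.get("content-type", "")
    if lines[0].startswith("POST ") and is_form:
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        if PASSWORD_FIELDS & {name.lower() for name in fields}:
            return "cleartext-form-password"
    return "no-credentials"

# Constructed samples; host, path, field names and token body are placeholders.
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 3) + b"\x00" * 20)
FORM_LOGIN = (b"POST /login HTTP/1.1\r\nHost: sws.example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=jdoe&password=REDACTED")
NTLM_LOGIN = (b"GET /console HTTP/1.1\r\nHost: sws.example.test\r\n"
              b"Authorization: NTLM " + NTLM_TOKEN + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("manual", FORM_LOGIN), ("integrated", NTLM_LOGIN)):
        print(label, "->", classify_request(req))
```

A `cleartext-form-password` result on a request seen over plain HTTP corresponds to the manual login problem; `ntlm-authenticate` corresponds to the integrated logon handshake.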

 

working_whoops.jpg

 

 
