Introduction:
SWS 6.1: Streaming web server sending plain-text authentication
Problem:
When logging into the streaming console via manual login, the username and password are sent in plain text across the network. A Wireshark capture shows the password being transmitted in plain text.
Cause:
The 6.1 version wasn’t coded to use NTLM tokens to authenticate users by default. When the manual login method is used, the password is transmitted in plain text.
Resolution:
There are multiple ways this can be resolved:
- Enable integrated authentication on the portal
- Firefox: Firefox has a plugin you can use to enable integrated authentication (https://addons.mozilla.org/en-us/firefox/addon/integrated-auth-for-firefox/)

| Setting | Value |
|---|---|
| network.negotiate-auth.delegation-uris | <fully qualified domain name> |
| network.automatic-ntlm-auth.trusted-uris | <fully qualified domain name> |
| network.automatic-ntlm-auth.allow-proxies | True |
| network.negotiate-auth.allow-proxies | True |

- Chrome
  - chrome.exe --auth-server-whitelist="MYIISSERVER.DOMAIN.COM" --auth-negotiate-delegate-whitelist="MYIISSERVER.DOMAIN.COM" --auth-schemes="digest,ntlm,negotiate"
  - Registry key = AuthSchemes
    Data type: String (REG_SZ)
    Windows registry location: Software\Policies\Google\Chrome\AuthSchemes
    Mac/Linux preference name: AuthSchemes
    Supported on: Google Chrome (Linux, Mac, Windows) since version 9
    Supported features: Dynamic Policy Refresh: No, Per Profile:
    Example Value: "basic,digest,ntlm,negotiate"
  - Registry key = AuthServerWhitelist
    Windows registry location: Software\Policies\Google\Chrome\AuthServerWhitelist
    Mac/Linux preference name: AuthServerWhitelist
    Supported on: Google Chrome (Linux, Mac, Windows) since version 9
    Supported features: Dynamic Policy Refresh: No, Per Profile: No
    Example Value: "MYIISSERVER.DOMAIN.COM"
  - Registry key = AuthNegotiateDelegateWhitelist
    Windows registry location: Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist
    Mac/Linux preference name: AuthNegotiateDelegateWhitelist
    Supported on: Google Chrome (Linux, Mac, Windows) since version 9
    Supported features: Dynamic Policy Refresh: No, Per Profile: No
    Example Value: "MYIISSERVER.DOMAIN.COM"
- Enable SSL on the portal (see pages 104-106 of the admin guide)
- https://symwisedownload.symantec.com/resources/sites/SYMWISE/content/live/DOCUMENTATION/4000/DOC4905/en_US/Symantec_Workspace_Streaming_6_1_SP7_MP2_Admin_Guide.pdf?__gda__=1441437388_dcc4c7f9896186e0d2d22938e56270fb
- Upgrade to 7.5 or higher
- As an alternative to the manual login scenario described above, you can enable integrated logon; a properly configured client browser then automatically performs an NTLM handshake with the web server. The logon information is then a series of hashed challenges and responses, and no password is sent in clear text. See Wireshark below.
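
To confirm which of the two behaviours described above a capture shows, the following added example (not part of the original article or the product) classifies plain-HTTP requests exported from a Wireshark capture as cleartext credentials or an NTLM/Negotiate challenge-response. The form field names, host name and sample requests are assumptions constructed for illustration; the article does not say how the manual login encodes its fields.

```python
import base64
import struct
from urllib.parse import parse_qs

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Assumed field names: the page does not name the portal's login form fields.
PASSWORD_FIELDS = {"password", "passwd", "pwd"}

def classify_request(raw: bytes) -> str:
    """Classify how one captured plain-HTTP request carries credentials."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    scheme, _, token = headers.get(b"authorization", b"").partition(b" ")
    scheme = scheme.lower()
    if scheme == b"basic":
        # Basic is only base64 encoding, so the password is recoverable on the wire.
        return "CLEARTEXT: Basic credentials"
    if scheme in (b"ntlm", b"negotiate"):
        try:
            blob = base64.b64decode(token, validate=True)
        except ValueError:
            return "UNKNOWN: undecodable token"
        if blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
            # NTLM messages: 8-byte signature, then a little-endian message type.
            msg_type = struct.unpack_from("<I", blob, 8)[0]
            return "CHALLENGE-RESPONSE: NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
        return "CHALLENGE-RESPONSE: SPNEGO token"
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        if PASSWORD_FIELDS & {k.lower() for k in fields}:
            return "CLEARTEXT: password in form body"
    return "NONE: no credentials seen"

# Constructed sample requests (not from a real capture; host and values are made up).
_TYPE1 = base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x07\x82\x08\xa2")
SAMPLES = {
    "manual": b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=alice&password=example",
    "basic": b"GET / HTTP/1.1\r\nHost: portal.example\r\n"
             b"Authorization: Basic " + base64.b64encode(b"alice:example") + b"\r\n\r\n",
    "integrated": b"GET / HTTP/1.1\r\nHost: portal.example\r\n"
                  b"Authorization: NTLM " + _TYPE1 + b"\r\n\r\n",
}
if __name__ == "__main__":
    print({name: classify_request(raw) for name, raw in SAMPLES.items()})
```

Once SSL is enabled on the portal these requests are no longer readable in a capture, so the check only applies to traffic sent over plain HTTP.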