Telnet using AUTH NTLM to exchange 2013

I am trying to test NTLM Authentication on our Exchange 2013 environment and I am unable to get the correct Base64 command for passing the username and password to the server. I have been doing the following

telnet IP Address 25

receive the expected response

helo

receive the expected response

AUTH NTLM

334 NTLM Supported

I then attempt to put in a Base64 string which is converted from 'domain\username password'. I think this is where I am going wrong but I cannot find anything useful on how the string should be formatted or converted. Any help will be most appreciated.

August 11th, 2015 11:35am

Hello

Tip: try with username@upnsuffix

August 11th, 2015 2:05pm

Hi Richard,

How are you converting it to Base64?

Try this along with Sneff's suggestion:

PowerShell:

[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("Hello World"))

When you enter the username incorrectly, are you getting this:

AUTH NTLM
334 NTLM supported
adfsdfxxfds535 5.7.3 Authentication unsuccessful

August 12th, 2015 1:38am

Hi Satyajit,

That is indeed the error message I receive upon entering the wrong information. What would be the correct format to convert to Base64?

Richard

August 12th, 2015 6:16am

Hi Richard,

You should be posting the errors as well, it will help us to troubleshoot faster.

Please post the method and process used by you. You might be using an incorrect conversion method or a user that is non-existent.

This is what I have used, you can give it a try and let me know.

#Run this in Exchange Shell

[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes((Get-Mailbox "satyajit").UserPrincipalName))

How to convert string to Base64 and vice versa using Powershell :

http://vstepic.blogspot.in/2013/02/how-to-convert-string-to-base64-and.html

August 12th, 2015 8:25am

Thanks Satyajit,

the issue is less about converting the commands, it is more about building the correct commands and syntax, I am struggling massively to understand how each message type (1, 2 and 3) should be built.

Regards

Richard Wilson

August 12th, 2015 9:41am

Hi Richard,

I didn't quite get what you are trying to build. Are you developing something that would send emails?

For it to work, it needs to work when you are manually testing it.

Please post the results, are you getting Authentication Successful?

August 13th, 2015 1:19am

Hello

For the test, simply using Base64 is not enough.

https://msdn.microsoft.com/en-us/library/cc246870.aspx

August 13th, 2015 2:53am

Hi Satyajit, we need to simply telnet to the server on port 25 using NTLM auth to show a software supplier that our Exchange NTLM is correctly configured and it's their software at fault.
August 13th, 2015 3:13pm

Hi Richard,

Please post the full results or else it won't be possible to help you out.

There might be issues with the Active Directory lookups causing these failures as well. Look out for events related to that.

August 16th, 2015 11:44pm

Hi Satyajit,

At the moment I have no real failure messages to post, I am trying to find out the exact syntax for the commands that I need to run, is it 'AUTH NTLM domain\username password'? or do I need some different commands?

Regards

Richard Wilson

August 17th, 2015 5:00am

In the SMTPReceive log of the Exchange server I get 'Inbound negotiate failed because of InvalidToken' and 'User Name : Null' errors. I believe this will be because I am not sending the correct commands, as I don't really know what to actually send.
August 17th, 2015 5:45am

Hi Richard,

Let me put the commands in order for you. Username is desirable in username@addomain.com UP format and password goes as a separate command.

Wait for around 5-6 seconds after every command for a response from the server.


telnet localhost 25
ehlo example.com
AUTH NTLM
0eWFUUB1Y2MubGYWw=
FUUB1Y2MubGYWweW=e
mail from: test@domain.com
rcpt to: test2@domain.com
Data
Hello Everyone
.

Here is a sample test run.

How to Use Telnet to Test SMTP Communication:

https://technet.microsoft.com/en-us/library/aa995718%28v=exchg.65%29.aspx?f=255&MSPPError=-2147217396

If it's not running, you don't have services correctly set up or there is some issue on the server. Try rebooting the servers once.

535 5.7.3 Authentication unsuccessful

August 17th, 2015 7:22am

Thanks Satyajit,

I've now managed to get it to work.

Regards

Richard Wilson

August 17th, 2015 8:22am

Hi Richard,

Before you test it across NTLM TLS enabled, try if it works without TLS. Disable "Offer basic authentication only after starting TLS" in GUI for the Default Frontend: MailFlow->Receive Connector-> Security.

Change it for all the servers.

Use powershell to confirm the change:

#In Exchange Shell
Get-ReceiveConnector "*\Default Frontend EXCH-*" | fl *auth*

#BasicAuthRequireTLS should not be there
AuthMechanism : Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer
EnableAuthGSSAPI : False

#It should be like this
AuthMechanism : Tls, Integrated, BasicAuth, ExchangeServer
EnableAuthGSSAPI : False

#In any console or Shell
telnet exch-2 25
ehlo
auth login
334 VXNlcm5hbWU6
AVUNDLmxvY2sdsd
334 FzcmQ6sds
RGVsbHN2Y3Mx
235 2.7.0 Authentication successful

Using telnet to test authenticated relay in Exchange:

http://www.dasblinkenlichten.com/using-telnet-to-test-authenticated-relay-in-exchang

August 17th, 2015 8:47am

Hi Richard,

Thanks for the update. But sadly AUTH NTLM is not working for me any more. AUTH LOGIN (Basic without TLS) works.

Can you share the details of how you made it work?

As per my findings, "SMTP Client Successfully Authenticating to an SMTP Server" using NTLM is a bit complex.

There is a "Java Implementation of the Type 3 Response Calculations" which doesn't seem like simple username and password.

Authentication -- NTLM provides a challenge-response authentication mechanism, in which clients are able to prove their identities without sending a password to the server.

Reference:

The NTLM Authentication Protocol and Security Support Provider:

http://curl.haxx.se/rfc/ntlm.html#ntlmSmtpAuthentication

August 18th, 2015 2:50am
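
Added example, not from any participant in this thread: the lines exchanged after AUTH NTLM are Base64-encoded binary NTLMSSP messages, not an encoded username or password. The Python below builds the Type 1 message the client sends after "334 NTLM supported" and decodes the Type 2 challenge from the server's next 334 reply, following the MS-NLMP layout linked earlier in the thread; the domain EXAMPLE and the challenge bytes are constructed sample values, and the Type 3 response is not covered.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Negotiate flag values as defined in MS-NLMP
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def build_type1() -> str:
    """Base64 NEGOTIATE_MESSAGE: the line sent after '334 NTLM supported'."""
    flags = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
             | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_EXTENDED_SESSIONSECURITY)
    # Signature, type 1, flags, then empty domain and workstation fields
    # (length, max length, payload offset); no credentials appear here.
    msg = SIGNATURE + struct.pack("<II", 1, flags)
    msg += struct.pack("<HHI", 0, 0, 32) * 2
    return base64.b64encode(msg).decode("ascii")


def parse_type2(b64: str) -> dict:
    """Decode the CHALLENGE_MESSAGE carried in the server's second 334 reply."""
    raw = base64.b64decode(b64, validate=True)  # ValueError on bad Base64
    if len(raw) < 32 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type, = struct.unpack_from("<I", raw, 8)
    if msg_type != 2:
        raise ValueError(f"expected message type 2, got {msg_type}")
    name_len, _, name_off = struct.unpack_from("<HHI", raw, 12)
    flags, = struct.unpack_from("<I", raw, 20)
    if name_off + name_len > len(raw):
        raise ValueError("target name runs past end of message")
    name = raw[name_off:name_off + name_len]
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"target": name.decode(encoding), "flags": flags,
            "server_challenge": raw[24:32]}


def sample_type2() -> str:
    """Constructed CHALLENGE_MESSAGE for the made-up domain 'EXAMPLE'."""
    name = "EXAMPLE".encode("utf-16-le")
    flags = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
    body = SIGNATURE + struct.pack("<IHHII", 2, len(name), len(name), 48, flags)
    body += bytes.fromhex("0123456789abcdef") + bytes(16)  # challenge, reserved+info
    return base64.b64encode(body + name).decode("ascii")
```

Base64 of a plain 'domain\username password' string has no NTLMSSP signature, so parse_type2 rejects it.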

Hi Satyajit,

To be honest I never managed to get the telnet AUTH NTLM commands working, but I did find that our SMTP connector on Exchange 2013 didn't have 'Exchange Users' selected. I do want to make the commands work, but I cannot find the correct command structure anywhere!

I'd be interested to know what commands you have tried?

Regards

Richard Wilson

September 3rd, 2015 11:32am

Hi Richard,

The commands were same as what I posted earlier.

My further findings point that AUTH LOGIN is testable using manual commandline. Unchecking BasicAuthRequireTLS which opens AUTH LOGIN option.

NTLM is quite complex and I was able to reach only a few steps using the link provided in the earlier post.

September 7th, 2015 2:53am

This topic is archived. No further replies will be accepted.
