For people who love to look at network traces and would like to see the traffic when a web proxy client accesses the internet through ISA Server using Kerberos authentication,
here is a sample. I will add more comments to it whenever time permits, to give it more readability. Treat it as a reference for what you would expect to see in the network traffic, for comparison or for understanding the behaviour.
***********************************************************************************************************************************************************************************************
Web access by a web proxy client: Kerberos authentication. Notice how few packets (only two) are exchanged between ISA and the client for authentication; compare this with NTLM authentication (to get internet access through ISA), which i will discuss in my next post. This makes it a good case for thinking about how much traffic is reduced by using Kerberos authentication.
TCP handshake
2 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP:Flags=......S., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992582363, Ack=0, Win=65535 ( ) = 65535 {TCP:2, IPv4:1}
3 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283664136, Ack=992582364, Win=16384 ( Scale factor not supported ) = 16384 {TCP:2, IPv4:1}
4 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992582364, Ack=283664137, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
The GET request after the TCP handshake
5 03:46:14.5395660 21829.1705660 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
Acknowledgement of frame 5
6 03:46:14.6801910 21829.3111910 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283664137, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
Proxy Authentication Required message from the ISA server, with status code 407
7 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Proxy authentication required, URL: http://www.bing.com/ Using Multiple Authetication Methods, see frame details {HTTP:3, TCP:2, IPv4:1}
Details of frame 7 are shown below for deeper insight (note that the ISA server sends the authentication methods it supports to the client in the "ProxyAuthenticate" header).
Note: this happens if there is an internet access rule on ISA/TMG that allows access only to authenticated users.
*************************************************************************************
Frame: Number = 7, Captured Frame Length = 1514, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-58-87-02],SourceAddress:[00-15-5D-58-87-03]
+ Ipv4: Src = 192.168.0.1, Dest = 192.168.0.10, Next Protocol = TCP, Packet ID = 1124, Total IP Length = 1500
+ Tcp: Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283664137 - 283665597, Ack=992583031, Win=64868 (scale factor 0x0) = 64868
- Http: Response, HTTP/1.1, Status: Proxy authentication required, URL: http://www.bing.com/ Using Multiple Authetication Methods, see frame details
ProtocolVersion: HTTP/1.1
StatusCode: 407, Proxy authentication required
Reason: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 ISA-NEW
- ProxyAuthenticate: Negotiate
- Authenticate: Negotiate
WhiteSpace:
AuthenticateData: Negotiate
- ProxyAuthenticate: Kerberos
- Authenticate: Kerberos
WhiteSpace:
AuthenticateData: Kerberos
- ProxyAuthenticate: NTLM
- Authenticate: NTLM
WhiteSpace:
AuthenticateData: NTLM
Connection: Keep-Alive
ProxyConnection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
- ContentType: text/html
MediaType: text/html
ContentLength: 4111
HeaderEnd: CRLF
- payload: HttpContentType = text/html
HtmlElement: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
HtmlElement:
<HTML>
HtmlElement: <HEAD>
HtmlElement: <TITLE>
HtmlElement: Error Message</TITLE>
HtmlElement:
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
HtmlElement:
<STYLE id=L_default_1>
HtmlElement: A {
FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: #005a80; FONT-FAMILY: tahoma
}
A:hover {
FONT-WEIGHT: bold; FONT-SIZE: 10pt; COLOR: #0d3372; FONT-FAMILY: tahoma
}
TD {
FONT-SIZE: 8pt; FONT-FAMILY: tahoma
}
TD.titleBorder {
BORDER-RIG
*************************************************************************************
Continuation of the Proxy Authentication Required response in frame 7, and the respective acknowledgements.
8 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283665597 - 283667057, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
9 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992583031, Ack=283667057, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
10 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283667057 - 283668517, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
11 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #7]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=137, Seq=283668517 - 283668654, Ack=992583031, Win=64868 (scale factor 0x0) = 64868 {TCP:2, IPv4:1}
12 03:46:26.7270660 21841.3580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992583031, Ack=283668654, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
Authorization response from the client.
13 03:46:26.7426910 21841.3736910 iexplore.exe 192.168.0.10 192.168.0.1 HTTP HTTP:Request, GET http://www.bing.com/ , Using GSS-API Authorization {HTTP:3, TCP:2, IPv4:1}
Details: the client sends a Kerberos AP request, KRB_AP_REQ (14), carrying the Kerberos token, i.e. Ticket: Realm: CORPA.LOCAL, Sname: HTTP/isa-new.corpa.local,
as shown below
*************************************************************************************
Frame: Number = 13, Captured Frame Length = 2446, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-58-87-03],SourceAddress:[00-15-5D-58-87-02]
+ Ipv4: Src = 192.168.0.10, Dest = 192.168.0.1, Next Protocol = TCP, Packet ID = 15714, Total IP Length = 2432
+ Tcp: [Bad CheckSum]Flags=...AP..., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=2392, Seq=992583031 - 992585423, Ack=283668654, Win=65535 (scale factor 0x0) = 65535
- Http: Request, GET http://www.bing.com/ , Using GSS-API Authorization
Command: GET
+ URI: http://www.bing.com/
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept-Encoding: gzip, deflate
ProxyConnection: Keep-Alive
+ Cookie: MUID=B4E2B7A6025A4BCBB5AE84B1F4BC646D; SRCHD=MS=1367625&D=1055001&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20100102; _UR=OMW=1&OMF=1; SRCHUID=V=2&GUID=FF1CEFDA48FD47B495A1C2B71E5C5B3B
- ProxyAuthorization: Negotiate
- Authorization: Negotiate YIIE8QYGKwYBBQUCoIIE5TCCBOGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBLcEggSzYIIErwYJKoZIhvcSAQICAQBuggSeMIIEmqADAgEFoQMCAQ6iBwMFACAAAACjggO/YYIDuzCCA7egAwIBBaENGwtDT1JQQS5MT0NBTKImMCSgAwIBAqEdMBsbBEhUVFAbE2lzYS1uZXcuY29yc
WhiteSpace:
- NegotiateAuthorization:
Scheme: Negotiate
- GssAPI: 0x1
- InitialContextToken:
+ ApplicationHeader:
- ThisMech: SpnegoToken (1.3.6.1.5.5.2)
+ MechType: SpnegoToken (1.3.6.1.5.5.2)
- InnerContextToken: 0x1
- SpnegoToken: 0x1
+ ChoiceTag:
- NegTokenInit:
+ SequenceHeader:
+ Tag0:
- MechTypes: Prefer MsKerberosToken (1.2.840.48018.1.2.2)
+ SequenceHeader:
+ MechType: MsKerberosToken (1.2.840.48018.1.2.2)
+ MechType: KerberosToken (1.2.840.113554.1.2.2)
+ MechType: NLMP (1.3.6.1.4.1.311.2.2.10)
+ Tag2:
+ OctetStringHeader:
- MechToken: 0x1
- MsKerberosToken: 0x1
- KerberosInitToken:
+ ApplicationHeader:
- ThisMech: KerberosToken (1.2.840.113554.1.2.2)
+ MechType: KerberosToken (1.2.840.113554.1.2.2)
- InnerContextToken: 0x1
- KerberosToken: 0x1
TokId: Krb5ApReq (0x100)
- ApReq: KRB_AP_REQ (14)
+ ApplicationTag:
+ SequenceHeader:
+ Tag0:
+ PvNo: 5
+ Tag1:
+ MsgType: KRB_AP_REQ (14)
+ Tag2: 0x1
+ ApOptions:
+ Tag3:
- Ticket: Realm: CORPA.LOCAL, Sname: HTTP/isa-new.corpa.local
+ ApplicationTag:
+ SequenceHeader:
+ Tag0:
+ TktVno: 5
+ Tag1:
+ Realm: CORPA.LOCAL
+ Tag2: 0x1
- Sname: HTTP/isa-new.corpa.local
+ SequenceHeader:
+ Tag0:
+ NameType: NT-SRV-INST (2)
+ Tag1:
+ SequenceOfHeader:
+ NameString: HTTP
+ NameString: isa-new.corpa.local
+ Tag3: 0x1
- EncPart:
+ SequenceHeader:
+ Tag0:
+ EType: rc4-hmac (23)
+ Tag1:
+ KvNo: 5
+ Tag2:
+ Cipher: (encrypted ticket bytes, shown by Netmon as unprintable characters)
+ Tag4:
+ Authenticator:
Host: www.bing.com
HeaderEnd: CRLF
*************************************************************************************
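As an added example (not code from the original post), here is a small Python DER walker that pulls out of frame 13's Proxy-Authorization header the pieces Netmon labels above: the SPNEGO mechTypes list, the Krb5ApReq token id, the AP-REQ message type and the ticket's realm and service name. The header as captured on this page is cut off inside the SPN, so the parser stops where the bytes end, recovers only "isa-new.cor" of the name, and reports that the token is incomplete; the OID display names in OIDS are my own labels.

```python
import base64
# Mechanism OIDs from the trace's SPNEGO mechTypes list (display names are mine)
OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.48018.1.2.2": "MS-Kerberos",
        "1.2.840.113554.1.2.2": "Kerberos", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Proxy-Authorization value copied from frame 13 above; the capture cuts it off mid-SPN
HEADER = ("Negotiate YIIE8QYGKwYBBQUCoIIE5TCCBOGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGC"
          "NwICCqKCBLcEggSzYIIErwYJKoZIhvcSAQICAQBuggSeMIIEmqADAgEFoQMCAQ6iBwMFACAAAACjggO/"
          "YYIDuzCCA7egAwIBBaENGwtDT1JQQS5MT0NBTKImMCSgAwIBAqEdMBsbBEhUVFAbE2lzYS1uZXcuY29yc")

def tlv(buf, pos):
    """One DER tag+length at pos -> (tag, value_start, value_end); end may exceed a cut-off buf."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits = number of length bytes
        n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    while start < min(end, len(buf) - 1):           # yield each element; stop where the bytes run out
        tag, s, e = tlv(buf, start)
        yield tag, s, e
        start = e

def path(buf, start, end, *tags):
    """Descend through the given tags; (start, end) of the last content, or None if cut off."""
    for want in tags:
        for tag, s, e in children(buf, start, end):
            if tag == want: start, end = s, e; break
        else: return None
    return start, end

def oid_str(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                               # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_negotiate(header):
    """Parse a 'Negotiate <base64>' value into the fields Netmon shows for frame 13."""
    b64 = header.split(None, 1)[1]
    buf = base64.b64decode(b64[:len(b64) - len(b64) % 4])  # drop a partial base64 group
    _, p, end = tlv(buf, 0)                         # [APPLICATION 0] GSS InitialContextToken
    out = {"complete": end <= len(buf)}             # False: declared length exceeds the capture
    q = tlv(buf, p)[2]                              # skip OID 1.3.6.1.5.5.2 = SPNEGO
    init = path(buf, q, end, 0xA0, 0x30)            # [0] NegTokenInit -> SEQUENCE
    mechs = path(buf, *init, 0xA0, 0x30)            # [0] mechTypes: SEQUENCE OF OID, preferred first
    out["mechs"] = [OIDS.get(oid_str(buf[x:y]), "?") for _, x, y in children(buf, *mechs)]
    tok = path(buf, *init, 0xA2, 0x04, 0x60)        # [2] mechToken -> OCTET STRING -> Kerberos GSS token
    q = tlv(buf, tok[0])[2]                         # skip OID 1.2.840.113554.1.2.2 = Kerberos
    out["tok_id"] = int.from_bytes(buf[q:q + 2], "big")   # 0x0100 = Krb5ApReq
    req = path(buf, q + 2, tok[1], 0x6E, 0x30)      # [APPLICATION 14] AP-REQ -> SEQUENCE
    out["msg_type"] = buf[path(buf, *req, 0xA1, 0x02)[0]]  # [1] msg-type, 1-byte INTEGER: 14 = KRB_AP_REQ
    tkt = path(buf, *req, 0xA3, 0x61, 0x30)         # [3] Ticket: [APPLICATION 1] -> SEQUENCE
    a, b = path(buf, *tkt, 0xA1, 0x1B); out["realm"] = buf[a:b].decode()   # [1] realm GeneralString
    name = path(buf, *tkt, 0xA2, 0x30)              # [2] sname: PrincipalName SEQUENCE
    out["sname"] = [buf[x:y].decode() for _, x, y in children(buf, *path(buf, *name, 0xA1, 0x30))]
    out["enc_part"] = path(buf, *tkt, 0xA3) is not None     # [3] enc-part lies past the cut-off
    return out
```

To check a header from your own capture, pass the full `Negotiate ...` value to parse_negotiate; with an untruncated token, complete and enc_part both come back True.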
Acknowledgement, and then status 200 OK in frame 29 (frames 15 to 28 are not shown here), which means that the user has been authenticated and we got 200 OK from the server.
14 03:46:26.7426910 21841.3736910 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=0, Seq=283668654, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
29 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:Response, HTTP/1.1, Status: Ok, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
***********************************************************************************
Data and corresponding acknowledgements
30 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283670114 - 283671574, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
31 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283671574 - 283673034, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
After that, the data is received by the client, as highlighted above and shown below: the payload is sent by the ISA server after it receives it from the web server.
32 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283673034, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
33 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283673034 - 283674494, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
34 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #29]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=813, Seq=283674494 - 283675307, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
35 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283675307, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
36 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
37 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283676767 - 283678227, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
38 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283678227 - 283679687, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
39 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283679687 - 283681147, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
40 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283681147 - 283682607, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
41 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #36]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=660, Seq=283682607 - 283683267, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
42 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283683267, Win=64875 (scale factor 0x0) = 64875 {TCP:2, IPv4:1}
43 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
44 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #43]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=688, Seq=283684727 - 283685415, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
45 03:46:53.2114410 21867.8424410 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283685415, Win=62727 (scale factor 0x0) = 62727 {TCP:2, IPv4:1}
46 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP:[Dup Ack #45] [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283685415, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
47 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
48 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283686875 - 283688335, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
49 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283688335 - 283689795, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
50 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283689795 - 283691255, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
51 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283691255, Win=64075 (scale factor 0x0) = 64075 {TCP:2, IPv4:1}
52 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #47]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=204, Seq=283691255 - 283691459, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
53 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283691459, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
54 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 HTTP HTTP:HTTP Payload, URL: http://www.bing.com/ {HTTP:3, TCP:2, IPv4:1}
55 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #54]Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=1460, Seq=283692919 - 283694379, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
56 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.1 192.168.0.10 TCP TCP:[Continuation to #54]Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=1243, PayloadLen=408, Seq=283694379 - 283694787, Ack=992585423, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
57 03:46:53.2270660 21867.8580660 iexplore.exe 192.168.0.10 192.168.0.1 TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=1243, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=992585423, Ack=283694787, Win=65535 (scale factor 0x0) = 65535 {TCP:2, IPv4:1}
*************************************************************************************
Completion of the data flow; this data is then used by iexplore.exe to render the page in the IE window (data reception and rendering happen simultaneously).