SMTP AUTH NTLM Security Driver

The Uniface AUTH NTLM security driver provides SMTP authentication using the Microsoft NT LAN Manager protocol.

activate "UPOPMAIL".SetSecurity(DriverProperties, DriverParameters)

activate "UPOPMAIL".GetSecurity(DriverNumber, "SMTP=", RuntimeInfo)

Parameters

  • DriverProperties—Uniface list with the following syntax:

    "SMTP=UAuthNTLMSMTP{;USE=MAND | OPT}"

  • DriverParameters—Uniface list containing driver-specific parameters that are used during authentication. See Driver Parameters.
  • DriverNumber—number of the driver in the security context; usually 1.
  • "SMTP="—request the DriverProperties string as used in the SetSecurity operation.
  • RuntimeInfo—Uniface list containing information provided by Uniface and the security driver. See Driver Runtime Information.

For more information, see SetSecurity and GetSecurity.

Driver Parameters

NTLM Parameters

  • user—Allowed value: UserName. User name to use for the login. Mandatory.
  • password—Allowed value: Password. Password to use for the login. Mandatory.
  • charset—Allowed values:
      • Unicode—The AUTH NTLM driver attempts to negotiate the use of Unicode in authentication messages sent to and from the SMTP server. If the server supports this, Unicode (UTF-16) is used; otherwise, the SMTP server's character set (OEM) is used. Default.
      • OEM—The AUTH NTLM driver attempts to negotiate the use of the SMTP server's OEM character set instead of Unicode.
  • domain—Allowed value: UserDomain. Domain name, or computer name in the case of a local user, where the user name and password must be verified.
  • workstation—Allowed value: Workstation. Network name of the workstation where the logon attempt originates.
  • policy—Version of NTLM to use when communicating with the SMTP server. Allowed values:
      • LM NTLM VERSION 1, LM NTLM V1, or LM NTLM—The driver sends LM and NTLM (that is, LMv1 and NTLMv1) messages to the SMTP server. There is no negotiation about this. All SMTP servers that support NTLM support at least this, so this is the default.
      • LM NTLM VERSION 2 or LM NTLM V2—The driver sends LMv2 and NTLMv2 messages to the SMTP server. There is no negotiation about this; you must know beforehand that the SMTP server supports this.
      • NTLM—The driver sends NTLM (NTLMv1) messages without the LM part. This is used to avoid exposing the authentication data in the NTLM message to the same vulnerabilities that LM suffers from. This makes sense only for v1, not for v2, since LMv2 has no additional vulnerabilities compared to NTLMv2.
      • SESSION SECURITY—The driver attempts to negotiate NTLM2 Session Security. If the SMTP server supports this, NTLM2 Session Security is used to authenticate. If the server does not support this, the driver falls back to the policy specified after SESSION SECURITY, or to LM NTLM VERSION 1 if none is specified. If a policy follows SESSION SECURITY, a comma must separate SESSION SECURITY and the second policy.

Note: SESSION SECURITY is the only policy that allows a fallback policy to be specified.

Driver Runtime Information

The AUTH NTLM security driver can return runtime information about the current or last connection via GetSecurity.

After a successful login using logonSMTP, you can inquire about the result of the negotiations, for example whether or not Session Security was used, or whether Unicode or OEM was used.

Runtime Information Returned by the NTLM Security Driver

  • CHARSET—Value: UNICODE or OEM. Character set used.
  • POLICY—Possible values:
      • SESSION SECURITY—Returned if SESSION SECURITY was requested and the SMTP server supports it.
      • LM NTLM VERSION 2, LM NTLM, or NTLM—Returned if SESSION SECURITY was not requested or the SMTP server does not support it. The value depends on the policy set by SetSecurity and mirrors that value, since there is no negotiation about this with the SMTP server.
  • TARGETINFO—Value: TRUE or FALSE. Indicates whether the SMTP server has provided target information about itself. The value can only be TRUE if SESSION SECURITY is requested and used. If so, one or more of the following properties may be present:
      • TARGETSERVER—host name of the server
      • TARGETDOMAIN—domain the server is in
      • DNSSERVER—fully qualified DNS host name of the server
      • DNSDOMAIN—DNS domain name
      • PARENTDNSDOMAIN—parent DNS domain name, if the server is in a subdomain

If TARGETINFO is FALSE, none of these properties will be present.
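The following ProcScript is an added illustration, not code from the Uniface documentation or the sample driver. It builds the DriverProperties and DriverParameters lists described above, requests NTLM2 Session Security with an NTLMv2 fallback (so the session never drops to the LM/NTLMv1 default), and then reads the negotiated result back through GetSecurity. The logonSMTP signature, the SMTP_NTLM_PASSWORD logical, the host name, and the account names are assumptions.

```uniface
operation sendViaNtlm
variables
  string vProps, vParams, vRuntime
  string vPolicy, vCharset, vTargetInfo, vTarget, vPassword
endvariables

; DriverProperties: USE=MAND makes NTLM mandatory, so the session
; cannot silently fall back to a weaker SMTP authentication mechanism.
vProps = "SMTP=UAuthNTLMSMTP;USE=MAND"

; Assumption: the password is taken from an assignment-file logical rather
; than hard-coded in ProcScript.
vPassword = $logical("SMTP_NTLM_PASSWORD")

; DriverParameters is a Uniface list of id=value items.
putitem/id vParams, "user", "svc-mailer"
putitem/id vParams, "password", vPassword
putitem/id vParams, "domain", "EXAMPLE"
putitem/id vParams, "workstation", "APPSRV01"
putitem/id vParams, "charset", "Unicode"
; Ask for NTLM2 Session Security; the comma-separated second policy is used
; only when the server does not support it (LMv2/NTLMv2 instead of LM/NTLMv1).
putitem/id vParams, "policy", "SESSION SECURITY,LM NTLM V2"

activate "UPOPMAIL".SetSecurity(vProps, vParams)
if ($procerror < 0)
  putmess "SetSecurity failed: %%$procerror%%%"
  return -1
endif

; Assumption: logonSMTP(Host, Port) is the UPOPMAIL logon operation the
; documentation refers to; check its signature in the UPOPMAIL reference.
activate "UPOPMAIL".logonSMTP("smtp.example.com", 25)
if ($procerror < 0)
  putmess "SMTP logon failed: %%$procerror%%%"
  return -1
endif

; Driver number 1 is the usual value; "SMTP=" selects this driver's properties.
activate "UPOPMAIL".GetSecurity(1, "SMTP=", vRuntime)
getitem/id vPolicy, vRuntime, "POLICY"
getitem/id vCharset, vRuntime, "CHARSET"
getitem/id vTargetInfo, vRuntime, "TARGETINFO"

if (vPolicy = "SESSION SECURITY")
  putmess "NTLM2 Session Security in use (charset %%vCharset%%%)"
  if (vTargetInfo = "TRUE")
    getitem/id vTarget, vRuntime, "TARGETSERVER"
    putmess "Server identifies itself as %%vTarget%%%"
  endif
else
  ; Fallback path: the driver used the second policy without negotiation.
  putmess "Session Security not offered; policy %%vPolicy%%%, charset %%vCharset%%%"
endif
return 0
end
```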

Assignment File

To use this driver, the assignment file must contain the following entry:

[USER_3GL]
Location\uauthntlm(UAuthNTLMSMTP)

If the SMTP server can support NTLM but returns an unexpected error after the first message, it may be that the server has a different way of handling the initial message from the client. In this case, try setting NTLM_INITIAL_RESPONSE in the [LOGICALS] section. For example:

[LOGICALS]
NTLM_INITIAL_RESPONSE = Deferred

For more information, see NTLM_INITIAL_RESPONSE.

Description

The Microsoft NT LAN Manager protocol provides better, but not impervious, authentication than the basic authentication provided by the AUTH LOGIN mechanism. It also supports session signing and encryption.

The compiled library uauthntlm is provided in the \common\bin (Windows) or /common/lib (Unix) directory of your Uniface installation.

The source files for the security driver are available in the Security Driver Sample on Rocket Community.
