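I am trying to authenticate an application, acting as a softphone client, to Lync Server 2013 using the NTLM method in SIP. But I am not sure how to do the AUTHENTICATE_MESSAGE part of it.
Here is what I do for the authorization part of the SIP message: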
if CSeq = '1' then
begin
  // First message is to get the server authentication methods and realm/targetname
  result := result + '';
end
else if CSeq = '2' then
begin
  // On the second message, I pass the realm and targetname, corresponding to the negotiate message
  result := result + 'Authorization: NTLM qop="'+mQop+'", realm="'+mRealm+'", targetname="'+mTargetName+'", version='+mVersion+', gssapi-data="" ' + #13#10;
end
else if CSeq = '3' then
begin
  // ProcessedChallenge and response are the two values I do not know how to compute
  if StrToInt(mVersion) > 3 then
  begin
    result := result + 'Authorization: NTLM opaque="'+mOpaque+'", qop="'+mQop+'", realm="'+mRealm+'", targetname="'+mTargetName+'", '+
      'gssapi-data="'+ProcessedChallenge+'", version='+mVersion+', crand="'+CNONCE+'", '+
      'cnum="'+NONCECOUNT+'", response="'+response+'"' + #13#10;
  end
  else
  begin
    result := result + 'Authorization: NTLM opaque="'+mOpaque+'", qop="'+mQop+'", realm="'+mRealm+'", targetname="'+mTargetName+'", '+
      'gssapi-data="'+ProcessedChallenge+'", version='+mVersion + #13#10;
  end;
end;
The problem is, I am not sure how to generate the "ProcessedChallenge" and "response" values in the third message. The rest seems OK, but just in case, here are the traces:
REGISTER sip:novotest.ca SIP/2.0
Via: SIP/2.0/TLS 192.168.20.180:5061
Max-Forwards: 70
Supported: replaces
Contact: <sip:192.168.20.180:5061;transport=tls>
To: <sip:mcote@novotest.ca>
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 1 REGISTER
Expires: 3600
User-Agent: KOMUTEL SIP
Content-Length: 0

SIP/2.0 401 Unauthorized
Date: Mon, 03 Feb 2014 20:03:12 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/qa121vm179.Novotest.ca", version=4
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4, sts-uri="https://qa121vm179.novotest.ca:443/CertProv/CertProvisioningService.svc"
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
To: <sip:mcote@novotest.ca>;tag=FA72F83E7EA12109F5E9C2E8F087DA00
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 1 REGISTER
Via: SIP/2.0/TLS 192.168.20.180:5061;ms-received-port=5061;ms-received-cid=164200
Server: RTC/5.0
Content-Length: 0

REGISTER sip:novotest.ca SIP/2.0
Via: SIP/2.0/TLS 192.168.20.180:5061
Max-Forwards: 70
Supported: replaces
Contact: <sip:192.168.20.180:5061;transport=tls>
To: <sip:mcote@novotest.ca>
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 2 REGISTER
Expires: 3600
User-Agent: KOMUTEL SIP
Supported: gruu-10
Authorization: NTLM qop="auth", realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4, gssapi-data=""
Content-Length: 0

SIP/2.0 401 Unauthorized
Date: Mon, 03 Feb 2014 20:03:12 GMT
WWW-Authenticate: NTLM opaque="AF511061", gssapi-data="TlRMTVNTUAACAAAAAAAAADgAAADzgpjixfrJRZMjjbQAAAAAAAAAAKAAoAA4AAAABgOAJQAAAA8CABAATgBPAFYATwBUAEUAUwBUAAEAFABRAEEAMQAyADEAVgBNADEANwA5AAQAFgBOAG8AdgBvAHQAZQBzAHQALgBjAGEAAwAsAHEAYQAxADIAMQB2AG0AMQA3ADkALgBOAG8AdgBvAHQAZQBzAHQALgBjAGEABQAWAE4AbwB2AG8AdABlAHMAdAAuAGMAYQAHAAgAlvq/9xohzwEAAAAA", targetname="qa121vm179.Novotest.ca", realm="SIP Communications Service", version=4
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
To: <sip:mcote@novotest.ca>;tag=FA72F83E7EA12109F5E9C2E8F087DA00
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 2 REGISTER
Via: SIP/2.0/TLS 192.168.20.180:5061;ms-received-port=5061;ms-received-cid=164200
Server: RTC/5.0
Content-Length: 0

REGISTER sip:novotest.ca SIP/2.0
Via: SIP/2.0/TLS 192.168.20.180:5061
Max-Forwards: 70
Supported: replaces
Contact: <sip:192.168.20.180:5061;transport=tls>
To: <sip:mcote@novotest.ca>
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 3 REGISTER
Expires: 3600
User-Agent: KOMUTEL SIP
Supported: gruu-10
Authorization: NTLM opaque="AF511061", qop="auth", realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", gssapi-data="TlRMTVNTUAADAAAAGAAYAIoAAAAYABgAogAAABYAFgBAAAAAIgAiAFYAAAASABIAeAAAAAAAAAAAAAAABYIAAE4AbwB2AG8AdABlAHMAdAAuAGMAYQBtAGMAbwB0AGUAQABuAG8AdgBvAHQAZQBzAHQALgBjAGEAbABvAGMAYQBsAGgAbwBzAHQADgbcHeX1D8Dq+saY48dGAFVvXh3zWvVzSiDDtTv/vAPWH5sdqkMSRL4r6raCjCOQ", version=4, crand="0b5f113e", cnum="1", response="0100000024A95BA08AA3947964000000"
Content-Length: 0

SIP/2.0 401 Unauthorized
Date: Mon, 03 Feb 2014 20:03:12 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/qa121vm179.Novotest.ca", version=4
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="qa121vm179.Novotest.ca", version=4, sts-uri="https://qa121vm179.novotest.ca:443/CertProv/CertProvisioningService.svc"
From: <sip:mcote@novotest.ca>;tag=39539C4FEE9F427D8739BE8E5CD813FB;epid=000C299855EC
To: <sip:mcote@novotest.ca>;tag=FA72F83E7EA12109F5E9C2E8F087DA00
Call-ID: 82C61A739E594A09934681B2A13B1A8D
CSeq: 3 REGISTER
Via: SIP/2.0/TLS 192.168.20.180:5061;ms-received-port=5061;ms-received-cid=164200
ms-diagnostics: 1000;reason="Final handshake failed";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)";source="qa121vm179.Novotest.ca"
Server: RTC/5.0
Content-Length: 0
I tried Indy's SSPI and OverbyteICS's authentication methods, but without success. Is there a way to do this in Delphi? If so, how?
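
The `gssapi-data` value in the `CSeq: 2` 401 response is a base64 NTLM CHALLENGE_MESSAGE, and its server challenge, negotiate flags and TargetInfo pairs are what an AUTHENTICATE_MESSAGE is computed from. The Python below is an added example, not part of the original post and not Delphi code; it decodes the blob from the trace using the MS-NLMP field layout, and the names `parse_challenge`, `AV_STRINGS` and `FLAGS` are this example's own.

```python
import base64
import struct
from datetime import datetime, timedelta

# gssapi-data copied from the "CSeq: 2" 401 response in the trace above.
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAAAAAAADgAAADzgpjixfrJRZMjjbQAAAAAAAAAAKAAoAA4AAAABgOAJQAA"
    "AA8CABAATgBPAFYATwBUAEUAUwBUAAEAFABRAEEAMQAyADEAVgBNADEANwA5AAQAFgBOAG8A"
    "dgBvAHQAZQBzAHQALgBjAGEAAwAsAHEAYQAxADIAMQB2AG0AMQA3ADkALgBOAG8AdgBvAHQA"
    "ZQBzAHQALgBjAGEABQAWAE4AbwB2AG8AdABlAHMAdAAuAGMAYQAHAAgAlvq/9xohzwEAAAAA"
)
AV_STRINGS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
              4: "DnsDomainName", 5: "DnsTreeName", 9: "TargetName"}  # UTF-16LE AV pairs
FLAGS = {0x1: "UNICODE", 0x4: "REQUEST_TARGET", 0x10: "SIGN", 0x20: "SEAL",
         0x40: "DATAGRAM", 0x200: "NTLM", 0x8000: "ALWAYS_SIGN", 0x80000:
         "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO", 0x40000000: "KEY_EXCH"}


def parse_challenge(b64):
    """Decode a base64 NTLM CHALLENGE_MESSAGE into challenge, flags and TargetInfo."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00" or msg[8:12] != b"\x02\x00\x00\x00":
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    # Offset 20: NegotiateFlags; 24..39: challenge + reserved; 40: TargetInfoFields.
    flags, ti_len, _, ti_off = struct.unpack_from("<I16xHHI", msg, 20)
    end = ti_off + ti_len
    if end > len(msg):
        raise ValueError("TargetInfo points outside the message")
    info, pos = {}, ti_off
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        if av_id == 0:  # MsvAvEOL ends the list
            break
        if pos + 4 + av_len > end:
            raise ValueError("AV pair overruns TargetInfo")
        value = msg[pos + 4:pos + 4 + av_len]
        if av_id in AV_STRINGS:
            info[AV_STRINGS[av_id]] = value.decode("utf-16-le")
        elif av_id == 7 and av_len == 8:  # FILETIME: 100 ns ticks since 1601-01-01 UTC
            ticks = struct.unpack("<Q", value)[0]
            info["Timestamp"] = datetime(1601, 1, 1) + timedelta(microseconds=ticks // 10)
        else:
            info[av_id] = value.hex()  # unknown or binary pair, kept as hex
        pos += 4 + av_len
    return {"server_challenge": msg[24:32].hex(), "target_info": info,
            "flags": [name for bit, name in FLAGS.items() if flags & bit]}


if __name__ == "__main__":
    print(parse_challenge(CHALLENGE_B64))
```

For the blob in the trace, the decoded flag set includes DATAGRAM, SIGN and KEY_EXCH, and the TargetInfo timestamp matches the `Date` header of the same response.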