Hello,
Recently I noticed in our IIS server event logs that, during authentication, multiple Mac OS devices use "WORKSTATION" as the Workstation name in NTLM message 3.
Is it possible to change it or use the real Mac machine name during NTLM authentication? We observe that behavior in Safari and our custom Mac app, which uses NSURLAuthenticationMethodNTLM. We used Wireshark to analyse packets and spotted that different Mac devices use the same fixed "WORKSTATION" name during NTLM authentication in NTLM message #3. We need to see the real Mac device name in our logs for proper audit. Is there any configuration setting that controls this, on Mac (for our custom Swift app) and in Safari on Mac?
This is an example from the IIS server's Windows event log:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: CORP\user1
Account Name: user1
Account Domain: CORP
Logon ID: 0x93E5DE
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: WORKSTATION
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 0
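
Added example, not part of the original post: a parser for the NTLM AUTHENTICATE_MESSAGE (message 3) that reads the Workstation field discussed above straight from an HTTP `Authorization: NTLM ...` value, using the field layout from MS-NLMP. The function names, the sample message (including "MACBOOK-01") and the cp437 fallback for the OEM code page are assumptions constructed for illustration.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# Offsets of the (Len, MaxLen, BufferOffset) descriptors in AUTHENTICATE_MESSAGE
DOMAIN_FIELDS, USER_FIELDS, WORKSTATION_FIELDS, FLAGS = 28, 36, 44, 60

def _field(msg, pos):
    """Return the payload bytes an 8-byte field descriptor points to."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(header_value):
    """Parse an 'NTLM <base64>' Authorization value carrying message 3."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    flags = struct.unpack_from("<I", msg, FLAGS)[0]
    # Assumption: cp437 stands in for the OEM code page when Unicode is off.
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    return {name: _field(msg, pos).decode(enc) for name, pos in
            (("domain", DOMAIN_FIELDS), ("user", USER_FIELDS),
             ("workstation", WORKSTATION_FIELDS))}

def has_fixed_workstation(info):
    """True when the client sent the fixed name reported in the post."""
    return info["workstation"].upper() == "WORKSTATION"

def build_sample(domain, user, workstation):
    """Constructed message 3 for the demo: dummy NT response, no Version/MIC."""
    parts = [b"", b"\x00" * 24] + [s.encode("utf-16-le") for s in
                                   (domain, user, workstation)] + [b""]
    header, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    header += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode()

if __name__ == "__main__":
    for ws in ("WORKSTATION", "MACBOOK-01"):  # constructed sample values
        info = parse_authenticate(build_sample("CORP", "user1", ws))
        print(info, "fixed name" if has_fixed_workstation(info) else "ok")
```

The Workstation field is supplied by the client and is not verified by the server, so it is useful for audit correlation but not as proof of device identity.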