SSPI and system account

curl is at curl.haxx.se

Brought to you by: bagder, captain-caveman, dfandrich, linusnielsen, and 2 others

This project can now be found here.

#535 SSPI and system account

Status: closed-later

Owner: Daniel Stenberg

Labels: http (206)

Priority: 3

Updated: 2014-12-14

Created: 2005-09-05

Creator: Randy

Private: No

Hi,

I've written a script to download some files via http
using curl and using sspi for authentication. This
works great as long as it is run under the security
context of a user.

However, when run under the system account context
(i.e. a group policy startup script), it no longer
seems authenticate properly.

Here is an excerpt from the IIS log.

curl --ntlm -u : <url> (run under user context)
_______________________________________
03:58:24 172.16.1.170 DOMAIN\RandyT W3SVC1 GET
/MS+Office+2000+wSR1/LICENSE.TXT 200 0 HTTP/1.1 6nzq541

curl --ntlm -u : <url> (run under system context)
_______________________________________
04:00:15 172.16.3.19 - W3SVC1 GET
/MS+Office+2000+wSR1/LICENSE.TXT 401 5 HTTP/1.1 6nzq541

Run under system account context with scripted Internet
Explorer or winhttp 5.1
____________________________________________________
04:00:15 172.16.3.19 DOMAIN\RTTESTSYSTEM$ W3SVC1 GET
/MS+Office+2000+wSR1/LICENSE.TXT 200 0 HTTP/1.1 6nzq541

Discussion

Daniel Stenberg - 2005-09-05

Logged In: YES
user_id=1110

So what is it supposed to do under "system context" ? I
thought the point would be that it gets the user + password
from the current user, and if there's no user what should it
do/use ?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Randy - 2005-09-07

Logged In: YES
user_id=1339800

Sorry for the delay getting back to you.

I believe it should use the active directory domain computer
account.

The DOMAIN\RTTESTSYSTEM$ user that is used by
Internet Explorer in the same context is the computer
account in active directory for the system I was testing on.

-Randy

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2005-09-14

Logged In: YES
user_id=1110

Okey, but I don't know one bit about how those things are
done as I'm not developing on windows myself. A call on the
libcurl mailing list gave nothing.

Don't expect this to be changed anytime soon unless you can
help out!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2005-09-14

priority: 5 --> 3

status: open --> open-later
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Randy - 2005-09-16

Logged In: YES
user_id=1339800

Thanks for getting back to me. We've changed our project to
use the user context so no big deal.

Wish I could help, but I'm not quite there yet. Good luck!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2005-09-16

Logged In: YES
user_id=1110

Good to hear you managed to work around it. I've added this
bug as "known bug #26" (see docs/KNOWN_BUGS) and thus I
close this report.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2005-09-16

status: open-later --> closed-later
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Nobody/Anonymous - 2005-10-21

Logged In: NO

cant make it work in linux

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2005-10-21

Logged In: YES
user_id=1110

Can't make what work and how is that related to this bug report?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: