curl-users

Re: Different behaviour of file upload with NTLM/Negotiate proxy authentication

From: Malcolm MacArthur <macartm_at_gmail.com>
Date: Sun, 4 Nov 2012 16:47:12 +0000

On Sun, Nov 4, 2012 at 3:17 PM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:

> I am testing file uploads with Negotiate and NTLM proxy authentication.
> And it looks like the behaviour is different for NTLM compared to
> Negotiate. When I use NTLM the Authorisation header is added but not the
> POST data, so I get a wrong result.
>
> Can anybody confirm this? Any idea where the bug is with NTLM?
>
>
It is possible you can see odd results with NTLM and proxies. In my case, I
found what I thought was a 'feature' of how SCHANNEL.DLL negotiates the
NTLM authentication.

But it turned out to be nothing of the sort. You do not look like you're
using Windows, but this could be relevant.

Some proxies, it seems, to reduce the amount of NTLM authentication they
need to do, don't always operate in NTLM mode. Websense is one example.

You can configure it to 'cache' NTLM authentication requests; once a single
request has been received that successfully authenticates, it then doesn't
need NTLM authentication for ANY requests from that host for the next ten
minutes. This, it turns out, was the source of the inconsistencies I saw,
and is a very difficult situation for cURL to work around...

So, I'd have unauthenticated requests sometimes work fine (and then fail,
say, 15 minutes later, after the cache expired). I couldn't ALWAYS tell it
to use NTLM authentication, because that can't be done when the proxy is
transparent (WCCP redirected).

Sure, I could do it by explicitly supplying the proxy address and using
"-U :", but one of my goals was to test transparent WCCP redirection was
working (writing a script to monitor if the web proxy worked - both
transparently AND as an explicit proxy).

Your situation looks remarkably similar...

What I did, in order to get Websense to get my IP authenticated and into
its cache, was complicated. I basically have it try the page request first
with 'curl -v', check the headers for 307 redirect, and if I got a 307
redirect, the trick was to grab the Redirect: URL from the headers, and
THEN use (in my case I didn't specify a username - I wanted to do it all
transparently):

curl -v --ntlm -u : [redirect URL]

to explicitly, directly, use NTLM authentication on the Redirect: URL I got
back from the proxy.

THEN if that's successful, you get back ANOTHER redirection that redirects
you to the ORIGINAL web page you requested. And your IP is in the proxy's
authentication cache for however long the timeout period is.

You can then fire off a request to the original page, with NO
authentication. That is, until the cache times out again.

Perhaps one day I shall get the time to set up a dev environment to add the
support to negotiate this automatically into cURL. All the code is, after
all, already in there; it would just be a case of stringing it together to
fire off NTLM authentication if, and only if, it needs to. I am not a very
good programmer however ...

Malcolm.

> Thank you
> Markus
>
>
> NTLM proxy authentication (missing Content-Type: multipart/form-data;
> boundary=----------------------------2f4caf3f7cd8):
>
> /opt/curl-7.28/bin/curl -v -A "| MSIE |" -U "DOMAIN\user" --proxy-ntlm
>> --form file_upload=@/tmp/test.txt --form do=test --form subdo=file_upload
>> --form http_submit="Start HTTP upload" http://www.csm-testcenter.org/test
>>
> Enter proxy password for user 'DOMAIN\user':
> * About to connect() to proxy proxy.domain.com port 8080 (#0)
> * Trying 192.168.1.200...
> * connected
> * Connected to proxy.domain.com (192.168.1.200) port 8080 (#0)
> * Proxy auth using NTLM with user 'DOMAIN\user'
>
>> POST http://www.csm-testcenter.org/test HTTP/1.1
>> Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
>> User-Agent: | MSIE |
>> Host: www.csm-testcenter.org
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>> Content-Length: 0
>>
>> < HTTP/1.1 200 OK
> < Via: 1.1 192.168.1.200 (PROXY)
> < Date: Sun, 04 Nov 2012 13:22:53 GMT
> < Server: Apache
> < X-Cache: MISS from 192.168.1.200
> < Content-Type: text/html
> < Proxy-Connection: Keep-Alive
> < Transfer-Encoding: chunked
> <
>
> Negotiate proxy authentication (The -U dd:dd is to get around an issue I
> explained in a previous post that negotiate uses a username from the
> Kerberos cache and curl can't deal with it):
>
>
> /opt/curl-7.28/bin/curl -v -A "| MSIE |" -U dd:dd --proxy-negotiate
>> --form file_upload=@/tmp/test.txt --form do=test --form subdo=file_upload
>> --form http_submit="Start HTTP upload" http://www.csm-testcenter.org/test
>>
> * About to connect() to proxy proxy.domain.com port 8080 (#0)
> * Trying 192.168.1.200...
> * connected
> * Connected to proxy.domain.com (192.168.1.200) port 8080 (#0)
>
>> POST http://www.csm-testcenter.org/test HTTP/1.1
>> User-Agent: | MSIE |
>> Host: www.csm-testcenter.org
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>> Content-Length: 515
>> Expect: 100-continue
>> Content-Type: multipart/form-data; boundary=----------------------------2f4caf3f7cd8
>>
>> < HTTP/1.1 100 Continue
> < HTTP/1.1 407 authenticationrequired
> < Content-Type: text/html
> < Cache-Control: no-cache
> < Content-Length: 3407
> < Proxy-Connection: Keep-Alive
> < Proxy-Authenticate: Negotiate
> < Proxy-Authenticate: NTLM
> * HTTP error before end of send, stop sending
> <
> * Closing connection #0
> * Issue another request to this URL: 'http://www.csm-testcenter.org/test'
> * About to connect() to proxy proxy.domain.com port 8080 (#0)
> * Trying 192.168.1.200...
> * connected
> * Connected to proxy.domain.com (192.168.1.200) port 8080 (#0)
> * Proxy auth using GSS-Negotiate with user 'dd'
>
>> POST http://www.csm-testcenter.org/test HTTP/1.1
>> Proxy-Authorization: Negotiate YIICFAYJKoZIhvcSAQICAQBuggIDMIIB/......=
>> User-Agent: | MSIE |
>> Host: www.csm-testcenter.org
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>> Content-Length: 515
>> Expect: 100-continue
>> Content-Type: multipart/form-data; boundary=----------------------------8995e2e39e1f
>>
>> < HTTP/1.1 100 Continue
> < HTTP/1.1 200 OK
> < Via: 1.1 192.168.1.200 (PROXY)
> < Date: Sun, 04 Nov 2012 13:21:28 GMT
> < Server: Apache
> < Content-Type: text/html
> < Proxy-Connection: Keep-Alive
> < Transfer-Encoding: chunked
> <

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-11-04
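The three-step sequence Malcolm describes (plain request, explicit NTLM against the proxy's redirect target, then the original page again without authentication) written out as a POSIX shell script. This is an added example, not code from either post or from the curl project. It assumes curl is on PATH, that the proxy is transparent so no --proxy is passed (Malcolm's WCCP case), and that the proxy's 307 carries its target in the standard Location header, which is what Malcolm calls the "Redirect:" URL; the header dumps used to check the helpers are constructed. The "-u :" form relies on a Windows SSPI build of curl picking up the logged-on user's credentials; on other builds pass real credentials with -u. The same trace-reading also explains Markus's NTLM run above: curl sends the first NTLM request with an empty body (Content-Length: 0) and only repeats the request with the form data once the proxy answers 407, so a proxy that answers 200 immediately because the client IP is already in its authentication cache never sees the upload.

```shell
#!/bin/sh
# Added example (not from the curl-users post): scripted form of the
# "warm the proxy's NTLM authentication cache" sequence described above.
# Assumptions: curl on PATH, transparent proxy (no --proxy needed),
# redirect target delivered in the Location header.

# Print the status code of the last status line in a "curl -D" header dump
# (one dump may hold several responses, e.g. "100 Continue" then "200 OK").
last_status() {
    grep -i '^HTTP/' "$1" | tail -n 1 | awk '{print $2}' | tr -d '\r'
}

# Print the first Location header value in a header dump, or nothing.
# Header names are case-insensitive, so match Location/location/LOCATION.
extract_location() {
    sed -n 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*//p' "$1" \
        | tr -d '\r' | head -n 1
}

# Request URL through the transparent proxy, authenticating with NTLM only
# when the proxy asks for it via a 307 to its own authentication URL.
# Prints the final status code and returns 0 when it is 200.
fetch_via_ntlm_proxy() {
    url=$1
    hdrs=$(mktemp) || return 1

    # Step 1: plain request; succeeds while the client IP is still cached.
    curl -s -o /dev/null -D "$hdrs" "$url" || true
    status=$(last_status "$hdrs")

    if [ "$status" = "307" ]; then
        target=$(extract_location "$hdrs")
        if [ -z "$target" ]; then
            echo "307 without Location header" >&2
            rm -f "$hdrs"
            return 1
        fi
        # Step 2: explicit NTLM against the proxy's redirect target, with
        # "-u :" so the SSPI build uses the logged-on user's credentials.
        # The proxy replies with a redirect back to the original page and
        # puts the client IP into its authentication cache.
        curl -s -o /dev/null -D "$hdrs" --ntlm -u : "$target" || true
        # Step 3: the original page again, now without authentication.
        curl -s -o /dev/null -D "$hdrs" "$url" || true
        status=$(last_status "$hdrs")
    fi

    rm -f "$hdrs"
    echo "$status"
    [ "$status" = "200" ]
}
```

Usage: `fetch_via_ntlm_proxy http://www.csm-testcenter.org/test` prints the final status and exits non-zero when the page was not reached, which is the signal a proxy monitor wants. The two header helpers are separate functions so they can be checked against saved header dumps without a proxy in the loop. Note for whoever runs such a monitor: because the cache Malcolm describes is keyed on the client IP, every process on that host gets proxy access without authenticating for the cache window, so a monitor that warms the cache is also briefly opening the proxy to the whole host.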