curl-users

Re: unable to post data when using ntlm authentication

From: Kevin Pauli <kevin_at_thepaulis.com>
Date: Mon, 17 Mar 2014 13:41:11 -0500

Thanks everyone, that makes sense. Turns out that I am the victim of a
proprietary in-house solution that uses 302s to redirect the request to a
ClearTrust server that verifies the NTLM authentication and sets a session
cookie, then redirects the client back to the original location with
another 302, including the cookie. Because of this bizarre setup, CURL is
unaware that the necessary NTLM authentication has *already* taken place
with the intermediate request to ClearTrust, and therefore CURL tries to
issue an NTLM_NEGOTIATE (without the post body) against the target server.
The target server actually knows nothing about NTLM, and thinks this is
the REAL request, with an empty body, and so it barfs.

So it's not really CURL's fault, I guess. It's this Rube Goldberg setup...

On Sat, Mar 15, 2014 at 5:47 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:

> On Fri, 14 Mar 2014, Dan Fandrich wrote:
>
>> I can confirm this, and it does seem a bit odd, but it does appear to be
>> intentional; test 176 confirms this. If NTLM is truly required then the
>> server will ignore the initial POST and respond with an NTLM handshake, so
>> this 0-byte post will be ignored. But, if the server doesn't actually
>> require authentication, then the server will act on this 0 byte post and
>> could perform some undesired action. What probably should happen is
>> something similar to what happens if --anyauth is used in place of --ntlm;
>> curl sends an Expect: 100-continue instead of a 0 byte request (like test
>> 155).
>>
>
> Correct, it is made on purpose. If you explicitly ask for NTLM, you
> probably do that because you know the server requires it and then you most
> often prefer not having to send a (potentially huge) POST body twice. The
> first time would only be discarded by the server anyway.
>
> This is also due to NTLM authenticating a *connection* and not a request
> like other auth mechanisms.
>
> --
>
> / daniel.haxx.se
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-users
> FAQ: http://curl.haxx.se/docs/faq.html
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-- 
Regards,
Kevin Pauli

Received on 2014-03-17
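
The failure described in this thread, seen from the target server's side, as an added example that is not part of the original mails or of curl: a check that recognises a body-less POST carrying an NTLM NEGOTIATE (type 1) message, so that a server which does not speak NTLM can refuse it instead of acting on the empty body. The function names and the sample header are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample: a minimal type 1 message (signature, type, flags, empty fields).
SAMPLE_NEGOTIATE = base64.b64encode(
    NTLM_SIGNATURE + struct.pack("<II", 1, 0x0207) + bytes(16)
).decode()


def ntlm_message_type(authorization):
    """Return the NTLM message name carried in an Authorization header, or None."""
    scheme, _, token = (authorization or "").strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Layout: 8-byte signature, then a little-endian 32-bit message type.
    if len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    return NTLM_TYPES.get(msg_type)


def classify_request(method, headers):
    """Classify a request as 'ntlm-probe', 'empty-body' or 'normal'."""
    h = {k.lower(): v for k, v in headers.items()}
    has_body = (
        h.get("content-length", "0").strip() not in ("", "0")
        or "transfer-encoding" in h
    )
    if method.upper() in ("POST", "PUT") and not has_body:
        # The first leg of an explicit NTLM handshake: no body, type 1 token.
        if ntlm_message_type(h.get("authorization")) == "NEGOTIATE":
            return "ntlm-probe"
        return "empty-body"
    return "normal"


if __name__ == "__main__":
    probe = {"Content-Length": "0", "Authorization": "NTLM " + SAMPLE_NEGOTIATE}
    print(classify_request("POST", probe))  # handshake leg, not the real request
    print(classify_request("POST", {"Content-Length": "42", "Cookie": "s=1"}))
```

A handler that gets `ntlm-probe` back can answer with an error status before any application logic runs, rather than processing the request as if its body were intentionally empty.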