curl-library

Re: Problem using negotiated NTLM authentication with IIS 6 & post-data

From: Christopher R. Palmer <crpalmer_at_vivisimo.com>
Date: Tue, 15 Feb 2005 06:45:43 -0500

Daniel Stenberg wrote:
> On Mon, 14 Feb 2005, Christopher R. Palmer wrote:
>
>> Using tcpdump I see that the following data is exchanged:
>>
>> 1. curl sends unauthenticated header (but no post data)
>> 2. web server responds with 401
>> 3. curl sends ntlm type 1 packet
>
> You can see the same things by using curl's option --trace-ascii ;-)

Well, isn't that fancy.... Somewhat easier to read than the raw tcpdump
output....

> What curl version is this? I trust you at least tried this with the
> latest version to make sure we haven't fixed it since? The 'anyauth'
> magic has been written, rewritten and yet again rewritten (yes a third
> time). I believe the last version is the correct version as this was
> debated, discussed and tested a lot.

Sorry, yes, I guess I forgot to mention that I tested this using the
latest CVS snapshot (which was 20050211 as of last night).

> If so, can you show us the --trace-ascii output of the failure? (edit
> out sensitive info before you post)

I've attached the trace-ascii file to this email. There is more than a 2
minute pause before the

== Info: Connection died, retrying a fresh connect
== Info: Closing connection #0
== Info: Issue another request to this URL:
'http://192.168.0.135/_vti_bin/search.asmx'
== Info: About to connect() to 192.168.0.135 port 80
== Info: Trying 192.168.0.135... == Info: connected
== Info: Connected to 192.168.0.135 (192.168.0.135) port 80
== Info: Server auth using NTLM with user 'vivisimo/crpalmer'
=> Send header, 344 bytes (0x158)

and then it succeeds (because it's now back to the --ntlm case).

>> Having tracked down the problem to this point I realize that I am now
>> getting well out of my league for looking at it on my own. Is this a
>> curl bug or an IIS bug?
>
> When this question arises it often is of no importance since people will
> want curl to work against IIS, even if it would do the wrong thing... In
> that light, it is always curl's problem to do right.

This Windows machine is not available externally which means I cannot
easily give you access to it for testing. If you have an extra machine
that you can use for testing, Microsoft offers a free 6 month trial of
Windows 2003 which can be downloaded from their site.

If that's not easy for you, I can do some remote debugging (feel free to
email me directly and let me know what info you need) and, of course, would
gladly test any patches that you come up with.

Cheers,
Chris.

== Info: About to connect() to 192.168.0.135 port 80
== Info: Trying 192.168.0.135... == Info: connected
== Info: Connected to 192.168.0.135 (192.168.0.135) port 80
=> Send header, 303 bytes (0x12f)
0000: POST /_vti_bin/search.asmx HTTP/1.1
0025: User-Agent: curl/7.13.1-20050211 (i686-pc-linux-gnu) libcurl/7.1
0065: 3.1-20050211 OpenSSL/0.9.7e zlib/1.1.4
008d: Host: 192.168.0.135
00a2: Pragma: no-cache
00b4: Accept: */*
00c1: Content-Type: text/xml
00d9: SOAPACTION: urn:Microsoft.Search/Query
0101: Content-Length: 2407
0117: Expect: 100-continue
012d:
<= Recv header, 27 bytes (0x1b)
0000: HTTP/1.1 401 Unauthorized
<= Recv header, 22 bytes (0x16)
0000: Content-Length: 1656
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 27 bytes (0x1b)
0000: Server: Microsoft-IIS/6.0
<= Recv header, 24 bytes (0x18)
0000: WWW-Authenticate: NTLM
<= Recv header, 23 bytes (0x17)
0000: X-Powered-By: ASP.NET
<= Recv header, 45 bytes (0x2d)
0000: MicrosoftSharePointTeamServices: 6.0.2.5530
<= Recv header, 37 bytes (0x25)
0000: Date: Tue, 15 Feb 2005 11:31:41 GMT
== Info: Ignoring the response-body
<= Recv data, 1216 bytes (0x4c0)
0000: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3
0040: .org/TR/html4/strict.dtd">
005c: <HTML><HEAD><TITLE>You are not authorized to view this page</TIT
009c: LE>
00a1: <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Wind
00e1: ows-1252">
00ed: <STYLE type="text/css">
0106: BODY { font: 8pt/12pt verdana }
0129: H1 { font: 13pt/15pt verdana }
014b: H2 { font: 8pt/12pt verdana }
016c: A:link { color: red }
0185: A:visited { color: maroon }
01a4: </STYLE>
01ae: </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
01ee:
01f0: <h1>You are not authorized to view this page</h1>
0223: You do not have permission to view this directory or page using
0263: the credentials that you supplied because your Web browser is se
02a3: nding a WWW-Authenticate header field that the Web server is not
02e3: configured to accept.
02fb: <hr>
0301: <p>Please try the following:</p>
0323: <ul>
0329: <li>Contact the Web site administrator if you believe you should
0369: be able to view this directory or page.</li>
0398: <li>Click the Refresh
03d8: button to try again with different credentials.</li>
040f: </ul>
0416: <h2>HTTP Error 401.2 - Unauthorized: Access is denied due to ser
0456: ver configuration.<br>Internet Information Services (IIS)</h2>
0496: <hr>
049c: <p>Technical Information (for suppor
<= Recv data, 440 bytes (0x1b8)
0000: t personnel)</p>
0012: <ul>
0018: <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">
0058: Microsoft Product Support Services</a> and perform a title searc
0098: h for the words <b>HTTP</b> and <b>401</b>.</li>
00ca: <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (in
010a: etmgr),
0113: and search for topics titled <b>About Security</b>, <b>Authenti
0153: cation</b>, and <b>About Custom Error Messages</b>.</li>
018d: </ul>
0194:
0196: </TD></TR></TABLE></BODY></HTML>
== Info: Connection #0 to host 192.168.0.135 left intact
== Info: Issue another request to this URL: 'http://192.168.0.135/_vti_bin/search.asmx'
== Info: Re-using existing connection! (#0) with host 192.168.0.135
== Info: Connected to 192.168.0.135 (192.168.0.135) port 80
== Info: Server auth using NTLM with user 'vivisimo/crpalmer'
=> Send header, 344 bytes (0x158)
0000: POST /_vti_bin/search.asmx HTTP/1.1
0025: Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
0067: User-Agent: curl/7.13.1-20050211 (i686-pc-linux-gnu) libcurl/7.1
00a7: 3.1-20050211 OpenSSL/0.9.7e zlib/1.1.4
00cf: Host: 192.168.0.135
00e4: Pragma: no-cache
00f6: Accept: */*
0103: Content-Type: text/xml
011b: SOAPACTION: urn:Microsoft.Search/Query
0143: Content-Length: 0
0156:
== Info: Connection died, retrying a fresh connect
== Info: Closing connection #0
== Info: Issue another request to this URL: 'http://192.168.0.135/_vti_bin/search.asmx'
== Info: About to connect() to 192.168.0.135 port 80
== Info: Trying 192.168.0.135... == Info: connected
== Info: Connected to 192.168.0.135 (192.168.0.135) port 80
== Info: Server auth using NTLM with user 'vivisimo/crpalmer'
=> Send header, 344 bytes (0x158)
0000: POST /_vti_bin/search.asmx HTTP/1.1
0025: Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
0067: User-Agent: curl/7.13.1-20050211 (i686-pc-linux-gnu) libcurl/7.1
00a7: 3.1-20050211 OpenSSL/0.9.7e zlib/1.1.4
00cf: Host: 192.168.0.135
00e4: Pragma: no-cache
00f6: Accept: */*
0103: Content-Type: text/xml
011b: SOAPACTION: urn:Microsoft.Search/Query
0143: Content-Length: 0
0156:
<= Recv header, 27 bytes (0x1b)
0000: HTTP/1.1 401 Unauthorized
<= Recv header, 22 bytes (0x16)
0000: Content-Length: 1539
<= Recv header, 25 bytes (0x19)
0000: Content-Type: text/html
<= Recv header, 27 bytes (0x1b)
0000: Server: Microsoft-IIS/6.0
<= Recv header, 101 bytes (0x65)
0000: WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgACJmktQKItN
0040: 8IAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=
<= Recv header, 23 bytes (0x17)
0000: X-Powered-By: ASP.NET
<= Recv header, 45 bytes (0x2d)
0000: MicrosoftSharePointTeamServices: 6.0.2.5530
<= Recv header, 37 bytes (0x25)
0000: Date: Tue, 15 Feb 2005 11:34:03 GMT
== Info: Ignoring the response-body
<= Recv data, 1139 bytes (0x473)
0000: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3
0040: .org/TR/html4/strict.dtd">
005c: <HTML><HEAD><TITLE>You are not authorized to view this page</TIT
009c: LE>
00a1: <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Wind
00e1: ows-1252">
00ed: <STYLE type="text/css">
0106: BODY { font: 8pt/12pt verdana }
0129: H1 { font: 13pt/15pt verdana }
014b: H2 { font: 8pt/12pt verdana }
016c: A:link { color: red }
0185: A:visited { color: maroon }
01a4: </STYLE>
01ae: </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
01ee:
01f0: <h1>You are not authorized to view this page</h1>
0223: You do not have permission to view this directory or page using
0263: the credentials that you supplied.
0287: <hr>
028d: <p>Please try the following:</p>
02af: <ul>
02b5: <li>Contact the Web site administrator if you believe you should
02f5: be able to view this directory or page.</li>
0324: <li>Click the Refresh
0364: button to try again with different credentials.</li>
039b: </ul>
03a2: <h2>HTTP Error 401.1 - Unauthorized: Access is denied due to inv
03e2: alid credentials.<br>Internet Information Services (IIS)</h2>
0421: <hr>
0427: <p>Technical Information (for support personnel)</p>
045d: <ul>
0463: <li>Go to <a hre
<= Recv data, 400 bytes (0x190)
0000: f="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Produc
0040: t Support Services</a> and perform a title search for the words
0080: <b>HTTP</b> and <b>401</b>.</li>
00a2: <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (in
00e2: etmgr),
00eb: and search for topics titled <b>Authentication</b>, <b>Access C
012b: ontrol</b>, and <b>About Custom Error Messages</b>.</li>
0165: </ul>
016c:
016e: </TD></TR></TABLE></BODY></HTML>
== Info: Connection #0 to host 192.168.0.135 left intact
== Info: Issue another request to this URL: 'http://192.168.0.135/_vti_bin/search.asmx'
== Info: Re-using existing connection! (#0) with host 192.168.0.135
== Info: Connected to 192.168.0.135 (192.168.0.135) port 80
== Info: Server auth using NTLM with user 'vivisimo/crpalmer'
=> Send header, 497 bytes (0x1f1)
0000: POST /_vti_bin/search.asmx HTTP/1.1
0025: Authorization: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
0065: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
00a5: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
00e7: User-Agent: curl/7.13.1-20050211 (i686-pc-linux-gnu) libcurl/7.1
0127: 3.1-20050211 OpenSSL/0.9.7e zlib/1.1.4
014f: Host: 192.168.0.135
0164: Pragma: no-cache
0176: Accept: */*
0183: Content-Type: text/xml
019b: SOAPACTION: urn:Microsoft.Search/Query
01c3: Content-Length: 2407
01d9: Expect: 100-continue
01ef:
<= Recv header, 23 bytes (0x17)
0000: HTTP/1.1 100 Continue
=> Send data, 2407 bytes (0x967)
0000: <?xml version="1.0" encoding="utf-8"?><soapenv:Envelope xmlns:xs
0040: d="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.or
0080: g/2001/XMLSchema-instance" xmlns:soapenv="http://schemas.xmlsoap
00c0: .org/soap/envelope/"><soapenv:Body><Query xmlns="urn:Microsoft.S
0100: earch"><queryXml><![CDATA[<QueryPacket xmlns:xsd="http://www.w3.
0140: org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-
0180: instance" revision="1000" xmlns="urn:Microsoft.Search.Query"> <Q
01c0: uery domain="QDomain"> <SupportedFormats> <Format revision="1">u
0200: rn:Microsoft.Search.Response.Content:Content</Format> <Format re
0240: vision="1">urn:Microsoft.Search.Response.Document:Document</Form
0280: at> <Format revision="1">urn:Microsoft.Search.Response.Form:Form
02c0: </Format> </SupportedFormats> <Context> <QueryText language="en-
0300: US" type="MSSQLFT">SELECT "DAV:href", "DAV:displayname", "DAV:co
0340: ntentclass", "DAV:getlastmodified", "DAV:getcontentlength", "DAV
0380: :iscollection", "urn:schemas-microsoft-com:sharepoint:portal:pro
03c0: file:WorkPhone", "urn:schemas-microsoft-com:sharepoint:portal:pr
0400: ofile:WorkEmail", "urn:schemas-microsoft-com:sharepoint:portal:p
0440: rofile:Title", "urn:schemas-microsoft-com:sharepoint:portal:prof
0480: ile:Department", "urn:schemas.microsoft.com:fulltextqueryinfo:Pi
04c0: ctureURL", "urn:schemas-microsoft-com:office:office#Author", "ur
0500: n:schemas.microsoft.com:fulltextqueryinfo:description", "urn:sch
0540: emas.microsoft.com:fulltextqueryinfo:rank", "urn:schemas.microso
0580: ft.com:fulltextqueryinfo:sitename", "urn:schemas.microsoft.com:f
05c0: ulltextqueryinfo:displaytitle", "urn:schemas-microsoft-com:publi
0600: shing:Category", "urn:schemas-microsoft-com:office:office#ows_Cr
0640: awlType", "urn:schemas-microsoft-com:office:office#ows_ListTempl
0680: ate", "urn:schemas-microsoft-com:office:office#ows_SiteName", "u
06c0: rn:schemas-microsoft-com:office:office#ows_ImageWidth", "urn:sch
0700: emas-microsoft-com:office:office#ows_ImageHeight", "DAV:getconte
0740: nttype", "urn:schemas-microsoft-com:sharepoint:portal:area:Path"
0780: , "urn:schemas-microsoft-com:sharepoint:portal:area:CategoryUrlN
07c0: avigation", "urn:schemas-microsoft-com:publishing:CategoryTitle"
0800: , "urn:schemas.microsoft.com:fulltextqueryinfo:sdid", "urn:schem
0840: as-microsoft-com:sharepoint:portal:objectid" from ( TABLE Portal
0880: _Content..Scope() UNION ALL TABLE Non_Portal_Content..Scope() )
08c0: where ( contains(ALL, '"palmer"'))</QueryText></Context><Range><
0900: Count>10</Count></Range></Query></QueryPacket>]]></queryXml></Qu
0940: ery></soapenv:Body></soapenv:Envelope>
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
<= Recv header, 37 bytes (0x25)
0000: Date: Tue, 15 Feb 2005 11:34:16 GMT
<= Recv header, 27 bytes (0x1b)
0000: Server: Microsoft-IIS/6.0
<= Recv header, 23 bytes (0x17)
0000: X-Powered-By: ASP.NET
<= Recv header, 45 bytes (0x2d)
0000: MicrosoftSharePointTeamServices: 6.0.2.5530
<= Recv header, 28 bytes (0x1c)
0000: X-AspNet-Version: 1.1.4322
<= Recv header, 35 bytes (0x23)
0000: Cache-Control: private, max-age=0
<= Recv header, 39 bytes (0x27)
0000: Content-Type: text/xml; charset=utf-8
<= Recv header, 23 bytes (0x17)
0000: Content-Length: 40736
<= Recv data, 2620 bytes (0xa3c)

   ... trimmed the actual data ....
== Info: Connection #0 to host 192.168.0.135 left intact
== Info: Closing connection #0
Received on 2005-02-15
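
Added example, not part of the original mail or of curl: a small decoder for the two unredacted NTLM tokens in the trace above, to confirm which leg of the handshake each request and response carries. NTLM authenticates the TCP connection, so Type 1, Type 2 and Type 3 have to travel on the same connection; the function name and the flag subset are choices made for this example.

```python
import base64
import struct

# Subset of NTLMSSP negotiate flags (bit values from MS-NLMP).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
}

# Tokens copied from the trace above; the Type 2 value is re-joined across the line wrap.
TYPE1 = "TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA="
TYPE2 = ("TlRMTVNTUAACAAAAAAAAADgAAAACAgACJmktQKItN"
         "8IAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=")

def decode_ntlm(token):
    """Decode a base64 NTLMSSP token (Type 1 or Type 2) into its visible fields."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    # Fixed layout: Type 1 flags at offset 12; Type 2 flags at 20, challenge at 24.
    layout = {1: (12, 16), 2: (20, 32)}
    if msg_type not in layout:
        raise ValueError("message type %d is not handled here" % msg_type)
    flag_off, min_len = layout[msg_type]
    if len(raw) < min_len:
        raise ValueError("truncated NTLMSSP message")
    (flags,) = struct.unpack_from("<I", raw, flag_off)
    fields = {"type": msg_type, "flags": flags,
              "flag_names": [name for bit, name in FLAGS.items() if flags & bit]}
    if msg_type == 2:
        fields["challenge"] = raw[24:32].hex()
        # The 8-byte version block at offset 48 is present only with NEGOTIATE_VERSION.
        if flags & 0x02000000 and len(raw) >= 56:
            major, minor, build = struct.unpack_from("<BBH", raw, 48)
            fields["os_version"] = "%d.%d.%d" % (major, minor, build)
    return fields

if __name__ == "__main__":
    for label, token in (("Type 1", TYPE1), ("Type 2", TYPE2)):
        print(label, decode_ntlm(token))
```

The Type 1 token carries only negotiation flags and two empty security buffers, and the Type 2 token carries the server challenge plus a version block; the Type 3 message is redacted in the trace and is not decoded here.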