curl-library
Re: A strange problem with NTLM authentication
Date: Fri, 24 Feb 2006 08:40:04 +0100
On 24 Feb 2006, at 0:45, Daniel Stenberg wrote:
> [...]
>> - First, Firefox sets both the domain offset and the host offset to 0,
>> while curl sets both of them to 32.
>
> This you can easily modify and test if it makes any difference.
> These offsets are byte offsets to where the host and domain
> names are stored, but we have no length on either one, so they both
> point to index 32 but there's no actual name there.
I forgot to say I tried to set them to zero but it didn't work.
>> - Second, Firefox passes NTLM flags 0x07 0x82 0x08 0x00, which
>> should be NTLMFLAG_NEGOTIATE_UNICODE, NTLMFLAG_REQUEST_TARGET,
>> NTLMFLAG_NEGOTIATE_NTLM_KEY, NTLMFLAG_NEGOTIATE_ALWAYS_SIGN,
>> NTLMFLAG_NEGOTIATE_NTLM2_KEY.
>
> Wow. Only the NTLMFLAG_NEGOTIATE_NTLM_KEY is in common with what
> curl sends...
I did notice it, too :) I also tried to set curl's flags to these
values, but it didn't work either. I think that's because the server
then tries to negotiate an NTLM2 key and curl, as far as I know, doesn't
support it.
>> I'd say that NTLMFLAG_NEGOTIATE_UNICODE is irrelevant here
>> (domain, username and password are plain ASCII); as for the other flags,
>> well, I don't know enough of the protocol to tell whether they are the
>> cause of the problem or not.
>
> Me neither, unfortunately, and I have no access to any server (nor
> time) to try out experiments with options like that. Besides, I
> _think_ the server is expected to listen to the client's request, and
> when we don't request Unicode we should be able to keep using
> ASCII...
Anyway, curl requests NEGOTIATE_OEM, which should be ISO-8859-1 on
all the computers involved, so I don't think it would mess
things up even if the communication is going to be encoded in
"non-ASCII".
> But then again, it responds with an "internal error" which indeed
> is weird.
In fact this is the most surprising thing, and that's why I hoped
somebody else had already seen this mysterious "The Local Security
Authority cannot be contacted" error.
> Perhaps also the NTLM2 option Firefox uses makes a difference, as
> it is a separate way to encrypt stuff (afaik).
I think I'll look at the Firefox NTLM code then and try to figure out
what to port in order to add NTLM2 authentication to curl (BTW, are the
licenses compatible, or do I have to rewrite it?). I understand you don't
know the guts of the protocol well either, but your guesses are certainly
a lot more educated than mine, so can you please give me your opinion?
Does this have any chance to succeed, or am I looking in the wrong
direction?
> And this is the document I used when I wrote the NTLM code:
>
> http://curl.haxx.se/rfc/ntlm.html
Yes, I read it; it's good work.
Thanks for your reply,
Michele
Received on 2006-02-24
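To make the Type-1 fields discussed in this thread concrete, here is an added C example (not curl's or Firefox's code) that decodes the little-endian flag word and the two security buffers whose offsets (0 versus 32) and flags (0x07 0x82 0x08 0x00) the thread compares. The two 32-byte messages are constructed samples, and the curl-style flag set (OEM plus NTLM_KEY, the two flags the thread attributes to curl) is an assumption, not curl's actual bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Flag values as listed in the NTLM description linked in the thread. */
#define NTLMFLAG_NEGOTIATE_UNICODE     0x00000001u
#define NTLMFLAG_NEGOTIATE_OEM         0x00000002u
#define NTLMFLAG_REQUEST_TARGET        0x00000004u
#define NTLMFLAG_NEGOTIATE_NTLM_KEY    0x00000200u
#define NTLMFLAG_NEGOTIATE_ALWAYS_SIGN 0x00008000u
#define NTLMFLAG_NEGOTIATE_NTLM2_KEY   0x00080000u
/* Parsed header of a Type-1 (negotiate) message. */
struct ntlm_type1 {
    uint32_t flags;
    uint16_t domain_len; uint32_t domain_off; /* domain security buffer */
    uint16_t host_len;   uint32_t host_off;   /* workstation security buffer */
};
/* Every multi-byte NTLM field is little-endian, whatever the host order. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* A security buffer names nothing when its length is 0, whatever its offset
   (the 0-vs-32 difference in the thread); otherwise it must fit the message. */
static int secbuf_ok(uint32_t off, uint16_t n, size_t len)
{
    return n == 0 || (off <= len && n <= len - off);
}

/* Layout: signature(8) type(4) flags(4) domain secbuf(8) host secbuf(8).
   Returns 0 and fills *out for a well-formed Type-1 header, else -1. */
int ntlm_parse_type1(const unsigned char *buf, size_t len, struct ntlm_type1 *out)
{
    if (len < 32 || memcmp(buf, "NTLMSSP", 8) != 0 || le32(buf + 8) != 1)
        return -1;
    out->flags = le32(buf + 12);
    out->domain_len = (uint16_t)(buf[16] | (buf[17] << 8));
    out->domain_off = le32(buf + 20);
    out->host_len = (uint16_t)(buf[24] | (buf[25] << 8));
    out->host_off = le32(buf + 28);
    return secbuf_ok(out->domain_off, out->domain_len, len) &&
           secbuf_ok(out->host_off, out->host_len, len) ? 0 : -1;
}

/* Constructed samples, not captured traffic: Firefox-style flags 07 82 08 00
   with zeroed buffers; curl-style (assumed: OEM|NTLM_KEY) with offsets 32. */
const unsigned char firefox_type1[32] = { 'N','T','L','M','S','S','P',0, 1,0,0,0,
    0x07,0x82,0x08,0x00, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
const unsigned char curl_type1[32] = { 'N','T','L','M','S','S','P',0, 1,0,0,0,
    0x02,0x02,0x00,0x00, 0,0,0,0, 32,0,0,0, 0,0,0,0, 32,0,0,0 };
```

Both samples parse as valid because a zero-length security buffer carries no name regardless of where its offset points, which is why changing curl's offsets from 32 to 0 alone would not be expected to alter what the server sees.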