cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: Failure with --proxy-anyauth on NTLM

From: Matteo Fiorito <fiorito_at_geomind.it>
Date: Fri, 30 Mar 2012 17:02:41 +0200

Hi Steve,
sorry I am replying to a digest, I hope the email get threaded correctly.

Your explanation of the problem fits nicely with what I experienced.
I am going to ask to the sysadmin of the customer to remove/reorder the
proxy authentication protocols.

However it is unlikely to happen.

I quite do not get your second suggestion: I am currently using
PROXY-ANYAUTH because the software goes to different customers and I
cannot guess the right order of proxy for each customer.
- Is there a way to tell Libcurl which is the order of the
authentication to use?
- Or maybe to test all the authentication before failing? Testing all of:

    Proxy-Authenticate: Negotiate
    Proxy-Authenticate: Kerberos
    Proxy-Authenticate: NTLM

Thanks,
Matteo

Il 30/03/2012 12:00, curl-library-request_at_cool.haxx.se ha scritto:
> Message: 3
> Date: Fri, 30 Mar 2012 09:51:49 +0100
> From: Steve Holme<steve_holme_at_hotmail.com>
> To: "'libcurl development'"<curl-library_at_cool.haxx.se>
> Subject: RE: Failure with --proxy-anyauth on NTLM
> Message-ID:<BAY164-ds48D6903EA06BB22EC5B8382490_at_phx.gbl>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Matteo,
>
>> These are the results of the tests (I have no access to the
>> ISA-server-Proxy).
>>
>> 1. curl.exe --proxy-ntlm --proxy 192.168.0.110:3128 --proxy-user
>> user:pass www.google.com It works fine if --proxy-ntlm
>> <http://curl.haxx.se/docs/manpage.html#--proxy-ntlm> is
>> specified.
>>
>> 2. curl.exe --proxy-anyauth --proxy 192.168.0.110:3128 --proxy-user
>> user:pass www.google.com It fails.
>>
>> 3. curl.exe --proxy-anyauth --proxy-negotiate --proxy
>> 192.168.0.110:3128 --proxy-user user:pass www.google.com It
>> fails.
> I'm not too familiar with proxy servers from a curl prospective so someone
> else might be able to answer your query better than me, but I do know how
> the SMTP authentication works in curl so I have just delved into the
> http_proxy stuff out of curiosity and some of the following may be useful to
> you...
>
>> HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
>> authorization to fulfill the request. Access to the Web P roxy filter is
>> denied. )
>> Via: 1.1 NAS
>> Proxy-Authenticate: Negotiate
>> Proxy-Authenticate: Kerberos
>> Proxy-Authenticate: NTLM
> I believe this is where the problem lies...
>
> The server has told curl that it supports GSS Negotiate, Kerberos and NTLM
> in that order so curl with CURLAUTH_ANY set has tried to authenticate with
> GSS first as that was first in the list. This is then failing because, and
> I'm guessing here, your customer has a problem authenticating with GSS - as
> indicated by test #3 also failing.
>
> I would try and get the customer to fix up GSS - If they don't want to
> support GSS can they turn it off so that the server only advertises NTLM for
> example?
>
> If they can't turn it off in ISA Server or don't want to, does your
> application have a configuration file (or registry setting if it is Windows
> based) where you could specify the preferred authentication mechanism as
> NTLM?
>
> I hope this helps a little
>
> Kind Regards
>
> Steve
>
>
>
>
>
>
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-03-30