curl-library

RE: Problem with NTLM proxy authentication

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Fri, 29 Aug 2014 20:56:14 +0100

On Fri, 29 Aug 2014, Ulrich Telle wrote:

> For my application I use libcurl 7.37.1 on Windows, compiled with VC++ 2010, with
> WINDOWS_SSPI enabled.

Just out of interest, have you tried a non-SSPI build? The NTLM messages would then be created and read by native libcurl code rather than the NTLM SSP. The native routines aren't as advanced as Microsoft's but it would be interesting to see if you have similar results.

> Below I copied in the relevant parts of the log on my own computer and of the log
> on the computer of the other user.

What return code do you get back from libcurl?

> Any pointer what might be going wrong on the computer of the other user would be
> very much appreciated.

The reason I ask is, from the log at least, it looks like the decoding of the NTLM type-2 message and creation of the NTLM type-3 message fails. I would be very intrigued to know if that is the case or not.

Basically the following happens:

1) Your Proxy Server is advertising that it supports both NTLM and Basic authentication.
2) Libcurl chooses NTLM as it is more secure than Basic - unless you tell libcurl differently.
3) Libcurl will then send a Proxy-Authorization containing the chosen mechanism and NTLM type-1 message which has been created by the Windows SSPI functions and Base-64 encoded by libcurl.
4) The Proxy Server receives that, decodes it, processes it and responds with another 407 containing an NTLM type-2 message if all is good.
5) Libcurl receives the 407, decodes the Base-64 encoded message and passes it to the SSPI functions to process and generate an NTLM type-3 message.
6) Libcurl then encodes the type-3 and sends it to the server in another request via the Proxy-Authorization header.

My guess is something is going wrong in either step 5 or 6 as the type-3 is not being sent.

Additionally, I see you are not passing any user credentials and as such you are relying on libcurl / SSPI using the currently logged on user, as the log contains, Text: Proxy auth using NTLM with user ''.

Is that the case?
If so, are you able to pass different user credentials to libcurl to use? For example, use the same user account that machine B is using on your machine and vice-versa.
What are the differences in those users? For example, are they using the same domain?

Also note that if you try a non-SSPI build of libcurl you will need to specify the user credentials.

Kind Regards

Steve

Received on 2014-08-29
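
Added example, not part of the original mail and not libcurl code: a small Python checker that reads proxy authentication header lines from a verbose log, Base64-decodes each NTLM blob, and reports which step of the handshake listed in the message above was last reached. The log line layout (`<` / `>` prefixes), the function names and the sample messages are assumptions constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this 8-byte tag

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for an 'NTLM <base64>' header value, else None."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        return None  # a bare "NTLM" is only the proxy advertising the scheme
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None  # not valid Base64
    if len(raw) < 12 or not raw.startswith(SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in (1, 2, 3) else None

def trace_handshake(log_lines):
    """Collect the NTLM message types seen in proxy auth headers, in order."""
    seen = []
    for line in log_lines:
        name, _, value = line.lstrip("<> ").partition(":")
        if name.strip().lower() in ("proxy-authorization", "proxy-authenticate"):
            msg_type = ntlm_message_type(value)
            if msg_type:
                seen.append(msg_type)
    return seen

def diagnose(seen):
    """Map the observed sequence onto the numbered steps in the mail."""
    if seen[:3] == [1, 2, 3]:
        return "handshake complete"
    if seen[:2] == [1, 2]:
        return "type-2 received, type-3 never sent (step 5 or 6)"
    if seen[:1] == [1]:
        return "type-1 sent, no type-2 from proxy (step 4)"
    return "no NTLM type-1 sent (step 3)"

def _b64(msg_type, body=b""):  # constructed sample message, not a real capture
    return base64.b64encode(SIGNATURE + struct.pack("<I", msg_type) + body).decode()

SAMPLE_LOG = [  # constructed header lines, assumed verbose-log layout
    "< Proxy-Authenticate: NTLM",
    "< Proxy-Authenticate: Basic realm=\"proxy\"",
    "> Proxy-Authorization: NTLM " + _b64(1, b"\x00" * 20),
    "< Proxy-Authenticate: NTLM " + _b64(2, b"\x00" * 36),
]
```

Running `diagnose(trace_handshake(SAMPLE_LOG))` on the constructed sample reports that the type-2 arrived but no type-3 followed, which is the situation guessed at in the message above.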