Re: Problem with NTLM proxy authentication

From: Ulrich Telle <Ulrich.Telle_at_gmx.de>
Date: Sat, 30 Aug 2014 00:08:17 +0200

Steve,

thank you very much for your elaborate answer.

> > For my application I use libcurl 7.37.1 on Windows, compiled with
> > VC++ 2010, with WINDOWS_SSPI enabled.
>
> Just out of interest have you tried a non-SSPI build?

No. At least not yet. My reasoning for the decision to activate SSPI was that
SSPI supports authenticating a user using the credentials of the logged-in
user. The users of my application are usually not very computer-affine
people. So I try to make using the Internet-based functions as easy to use as
possible (i.e. detecting proxy settings and authenticating automatically, if
possible). However, since I compile libcurl already including the OpenSSL
library due to the requirement to support HTTPS, it should not be difficult to
switch to a non-SSPI build, at least for testing purposes.

At first, my application supported just basic proxy authentication. This worked
for the affected users for almost 2 years, but stopped working several weeks
ago, probably due to changes in the proxy configuration. Unfortunately I don't
have direct access to this proxy server, so testing always requires asking
one of the affected users to perform the tests.

> The NTLM messages would then be created and read by native libcurl code
> rather than the NTLM SSP. The native routines aren't as advanced as
> Microsoft's but it would be interesting to see if you have similar
> results.

I will create a non-SSPI libcurl version of my application, so that I can test
what results I get then.

> > Below I copied in the relevant parts of the log on my own computer
> > and of the log on the computer of the other user.
>
> What return code do you get back from libcurl?

Good question. Currently my code only checks the HTTP response code
(which is 407). I have to add code to see the libcurl return code.

> > Any pointer what might be going wrong on the computer of the other
> > user would be very much appreciated.
>
> The reason I ask is, from the log at least, it looks like the decoding
> of the NTLM type-2 message and creation of the NTLM type-3 message
> fails. I would be very intrigued to know if that is the case or not.

I will check that.

> Basically the following happens:
>
> 1) Your Proxy Server is advertising that it supports both NTLM and
> Basic authentication.

Over the last 2 years basic authentication worked for the affected users, but
stopped working recently. I switched to setting option
CURLOPT_PROXYAUTH to CURLAUTH_ANY for libcurl, because I
hoped/assumed that maybe NTLM might work for the affected users.

> 2) Libcurl chooses NTLM as it is more secure than Basic - unless you
> tell libcurl differently.

Since the default for CURLOPT_PROXYAUTH is CURLAUTH_BASIC,
libcurl didn't choose NTLM until I explicitly set CURLAUTH_ANY.

> 3) Libcurl will then send a Proxy-Authorization containing the chosen
> mechanism and NTLM type-1 message which has been created by the
> Windows SSPI functions and Base-64 encoded by libcurl
>
> 4) The Proxy Server receives that, decodes it, processes it and
> responds with another 407 containing a NTLM type-2 message if all is
> good.
>
> 5) Libcurl receives the 407, decodes the Base-64 encoded message and
> passes it to the SSPI functions to process and generate a NTLM type-3
> message.
>
> 6) Libcurl then encodes the type-3 and sends it to the server in
> another request via the Proxy-Authorization header.
>
> My guess is something is going wrong in either step 5 or 6 as the
> type-3 is not being sent.

I will try to track whether your guess is right by using a non-SSPI build of
libcurl.

> Additionally, I see you are not passing any user credentials and as
> such you are relying on libcurl / SSPI using the currently logged on
> user, as the log contains, Text: Proxy auth using NTLM with user ''.
>
> Is that the case?

Yes (as explained above).

> If so are you able to pass different user credentials to libcurl to
> use?

Yes. The users can specify user id and password in the application's
settings. And if they are specified, they are passed to libcurl. However, the
affected user claims that it didn't help to specify his credentials in the
settings: proxy authentication still failed.

> For example use the same user account that machine B is using on
> your machine and vice-versa. What are the differences in those users?

Well, the affected users work in a different company, so I can't check one of
their accounts on my machine. However, the proxy servers are maintained
by the same third party company. And that's why I'm so puzzled that NTLM
authentication works for me, but not for them.

> For example are they using the same domain?

No.

> Also note that if you try a non-SSPI build of libcurl you will need to
> specify the user credentials.

At least for testing this will not be a problem.

Again, thank you very much. This gives me ideas how to get more
information of what is going on.

I'll get back to this thread when I have performed tests. I'm going to visit one of
the affected users next Wednesday, so that I can perform tests myself. I'll
prepare a better test version of my application and hopefully I will be a bit
wiser thereafter.

Regards,

Ulrich

-- 
E-Mail privat:  Ulrich.Telle_at_gmx.de
World Wide Web: http://www.telle-online.de
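An added example, not libcurl's code and not part of this thread: a small checker for the NTLM type-2 (challenge) message that the proxy returns in step 4 of the flow quoted above, useful for confirming from a verbose log whether the challenge is well formed before blaming the type-3 step. It assumes the caller has already Base64-decoded the value from the Proxy-Authenticate header; the sample message is constructed, not captured from any real proxy.

```c
#include <stdint.h>
#include <string.h>

/* Decoded fields of an NTLM type-2 (CHALLENGE) message, per MS-NLMP. */
typedef struct {
    uint32_t type;            /* message type, must be 2 */
    uint32_t flags;           /* NegotiateFlags chosen by the proxy */
    uint16_t target_len;      /* TargetName length in bytes */
    uint32_t target_offset;   /* TargetName offset from message start */
    uint8_t  challenge[8];    /* 8-byte server challenge */
} ntlm_type2_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses an already Base64-decoded type-2 blob. Returns 0 on success or a
 * negative code naming the defect: -1 truncated header, -2 bad signature,
 * -3 not a type-2 message, -4 TargetName points outside the buffer. */
int ntlm_parse_type2(const uint8_t *buf, size_t len, ntlm_type2_t *out)
{
    if (len < 32) return -1;                        /* fixed part is 32 bytes */
    if (memcmp(buf, "NTLMSSP", 8) != 0) return -2;  /* "NTLMSSP\0" signature */
    out->type = rd32(buf + 8);
    if (out->type != 2) return -3;
    out->target_len = rd16(buf + 12);               /* bytes 14-15 (MaxLen) ignored */
    out->target_offset = rd32(buf + 16);
    out->flags = rd32(buf + 20);
    memcpy(out->challenge, buf + 24, 8);
    if ((size_t)out->target_offset + out->target_len > len) return -4;
    return 0;
}

/* Copies TargetName into out as narrow chars (UTF-16LE units are reduced to
 * their low byte when the Unicode flag 0x1 is set). Returns chars written. */
size_t ntlm_target_name(const uint8_t *buf, const ntlm_type2_t *t, char *out, size_t outlen)
{
    const uint8_t *p = buf + t->target_offset;
    size_t step = (t->flags & 0x1) ? 2 : 1, n = 0;
    if (outlen == 0) return 0;
    for (size_t i = 0; i < t->target_len && n + 1 < outlen; i += step)
        out[n++] = (char)p[i];
    out[n] = '\0';
    return n;
}

/* Constructed sample (not from a real proxy): flags 0x201 = UNICODE | NTLM, TargetName "PROXY" at offset 32. */
const uint8_t sample_type2[] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,  10,0, 10,0,  32,0,0,0,  0x01,0x02,0,0,
    0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,  'P',0,'R',0,'O',0,'X',0,'Y',0 };
```

A challenge that fails any of these checks explains a missing type-3 without involving the credentials at all; one that passes shifts suspicion to the SSPI call in step 5.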



Received on 2014-08-30