curl-library
Re: Problem with NTLM proxy authentication
Date: Mon, 01 Sep 2014 12:45:40 +0200
Steve,
> Just out of interest have you tried a non-SSPI build?
In the meantime I generated a non-SSPI version of my application and one
user tested it, again without success.
> What return code do you get back from libcurl?
The return code is always CURLE_OK, that is, no error. However, the HTTP
response code keeps being 407.
> The reason I ask is, from the log at least, it looks like the decoding
> of the NTLM type-2 message and creation of the NTLM type-3 message
> fails. I would be very intrigued to know if that is the case or not.
I see an additional informational message from libcurl, namely
Text: NTLM handshake rejected
Text: Authentication problem. Ignoring this.
(Complete log below).
> Basically the following happens:
>
> 1) Your Proxy Server is advertising that it supports both NTLM and Basic authentication.
> 2) Libcurl chooses NTLM as it is more secure than Basic - unless you tell libcurl differently.
> 3) Libcurl will then send a Proxy-Authorization containing the chosen mechanism and an NTLM type-1 message which has been created by the Windows SSPI functions and Base-64 encoded by libcurl.
> 4) The Proxy Server receives that, decodes it, processes it and responds with another 407 containing an NTLM type-2 message if all is good.
> 5) Libcurl receives the 407, decodes the Base-64 encoded message and passes it to the SSPI functions to process and generate an NTLM type-3 message.
> 6) Libcurl then encodes the type-3 and sends it to the server in another request via the Proxy-Authorization header.
>
> My guess is something is going wrong in either step 5 or 6 as the type-3 is not being sent.
It seems that the Proxy-Authorization header is sent. However, the proxy
server doesn't seem to accept it.
Regards,
Ulrich
>>> New log begin <<<
Text: Rebuilt URL to: http://xyz.com/
Text: Hostname was NOT found in DNS cache
Text: Trying 11.22.33.44...
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Header out: GET http://xyz.com/ HTTP/1.1
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive
Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2634
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="WebAD"
Text: Ignoring the response-body
Data in:
<!DOCTYPE html>
...
</html>
Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x29c3748
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Text: Proxy auth using NTLM with user 'ABCDE'
Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive
Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2634
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAAAAAAAAGgokAY/FHGP+4pKIAAAAAAAAAA
AAAAAAAAAAA
Text: Ignoring the response-body
Data in:
<!DOCTYPE html>
...
</html>
Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x29c3748
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Text: Proxy auth using NTLM with user 'ABCDE'
Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAABQ
AFAHAAAAAGAAYAdQAAAAAAAAAAAAAABoKJACjrUgzovGvZAAAAAAA
AAAAAAAAAAAAAAH8aPq9LDPKDglDlt4O+6kw69fgaLSTJNkxYSlFVU0cx
NVlS
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive
Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2639
Header in: Proxy-Connection: Keep-Alive
Text: NTLM handshake rejected
Text: Authentication problem. Ignoring this.
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="WebAD"
Data in:
<!DOCTYPE html>
...
</html>
Text: Connection #0 to host 11.22.33.44 left intact
- cURL Msg short: No error
- cURL Msg detail:
>>> New log end <<<
--
E-Mail privat: Ulrich.Telle_at_gmx.de
World Wide Web: http://www.telle-online.de
Received on 2014-09-01
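The log above contains all three NTLM messages of the handshake Steve describes (type-1 at step 3, type-2 at step 4, type-3 at step 6), so the question "did step 5/6 produce a sane type-3, and what did the proxy actually send in step 4?" can be answered by decoding the blobs rather than guessing. The following is an added example, not code from the curl project or from either poster: it transcribes the three Base64 strings from the log (the mail client wrapped them; the assumption is that the wrapped pieces join without a lost or added character, which for the type-2 blob gives the standard 48-byte message), lays out the fields per MS-NLMP, and lists the things a defender would check when such a handshake ends in a third 407.

```python
"""Decode the Base64 NTLMSSP messages that libcurl printed in a verbose log.

Added example (not curl code). Field layout per MS-NLMP. The three strings
below are the blobs from the log above with the e-mail line wrapping removed;
they are written in groups of four characters only for readability.
"""
import base64
import struct

# Negotiate flags (MS-NLMP 2.2.2.5); only the bits that occur in these messages.
FLAG_NAMES = {
    0x00000001: "UNICODE",
    0x00000002: "OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO",
    0x02000000: "VERSION",
}

TYPE1_B64 = "TlRM TVNT UAAB AAAA BoII AAAA AAAA AAAA AAAA AAAA AAA=".replace(" ", "")
TYPE2_B64 = ("TlRM TVNT UAAC AAAA AAAA AAAA AAAG gokA Y/FH GP+4 pKIA "
             "AAAA AAAA AAAA AAAA AAAA").replace(" ", "")
TYPE3_B64 = ("TlRM TVNT UAAD AAAA GAAY AEAA AAAY ABgA WAAA AAAA AABw AAAA "
             "BQAF AHAA AAAG AAYA dQAA AAAA AAAA AAAA BoKJ ACjr Ugzo vGvZ "
             "AAAA AAAA AAAA AAAA AAAA AH8a Pq9L DPKD glDl t4O+ 6kw6 9fga "
             "LSTJ NkxY SlFV U0cx NVlS").replace(" ", "")


def take(buf, pos):
    """Read a buffer descriptor (Len, MaxLen, Offset) at pos and return
    (payload, length, offset); refuse descriptors pointing outside the message."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, pos)
    if offset + length > len(buf):
        raise ValueError("descriptor at %d points outside the %d-byte message" % (pos, len(buf)))
    return buf[offset:offset + length], length, offset


def flag_names(flags):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def parse_ntlm(b64):
    """Decode one Base64 NTLMSSP message into a dict of its fields."""
    raw = base64.b64decode(b64)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    msg = {"type": struct.unpack_from("<I", raw, 8)[0], "size": len(raw)}
    if msg["type"] == 1:                      # NEGOTIATE: flags, domain, workstation
        msg["flags"] = struct.unpack_from("<I", raw, 12)[0]
        msg["domain"] = take(raw, 16)[0]
        msg["workstation"] = take(raw, 24)[0]
    elif msg["type"] == 2:                    # CHALLENGE: target name, flags, nonce, target info
        msg["target_name"] = take(raw, 12)[0]
        msg["flags"] = struct.unpack_from("<I", raw, 20)[0]
        msg["challenge"] = raw[24:32]
        msg["target_info"] = take(raw, 40)[0]
    elif msg["type"] == 3:                    # AUTHENTICATE: five payload buffers, then flags
        for name, pos in (("lm_response", 12), ("nt_response", 20), ("domain", 28),
                          ("user", 36), ("workstation", 44)):
            msg[name], length, offset = take(raw, pos)
            msg[name + "_at"] = (length, offset)
        msg["flags"] = struct.unpack_from("<I", raw, 60)[0]
    else:
        raise ValueError("unknown message type %d" % msg["type"])
    msg["flag_names"] = flag_names(msg["flags"])
    return msg


def as_text(data, flags):
    """Strings are UTF-16LE only when UNICODE was negotiated, otherwise OEM (8-bit)."""
    return data.decode("utf-16-le" if flags & 0x1 else "latin-1")


def audit(t1, t2, t3):
    """Return (code, explanation) pairs worth checking in a handshake that still ends in 407."""
    findings = []
    if t2["flags"] & 0x00800000 and not t2["target_info"]:
        findings.append(("TARGET_INFO_EMPTY", "type-2 sets TARGET_INFO but the TargetInfo buffer is empty"))
    if t1["flags"] & 0x4 and not t2["target_name"]:
        findings.append(("TARGET_NAME_EMPTY", "client set REQUEST_TARGET, proxy returned no TargetName"))
    if t3["flags"] != t2["flags"]:
        findings.append(("FLAG_MISMATCH", "type-3 flags differ from the type-2 flags"))
    if not t3["flags"] & 0x1:
        findings.append(("OEM_STRINGS", "UNICODE not negotiated: user and workstation are OEM strings"))
    lm, nt = t3["lm_response"], t3["nt_response"]
    if t3["flags"] & 0x00080000 and len(lm) == 24 and lm[8:] == bytes(16) and len(nt) == 24:
        findings.append(("NTLMV1_FAMILY", "8-byte client nonce plus zeros in the LM field and a 24-byte "
                         "NT response: NTLM2 session response, i.e. NTLMv1-class, not NTLMv2"))
    findings.append(("CLEARTEXT_NAMES", "user (%d bytes) and workstation (%d bytes) are sent in clear"
                     % (len(t3["user"]), len(t3["workstation"]))))
    return findings


if __name__ == "__main__":
    t1, t2, t3 = (parse_ntlm(b) for b in (TYPE1_B64, TYPE2_B64, TYPE3_B64))
    for m in (t1, t2, t3):
        print("type %d, %3d bytes, flags 0x%08x: %s" % (m["type"], m["size"], m["flags"], " ".join(m["flag_names"])))
    print("server challenge:", t2["challenge"].hex())
    for key in ("lm_response_at", "nt_response_at", "domain_at", "user_at", "workstation_at"):
        print("%-12s len=%2d offset=%3d" % (key[:-3], *t3[key]))
    for code, why in audit(t1, t2, t3):
        print("%-18s %s" % (code, why))
```

Run as-is it shows that the type-3 is structurally sound (five descriptors with consistent lengths and offsets, 123 bytes in total, flags echoing the proxy's 0x00898206), so the client side of steps 5 and 6 did produce a complete message; what stands out instead is the proxy's type-2, which advertises TARGET_INFO and a domain target type yet carries an empty TargetName and TargetInfo. Two caveats for anyone pasting such a log into a public list: the 24-byte responses mark this as NTLMv1-class authentication, and the user and workstation names sit unencrypted inside the type-3 blob, so redacting the "Proxy auth using NTLM with user ..." line alone does not redact them.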