Re: Problem with NTLM proxy authentication

From: Ulrich Telle
Date: Thu, 11 Sep 2014 21:45:42 +0200

> > One difference I see in the source code of the SSPI authentication
> > module of FireFox is that SSPI function InitializeSecurityContext is
> > called without any of the flags libcurl is using:
> I wonder whether we are being "too strict" in some respects. The libcurl
> NTLM SSPI code (as far as I can remember) has been like that for years.
> Have you tried and if not can you try removing some or even all of
> those flags and passing 0 in your version of libcurl?

I created a libcurl version in which I replaced the combination of flags


by simply 0 (zero) (which is equivalent to ISC_REQ_CONNECTION according to the documentation of InitializeSecurityContext).

I tested this new version within my own company: it (still) worked. So it seems the flags are not required for normal operation.

Then, this morning I asked one user in the Far East and one user in Germany to perform a test. For both, the test succeeded. That is, removing the flags seems to have done the trick.

I have no explanation why the flags seem to have had such a negative effect for some of the users.

However, after googling again for some time I found this URL

regarding ISC_REQ_CONFIDENTIALITY, stating that it has no effect for HTTP;

and this URL

where someone experienced the same problem with the error code SEC_E_INVALID_TOKEN from InitializeSecurityContext. In this thread Shane Kearns added a comment - 27/Jun/12 12:50 PM stating:

"ISC_REQ_CONFIDENTIALITY seems to be the one causing a problem. However I don't think we need replay detection either - the proxy is authenticating us rather than the other way around.  ..."

My conclusion is that it seems to be better to remove the flags.


Received on 2014-09-11