RE: Problem with NTLM proxy authentication
Date: Thu, 11 Sep 2014 21:48:05 +0100
On Thu, 11 Sep 2014, Ulrich Telle wrote:
> > I wonder whether we are being "too strict" in some respects. The libcurl
> > NTLM SSPI code (as far as I can remember) has been like that for years.
> > Have you tried and if not can you try removing some or even all of
> > those flags and passing 0 in your version of libcurl?
> I created a libcurl version in which I replaced the combination of flags
> ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONNECTION
> by simply 0 (zero) (which is equivalent to ISC_REQ_CONNECTION according
> to the documentation of InitializeSecurityContext).
> I tested this new version within my own comapany: it (still) worked. So it
> the flags are not required for normal operation.
> Then, this morning I asked one user in Far East and one user in Germany to
> perform a test. For both the test succeeded. That is, removing the flags
> have done the trick.
Whilst I have some experience in this area I'm not a security expert - I'm
still learning in some respects ;-)
What I did find from my own testing of the Kerberos 5 support I recently
added for the email protocols was that these flags served no purpose, if
you're not encrptying the data, so if you look at the new code in
curl_sasl_sspi.c I simply pass zero - unless the mutual authentication flag
is set in which case I pass in ISC_REQ_MUTUAL_AUTH (which we don't use in
the NTLM code).
> I have no explanation why the flags seem to have had such a negative
> some of the users.
> However, after googling again for some time I found this url
> and this url
> My conclusion is that it seems to be better to remove the flags.
I'm all for removing them if it means we work out of the box with more proxy
Do you think it is worth passing a flag into those functions and setting the
ISC_REQ_ flags if that flag is set - for the email protocols for example or
However, I have just tested this against and Exchange 2013 server with both
single sign on and a specific user account (both with and without the
domain) and all three tests succeeded with the ISQ_REQ_ flags as zero.
Are you up to providing a patch - I can do it but it is your find so I would
rather you are credited for the work ;-)
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2014-09-11