

Re: Problem with NTLM proxy authentication

From: Ulrich Telle <>
Date: Fri, 12 Sep 2014 12:30:21 +0200


> > [...] That is, removing the flags seems to have done the trick.
> Whilst I have some experience in this area I'm not a security expert - I'm
> still learning in some respects ;-)
> What I did find from my own testing of the Kerberos 5 support I recently
> added for the email protocols was that these flags served no purpose, if
> you're not encrypting the data, so if you look at the new code in
> curl_sasl_sspi.c I simply pass zero - unless the mutual authentication flag
> is set in which case I pass in ISC_REQ_MUTUAL_AUTH (which we don't use in
> the NTLM code).
> > I have no explanation why the flags seem to have had such a negative
> > effect for some of the users.
> >
> > However, after googling again for some time I found this url
> >
> > and this url
> Interesting finds.
> > My conclusion is that it seems to be better to remove the flags.
> I'm all for removing them if it means we work out of the box with more
> proxy servers.
> Do you think it is worth passing a flag into those functions and
> setting the ISC_REQ_ flags if that flag is set - for the email
> protocols for example or not?

For the calls in curl_ntlm_msgs.c I probably wouldn't do that. However, I'm
no Windows SSPI expert.

> However, I have just tested this against an Exchange 2013 server with
> both single sign on and a specific user account (both with and without
> the domain) and all three tests succeeded with the ISC_REQ_ flags as
> zero.
> Are you up to providing a patch - I can do it but it is your find so I
> would rather you are credited for the work ;-)

I just submitted a patch to the curl-library list. :-)

Thanks again for bearing with me throughout the process to analyze and to
finally fix the problem!



Received on 2014-09-12