curl-library

Re: Question: authentication fallback from kerb to ntlm

From: Koren Shoval <koren99_at_gmail.com>
Date: Tue, 30 Sep 2014 21:36:03 +0300

Hi Steve,

thanks for the answer.

I've taken 7.38 and compiled,

curl 7.38.0 (i386-pc-win32) libcurl/7.38.0 OpenSSL/1.0.0k zlib/1.2.7.3 WinIDN libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN Largefile SSPI SPNEGO NTLM SSL libz

I've used the "CURLAUTH_NEGOTIATE" value instead of CURLAUTH_GSSNEGOTIATE | CURLAUTH_NTLM

but still no go....

I guess I agree that, if anything, it's an issue with SPNEGO, but do you have any
other suggestions?

Thanks,
Ren

TRACE OUTPUT:

2014-09-30 21:25:04.447 === [DEBUG] [URL]: 'http://somehostnm:8080/demo/services/hello'
2014-09-30 21:25:04.449 === [DEBUG] [COMMAND]: '"world"'
2014-09-30 21:25:04.450 === [DEBUG] [DEBUG]: 'true'
2014-09-30 21:25:04.450 === [DEBUG] Running Command...
2014-09-30 21:25:04.456 === [DEBUG] [CURL]: setting option CURLOPT_GSSAPI_DELEGATION: 2
2014-09-30 21:25:04.457 === [DEBUG] [CURL]: setting option CURLOPT_VERBOSE: 1
2014-09-30 21:25:04.457 === [DEBUG] [CURL]: setting option CURLOPT_HTTP_VERSION: 2
2014-09-30 21:25:04.458 === [DEBUG] [CURL]: setting option CURLOPT_URL: http://somehostnm:8080/demo/services/hello
2014-09-30 21:25:04.458 === [DEBUG] [CURL]: setting option CURLOPT_NOPROXY: *
2014-09-30 21:25:04.458 === [DEBUG] [CURL]: setting option CURLOPT_USERPWD: :
2014-09-30 21:25:04.458 === [DEBUG] [CURL]: setting option CURLOPT_TIMEOUT: 0
2014-09-30 21:25:04.459 === [DEBUG] [CURL]: setting option CURLOPT_CONNECTTIMEOUT: 30
2014-09-30 21:25:04.459 === [DEBUG] [CURL]: setting option CURLOPT_HEADER: 0
2014-09-30 21:25:04.459 === [DEBUG] [CURL]: setting option CURLOPT_SSL_VERIFYPEER: 0
2014-09-30 21:25:04.459 === [DEBUG] [CURL]: setting option CURLOPT_SSL_VERIFYHOST: 0
2014-09-30 21:25:04.460 === [DEBUG] [CURL]: setting option CURLOPT_FOLLOWLOCATION: 1
2014-09-30 21:25:04.460 === [DEBUG] [CURL]: setting option CURLOPT_UNRESTRICTED_AUTH: 1
2014-09-30 21:25:04.460 === [DEBUG] [CURL]: setting option CURLOPT_MAXREDIRS: -1
2014-09-30 21:25:04.461 === [DEBUG] [CURL]: setting option CURLOPT_USERAGENT: libcurl-demo-agent/1.0
2014-09-30 21:25:04.461 === [DEBUG] [CURL]: setting option CURLOPT_HTTPAUTH: 4
2014-09-30 21:25:04.461 === [DEBUG] [CURL]: text: Hostname was NOT found in DNS cache
2014-09-30 21:25:04.476 === [DEBUG] [CURL]: text: Trying 10.184.153.26...
2014-09-30 21:25:04.981 === [DEBUG] [CURL]: text: Connected to somehostnm (10.184.153.26) port 8080 (#0)
2014-09-30 21:25:05.244 === [DEBUG] [CURL]: => send header: POST /demo/services/hello HTTP/1.1
User-Agent: libcurl-demo-agent/1.0
Host: somehostnm:8080
Accept: */*
Content-Length: 328
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------965b2bb4c069a715

2014-09-30 21:25:05.349 === [DEBUG] [CURL]: <= recv header: HTTP/1.1 401 Unauthorized
2014-09-30 21:25:05.349 === [DEBUG] [CURL]: <= recv header: Content-Length: 0
2014-09-30 21:25:05.350 === [DEBUG] [CURL]: text: Server Microsoft-HTTPAPI/2.0 is not blacklisted
2014-09-30 21:25:05.350 === [DEBUG] [CURL]: <= recv header: Server: Microsoft-HTTPAPI/2.0
2014-09-30 21:25:05.352 === [DEBUG] [CURL]: <= recv header: WWW-Authenticate: Negotiate
2014-09-30 21:25:05.352 === [DEBUG] [CURL]: <= recv header: WWW-Authenticate: NTLM
2014-09-30 21:25:05.353 === [DEBUG] [CURL]: <= recv header: Date: Tue, 30 Sep 2014 18:25:04 GMT
2014-09-30 21:25:05.353 === [DEBUG] [CURL]: text: Closing connection 0
2014-09-30 21:25:05.353 === [DEBUG] [CURL]: text: Issue another request to this URL: 'http://somehostnm:8080/demo/services/hello'
2014-09-30 21:25:05.354 === [DEBUG] [CURL]: text: Hostname was found in DNS cache
2014-09-30 21:25:05.354 === [DEBUG] [CURL]: text: Trying 10.184.153.26...
2014-09-30 21:25:05.592 === [DEBUG] [CURL]: text: Connected to somehostnm (10.184.153.26) port 8080 (#1)
2014-09-30 21:25:05.593 === [DEBUG] [CURL]: text: Server auth using Negotiate with user ''
2014-09-30 21:25:05.595 === [DEBUG] [CURL]: => send header: POST /demo/services/hello HTTP/1.1
Authorization: Negotiate YIIQ5gYGKwYBBQUCoIIQ2jCCENagMDAuBgkqhkiC9xIBAgIGC....3jvLCBgDi0OP9zC+pMqo7nQOFmrpPSw==
User-Agent: libcurl-demo-agent/1.0
Host: somehostnm:8080
Accept: */*
Content-Length: 328
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------c7aff045fd55c792

2014-09-30 21:25:05.907 === [DEBUG] [CURL]: <= recv header: HTTP/1.1 401 Unauthorized
2014-09-30 21:25:05.908 === [DEBUG] [CURL]: text: Server Microsoft-HTTPAPI/2.0 is not blacklisted
2014-09-30 21:25:06.213 === [DEBUG] [CURL]: text: Closing connection 1
2014-09-30 21:25:06.213 === [DEBUG] [CURL]: text: Issue another request to this URL: 'http://somehostnm:8080/demo/services/hello'
2014-09-30 21:25:06.214 === [DEBUG] [CURL]: text: Hostname was found in DNS cache
2014-09-30 21:25:06.214 === [DEBUG] [CURL]: text: Trying 10.184.153.26...
2014-09-30 21:25:06.443 === [DEBUG] [CURL]: text: Connected to somehostnm (10.184.153.26) port 8080 (#2)
2014-09-30 21:25:06.444 === [DEBUG] [CURL]: text: Server auth using Negotiate with user ''
2014-09-30 21:25:06.444 === [DEBUG] [CURL]: => send header: POST /demo/services/hello HTTP/1.1
Authorization: Negotiate oYIQrTCCEKmgAwoBAaKCEKAEghCcYIIQmA....+HlNOiVKr5sPxEfrFDHFQpxnE5AL5PusBYkrHrlDw==
User-Agent: libcurl-demo-agent/1.0
Host: somehostnm:8080
Accept: */*
Content-Length: 328
Expect: 100-continue
Content-Type: multipart/form-data; boundary=------------------------96a8508822e85384

2014-09-30 21:25:06.703 === [DEBUG] [CURL]: <= recv header: HTTP/1.1 400 Bad Request
2014-09-30 21:25:06.704 === [DEBUG] [CURL]: text: Server Microsoft-HTTPAPI/2.0 is not blacklisted
2014-09-30 21:25:06.704 === [DEBUG] [CURL]: text: HTTP error before end of send, stop sending
2014-09-30 21:25:06.704 === [DEBUG] [CURL]: text: Closing connection 2
2014-09-30 21:25:06.705 === [ERROR] bad request

On Sat, Sep 27, 2014 at 10:52 PM, Steve Holme <steve_holme_at_hotmail.com>
wrote:

> On Sat 27 Sep 2014, Koren Shoval wrote:
>
> > I'm attempting to use libcurl to connect to a web server that supports
> > both, but some clients can't do kerberos.
>
> When you say some clients can't do Kerberos what do you mean and what
> limitation do you have that is preventing this being used? Is it a
> limitation that means libcurl can't or shouldn't use Kerberos?
>
> > I'm setting CURLOPT_HTTPAUTH to CURLAUTH_GSSNEGOTIATE |
> > CURLAUTH_NTLM
>
> a) What version of libcurl are you using? From the output it looks like a
> version prior to 7.38.0 - if this is the case you might want to ignore my
> questions before and including this section and jump to my comments about
> upgrading ;-)
> b) What platform are you using? Windows, Linux, etc...
> c) If you are using Windows are you using a version of libcurl that was
> compiled against Windows SSPI or one that was compiled with a GSS-API
> library (such as MIT Kerberos or Heimdal)?
>
> > Should libcurl fallback to NTLM?
>
> No...
>
> Unfortunately I'm not one of our HTTP experts so I could be wrong here but
> I'll try and answer the question with my curl authentication hat on and
> some limited HTTP knowledge ;-)
>
> My understanding is that the Negotiate (SPNEGO) authentication mechanism
> will try to perform Kerberos and then fall back to NTLM as part of its
> communication with the server if Kerberos fails. As such you will only see
> "WWW-Authorization: Negotiate" and "WWW-Authenticate: Negotiate" headers
> from the client and server respectively rather than a combination of the
> previous and "WWW-Authorization: NTLM" and "WWW-Authenticate: NTLM".
>
> As such libcurl doesn't need to do the fall back, per se, as the SPNEGO
> communication will handle it for us ;-)
>
> > Am I doing something else wrong?
>
> We fixed a number of issues in 7.38.0 relating to Negotiate with the main
> ones being:
>
> * We weren't using the correct SPNEGO OID when compiled with a GSS-API
> library
> * The fall back to NTLM wasn't performed if Kerberos failed
> * Deprecated CURLAUTH_GSSNEGOTIATE and introduced CURLAUTH_NEGOTIATE
>
> As such, I would recommend you:
>
> * Upgrade to 7.38.0
> * Use CURLAUTH_NEGOTIATE instead of CURLAUTH_GSSNEGOTIATE | CURLAUTH_NTLM
>
> Kind Regards
>
> Steve
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-30
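Steve's reply explains that with CURLAUTH_NEGOTIATE the Kerberos-or-NTLM choice happens inside the SPNEGO tokens rather than through separate NTLM headers, and Ren's trace shows what that looks like on the wire: CURLOPT_HTTPAUTH set to 4, one Negotiate token per round, and a 400 instead of a further challenge on the third round. The Python below is an added diagnostic, not code from this thread or from libcurl. It walks trace lines in the format the post shows (wrapped lines rejoined), decodes the CURLOPT_HTTPAUTH bitmask using the CURLAUTH_* bit values from curl/curl.h, classifies the head of each base64 Negotiate token as a NegTokenInit or a NegTokenResp (with its negState), and prints one row per request/response round. The embedded sample trace is constructed from the post's trace with non-authentication lines dropped; the truncated tokens are enough because only the DER head is inspected.

```python
"""Summarise the authentication rounds in a libcurl verbose trace.

Added example, not code from this thread or from libcurl.  Parses trace lines
in the format the post shows, decodes the CURLOPT_HTTPAUTH bitmask, classifies
the head of each Negotiate token and reports one row per round.
"""
import base64
import re

# CURLAUTH_* bit values from curl/curl.h (CURLAUTH_GSSNEGOTIATE is the old
# name for the same bit that CURLAUTH_NEGOTIATE uses).
CURLAUTH_BITS = {1: "BASIC", 2: "DIGEST", 4: "NEGOTIATE", 8: "NTLM",
                 16: "DIGEST_IE", 32: "NTLM_WB"}
SPNEGO_OID = bytes.fromhex("2b0601050502")        # DER body of OID 1.3.6.1.5.5.2
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete",
             2: "reject", 3: "request-mic"}
CURL_LINE = re.compile(r"=== \[DEBUG\] \[CURL\]: (.*)$")
B64_RUN = re.compile(r"[A-Za-z0-9+/]*")

# Constructed sample: the post's trace with wrapped lines rejoined and lines
# that do not affect authentication dropped.
SAMPLE_TRACE = """\
2014-09-30 21:25:04.461 === [DEBUG] [CURL]: setting option CURLOPT_HTTPAUTH: 4
2014-09-30 21:25:05.244 === [DEBUG] [CURL]: => send header: POST /demo/services/hello HTTP/1.1
Host: somehostnm:8080
2014-09-30 21:25:05.349 === [DEBUG] [CURL]: <= recv header: HTTP/1.1 401 Unauthorized
2014-09-30 21:25:05.352 === [DEBUG] [CURL]: <= recv header: WWW-Authenticate: Negotiate
2014-09-30 21:25:05.352 === [DEBUG] [CURL]: <= recv header: WWW-Authenticate: NTLM
2014-09-30 21:25:05.595 === [DEBUG] [CURL]: => send header: POST /demo/services/hello HTTP/1.1
Authorization: Negotiate YIIQ5gYGKwYBBQUCoIIQ2jCCENagMDAuBgkqhkiC9xIBAgIGC....3jvLCBgDi0OP9zC+pMqo7nQOFmrpPSw==
2014-09-30 21:25:05.907 === [DEBUG] [CURL]: <= recv header: HTTP/1.1 401 Unauthorized
2014-09-30 21:25:06.444 === [DEBUG] [CURL]: => send header: POST /demo/services/hello HTTP/1.1
Authorization: Negotiate oYIQrTCCEKmgAwoBAaKCEKAEghCcYIIQmA....+HlNOiVKr5sPxEfrFDHFQpxnE5AL5PusBYkrHrlDw==
2014-09-30 21:25:06.703 === [DEBUG] [CURL]: <= recv header: HTTP/1.1 400 Bad Request
"""


def decode_httpauth(mask):
    """Return the CURLAUTH_* names set in a CURLOPT_HTTPAUTH value."""
    return [name for bit, name in CURLAUTH_BITS.items() if mask & bit] or ["NONE"]


def _after_length(buf, i):
    """Index just past the DER length field that starts at buf[i]."""
    return i + 1 + (buf[i] & 0x7F if buf[i] & 0x80 else 0)


def classify_spnego(token_b64):
    """Classify the head of a base64 SPNEGO token; a truncated token is fine."""
    head = B64_RUN.match(token_b64).group(0)
    raw = base64.b64decode(head[: len(head) - len(head) % 4])   # whole quads only
    if len(raw) < 2:
        return "unknown token"
    if raw[0] == 0x60:                                  # GSS-API InitialContextToken
        i = _after_length(raw, 1)
        if raw[i] == 0x06:                              # thisMech OID
            n = raw[i + 1]
            mech = "SPNEGO" if raw[i + 2:i + 2 + n] == SPNEGO_OID else "other mech"
            return f"NegTokenInit ({mech})" if raw[i + 2 + n] == 0xA0 else f"initial token ({mech})"
    if raw[0] == 0xA1:                                  # NegTokenResp [1]
        i = _after_length(raw, 1)
        if raw[i] == 0x30:                              # SEQUENCE { [0] negState ENUMERATED, ... }
            i = _after_length(raw, i + 1)
            if raw[i] == 0xA0 and raw[i + 2] == 0x0A:
                return "NegTokenResp negState=" + NEG_STATE.get(raw[i + 4], str(raw[i + 4]))
        return "NegTokenResp"
    return "unknown token"


def summarize(trace):
    """Return {'httpauth': [...], 'rounds': [...]} from libcurl trace text."""
    httpauth, rounds, current = None, [], None
    for line in trace.splitlines():
        m = CURL_LINE.search(line)
        if m:
            msg = m.group(1)
            if msg.startswith("setting option CURLOPT_HTTPAUTH: "):
                httpauth = decode_httpauth(int(msg.rsplit(": ", 1)[1]))
            elif msg.startswith("=> send header: "):
                current = {"request": msg[len("=> send header: "):], "scheme": None,
                           "token": None, "status": None, "challenges": []}
                rounds.append(current)
            elif msg.startswith("<= recv header: ") and current:
                hdr = msg[len("<= recv header: "):]
                if hdr.startswith("HTTP/"):
                    current["status"] = int(hdr.split()[1])
                elif hdr.lower().startswith("www-authenticate:"):
                    current["challenges"].append(hdr.split(":", 1)[1].split()[0])
        elif current and line.lower().startswith("authorization:"):
            parts = line.split(None, 2)                  # 'Authorization:', scheme, token
            if len(parts) >= 2:
                current["scheme"] = parts[1]
                current["token"] = (classify_spnego(parts[2])
                                    if parts[1] == "Negotiate" and len(parts) > 2 else parts[1])
    return {"httpauth": httpauth, "rounds": rounds}


def diagnose(summary):
    """Findings worth checking first when a Negotiate exchange does not complete."""
    findings = []
    for n, r in enumerate(summary["rounds"], 1):
        if r["status"] == 401 and not r["challenges"]:
            findings.append(f"round {n}: 401 without any WWW-Authenticate challenge")
        if r["scheme"] and r["status"] not in (None, 200, 401):
            findings.append(f"round {n}: server answered {r['status']} to a {r['scheme']} token; not an auth challenge")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print("CURLOPT_HTTPAUTH =", "|".join(s["httpauth"] or ["unknown"]))
    for n, r in enumerate(s["rounds"], 1):
        print(f"round {n}: sent {r['token'] or 'no credentials'} -> {r['status']} challenges={r['challenges']}")
    for finding in diagnose(s):
        print("note:", finding)
```

Run against the sample, the script reports CURLOPT_HTTPAUTH = NEGOTIATE (bit 4 only, so libcurl will never emit a bare NTLM header regardless of what the server lists), a NegTokenInit carrying the SPNEGO OID in round two, a NegTokenResp with negState accept-incomplete in round three, and two findings: the second 401 carried no continuation challenge, and the third round was answered with a 400 rather than a challenge or a 200. Those two observations narrow the problem to the server's handling of the SPNEGO continuation rather than to libcurl's choice of scheme, which is the same conclusion Steve's reply points toward.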