

[Win][SSPI] proper authentication using SSPI ?

From: Павел Н via curl-library <>
Date: Mon, 26 Jun 2017 16:24:57 +0300

Hi all.

Long-time curl and libcurl user, and I have suffered just as long from having to enter proxy creds on the command line.

In the end this very thing stops us from using libcurl with Windows SSPI in a Windows product, so we suffer even more trying to use WinInet and WinHttp.

Recently I spent some time and finally figured out what's wrong with all of this. It turns out the change to be made is almost trivially simple: one must supply an SPN to the call of InitializeSecurityContext() instead of an empty string, e.g. 'TEXT("")' in ntlm_sspi.c:

  status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
                                               (TCHAR *) TEXT(""),
                                               0, 0, SECURITY_NETWORK_DREP,
                                               NULL, 0,
                                               ntlm->context, &type_1_desc,
                                               &attrs, &expiry);

as one does with 'host_name' in the SChannel implementation in schannel.c:

    sspi_status = s_pSecFn->InitializeSecurityContext(
      &connssl->cred->cred_handle, &connssl->ctxt->ctxt_handle,
      host_name, connssl->req_flags, 0, 0, &inbuf_desc, 0, NULL,
      &outbuf_desc, &connssl->ret_flags, &connssl->ctxt->time_stamp);

In the case of a proxy, Chromium does it like this:


I would REALLY appreciate it if anyone could fix it for me.

Otherwise it will take me some time to dive into the implementation techniques and coding style to do this, but in the end I will do it for sure.

Thanks in advance.


P.S. Some more details on providing SPN to the call of InitializeSecurityContext().
If your logon creds are ok to authenticate on the server, then empty string works.
If the server does not accept your logon creds, but there is a record for the server in Windows Credential Manager, the authentication will fail since, I guess, SSPI tries to use only your logon creds.
However, if you supply the host name to the InitializeSecurityContext() call, it works either way: if there is a record for the host in Credential Manager, SSPI uses it; if there isn't, SSPI uses your logon creds.
Received on 2017-06-26