Re: [Win][SSPI] proper authentication using SSPI ?

From: Павел Н via curl-library <>
Date: Mon, 26 Jun 2017 22:18:20 +0300

26.06.2017, 16:49, "Павел Н via curl-library" <>:
> Hi all.
> Long time curl and libcurl user and suffering as long to enter proxy creds to the command line.
> In the end this very thing stops us from using libcurl with Windows SSPI in a Windows product, so we suffer even more trying to use WinInet and WinHttp.
> Recently I spent some time and finally figured out what's wrong with all of this. It turns out the change to be made is almost trivially simple: one must supply an SPN to the call of InitializeSecurityContext() instead of an empty string, e.g. 'TEXT("")' in ntlm_sspi.c:
>   status = s_pSecFn->InitializeSecurityContext(ntlm->credentials, NULL,
>                                                (TCHAR *) TEXT(""),
>                                                0, 0, SECURITY_NETWORK_DREP,
>                                                NULL, 0,
>                                                ntlm->context, &type_1_desc,
>                                                &attrs, &expiry);
> as one does in SChannel implementation in 'host_name' schannel.c:
>     sspi_status = s_pSecFn->InitializeSecurityContext(
>       &connssl->cred->cred_handle, &connssl->ctxt->ctxt_handle,
>       host_name, connssl->req_flags, 0, 0, &inbuf_desc, 0, NULL,
>       &outbuf_desc, &connssl->ret_flags, &connssl->ctxt->time_stamp);
> In the case of proxy Chromium does it like this:
> I would REALLY appreciate it if anyone does fix it for me.
> Otherwise it will take me some time to dive in the implementation techniques and coding style to do this, but in the end I will do it for sure.
> Thanks in advance.
> paul
> P.S. Some more details on providing SPN to the call of InitializeSecurityContext().
> If your logon creds are ok to authenticate on the server, then empty string works.
> If the server does not accept your logon creds, but there is a record for the server in Windows Credential Manager for it, the authentication will fail since, I guess, SSPI tries to use only your logon creds.
> However if you supply the host name to the InitializeSecurityContext() call it works either way: if there is a record for the host in Credential Manager, SSPI uses it; if there isn't, SSPI uses your logon creds.

Further investigation has shown that the negotiate and digest methods currently work just fine (7.54.1) and it is the NTLM method that fails.

I guess one simply needs to make the InitializeSecurityContext() call in ntlm_sspi.c the same way it is done in digest_sspi.c and spnego_sspi.c.
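To make the proposed change concrete, here is an added example (my own sketch, not curl's code and not the patch that eventually landed). It assumes the "service/host[@realm]" SPN form that the digest and SPNEGO SSPI code use, and a hypothetical helper, build_spn(), that produces it; the Windows part only compiles on Windows and shows the SPN being passed as pszTargetName where ntlm_sspi.c currently passes TEXT(""), so SSPI can pick up a Credential Manager entry for the host and otherwise fall back to the logon credentials, as described in the P.S. above.

```c
/* Added example, not curl's own code. build_spn() is an assumed helper
 * that builds "service/host" or "service/host@realm"; the caller frees
 * the result. Returns NULL on missing input or allocation failure. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#endif

char *build_spn(const char *service, const char *host, const char *realm)
{
  size_t len;
  char *spn;

  if(!service || !*service || !host || !*host)
    return NULL;

  /* "service" + "/" + "host" + NUL, plus "@realm" when a realm is given */
  len = strlen(service) + 1 + strlen(host) + 1;
  if(realm && *realm)
    len += 1 + strlen(realm);

  spn = malloc(len);
  if(!spn)
    return NULL;

  if(realm && *realm)
    snprintf(spn, len, "%s/%s@%s", service, host, realm);
  else
    snprintf(spn, len, "%s/%s", service, host);
  return spn;
}

#ifdef _WIN32
/* Assumed shape of the corrected type-1 call: the SPN for the (proxy)
 * host replaces TEXT("") as the target name. Everything else matches the
 * arguments quoted from ntlm_sspi.c above. */
SECURITY_STATUS ntlm_type1_with_spn(PCredHandle cred, PCtxtHandle new_ctx,
                                    const char *host, PSecBufferDesc type1,
                                    ULONG *attrs, TimeStamp *expiry)
{
  SECURITY_STATUS status;
  char *spn = build_spn("HTTP", host, NULL);
  if(!spn)
    return SEC_E_TARGET_UNKNOWN;

#ifdef UNICODE
  /* SSPI wants a TCHAR string; convert the UTF-8 SPN for UNICODE builds */
  int n = MultiByteToWideChar(CP_UTF8, 0, spn, -1, NULL, 0);
  TCHAR *target = n ? malloc(n * sizeof(TCHAR)) : NULL;
  if(target)
    MultiByteToWideChar(CP_UTF8, 0, spn, -1, target, n);
#else
  TCHAR *target = spn;
#endif
  if(!target) {
    free(spn);
    return SEC_E_INSUFFICIENT_MEMORY;
  }

  status = InitializeSecurityContext(cred, NULL, target,
                                     0, 0, SECURITY_NETWORK_DREP,
                                     NULL, 0,
                                     new_ctx, type1,
                                     attrs, expiry);
#ifdef UNICODE
  free(target);
#endif
  free(spn);
  return status;
}
#endif
```

For a proxy the host passed in is the proxy's name, so the SPN becomes "HTTP/proxyhost"; for an origin server it is the origin host. The service name and the realm handling are assumptions for this sketch, not something the mail states.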

Received on 2017-06-26