Hello to everybody on the list,

I have a problem with NTLM authentication which is beyond my (quite
limited) experience with the protocol.

In my environment curl runs on its own computer and accesses an IIS
server running on a different machine (a windows 2003 server
computer). The IIS server is set to allow windows integrated
authentication only and is a member of a complex installation with
three domains containing users (in fact many more but only three are
relevant). Finally the computer running curl is not a member of any
windows domain and the computer running IIS is a member of a fourth
domain, different from the three users domains.

The problem is that when curl accesses IIS authenticating as a user
from 2 of the users domains it works flawlessly, while when I try
using any user from the third domain IIS replies with a 500 error
(internal server error), writes a secondary code of 2148074244 in the
log and an error page complaining that

    "The Local Security Authority cannot be contacted"

which corresponds to the secondary code in IIS log. I googled around
for this error but I can only find reports of problems with SSL
certificates, which I'm not using. At first it looked like an IIS/
windows configuration problem but:

  - both IIS and the server work flawlessly, we can log on the server
locally, remotely via terminal server, connect to IIS with explorer
and firefox
  - our domain administrator sweared that all the three domains are
exactly equal.

As far as I can tell from curl -v output, IIS logs and a tcp traffic
dump the NTLM handshake is correctly carried on: curl sends
Authorization: NTLM, the server replies with the challange and curl
replies with its response, but then IIS returns error 500.

Even more strange, firefox indeed *can* authenticate using the same
domain\user and password as curl. Moreover if I pass wrong
authentication credentials to curl (e.g. wrong password) IIS
correctly denies access with an http error 404 which seems to hint
that the credentials are correctly passed to the server.

Puzzled I looked at the differences between firefox and curl packet
dumps and I found two differences in the initial Authorization: NTLM
HTTP header

  - First, firefox sets to 0 the domain offset and host offsets,
while curl sets both of them to 32.

  - Second, firefox passes NTLM flags 0x07 0x82 0x08 0x00, which
should be NTLMFLAG_NEGOTIATE_UNICODE, NTLMFLAG_REQUEST_TARGET,
NTLMFLAG_NEGOTIATE_NTLM_KEY, NTLMFLAG_NEGOTIATE_ALWAYS_SIGN,
NTLMFLAG_NEGOTIATE_NTLM2_KEY.

I'd say that NTLMFLAG_NEGOTIATE_UNICODE is ininfluent here (domain,
username and password are plain ascii), the other flags, well, I
don't know enough of the protocol to tell if they are the cause of
the problem or not.

Did anybody see this behaviour? Does somebody who knows more have any
idea to go on with debugging? Any help is welcome :)

PS: I'm not attaching logs, dumps, debugging output etc in order not
to fill the list with useless information. If you think some more
information is needed, please ask.
Received on 2006-02-23