Re: NTLM, HTTP 100 Continue, and IIS 6 / .NET 1.1

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Wed, 24 Mar 2004 10:13:45 +0100 (CET)

On Wed, 24 Mar 2004, Alan Pinstein wrote:

> This is obviously inefficient if your POST body is large, so it seems that
> in newer versions of libcurl this has been optimized, and libcurl instead
> DOES NOT send the POST body, opting instead to send an "Expect:
> 100-continue" header, and only passing on the POST body when the server
> responds with "HTTP 100 Continue".

Correct. This seems to be the best way to deal with this. It also has the
added benefit that if the server doesn't require any authentication libcurl
won't attempt to perform any.

> Sadly it seems that IIS 6, something about either the NTLM handshake or the
> HTTP 100 stuff is not working properly in 7.11.1:

I've tried to read RFC2616 and RFC2617 when it comes to authentication and I
believe libcurl is doing the right thing now. I may of course be wrong. Added
to this, NTLM is a secret proprietary protocol so there might even be hidden
features in there that we don't do correctly.

> --------- libcurl 7.11.1 talking to IIS 6.0/.NET 1.1 ---------------

...

> 010.000.001.101.50729-065.161.004.200.00080: POST
> /mediabinwebservice/MediaBinServer.asmx HTTP/1.1
> Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=

"TlRMTVNTUAAB" identifies this NTLM package as a type-1 message, which is the
first one that a client sends.

> Host: mediabin.interwoven.com
> Pragma: no-cache
> Accept: */*
> User-Agent:MediaBin Mac Native Client
> Content-Type:text/xml; charset=utf-8
> SOAPAction:"http://www.mediabin.com/GetMediaBinServerName"
> Content-Length: 308

A POST request must have a Content-Length:, so this is provided.

> Expect: 100-continue

And this header is our way to say that we may not have the correct
authentication (yet), please confirm with a 100 to make us continue to do the
actual post.

> 065.161.004.200.00080-010.000.001.101.50729: HTTP/1.1 400 Bad Request
> Content-Type: text/html
> Date: Wed, 24 Mar 2004 05:12:03 GMT
> Connection: close
> Content-Length: 35

Do you have any logs or anything in the server end when it decides that this
is a bad request? I can't see what's wrong with it!

> I am hoping someone could provide an opinion as to whether IIS 6 is
> misbehaving in this circumstance, or whether instead libcurl is.

In my view, the server should accept this request and send a NTLM type-2
response.

> For reference, when I connect with libcurl-7.11.1 to IIS 5.0/.NET 1.0,
> libcurl can talk .NET with NTLM just fine. It seems to use a different
> approach in this case:

> 010.000.001.101.50652-010.000.001.108.00080: POST
> /mediabinwebservice/MediaBinServer.asmx HTTP/1.1

...

> 010.000.001.108.00080-010.000.001.101.50652: HTTP/1.1 100 Continue
> Server: Microsoft-IIS/5.0
> Date: Wed, 24 Mar 2004 05:04:37 GMT

....

> 010.000.001.108.00080-010.000.001.101.50652: HTTP/1.1 401 Unauthorized
> WWW-Authenticate: NTLM

I find it funny that they first give a 100 followed by a 401. It seems
unnecessary...

> 010.000.001.101.50652-010.000.001.108.00080: POST
> /mediabinwebservice/MediaBinServer.asmx HTTP/1.1
> Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA=
> Content-Length: 308
> Expect: 100-continue

...

> 010.000.001.108.00080-010.000.001.101.50652: HTTP/1.1 401 Access Denied
> Server: Microsoft-IIS/5.0
> WWW-Authenticate: NTLM
> TlRMTVNTUAACAAAAAAAAADAAAAACAgAAlZX/LXI5ceYAAAAAAAAAAAAAAAAwAAAA
> Content-Length: 4033
> Content-Type: text/html

Yes, here we can see that in the exact same scenario as above, this server
responds with a 401 and a NTLM type-2 message ("TlRMTVNTUAAC" shows this).

This is the behaviour I would expect.

> 010.000.001.101.50652-010.000.001.108.00080: POST
> /mediabinwebservice/MediaBinServer.asmx HTTP/1.1
> Authorization: NTLM
> TlRMTVNTUAADAAAAGAAYAE0AAAAAAAAAZQAAAAAAAABAAAAADQANAEAAAAAAAAAATQAAAAAA
> AABlAAAAAYIAAGFkbWluaXN0cmF0b3KmBCTJa4n481uTDMKbdDBS2mmqUV3ybaQ=
> Content-Type:text/xml; charset=utf-8
> SOAPAction:"http://www.mediabin.com/GetMediaBinServerName"
> Content-Length: 308

...

> 010.000.001.108.00080-010.000.001.101.50652: HTTP/1.1 100 Continue
> Server: Microsoft-IIS/5.0
> Date: Wed, 24 Mar 2004 05:04:39 GMT
>
> 010.000.001.108.00080-010.000.001.101.50652: HTTP/1.1 200 OK

...

> Microsoft is in fact being very helpful and responsive, and I'd like to give
> them as much good information as I can both to fix my situation and improve
> libcurl.

Let me know if there's anything else I can do to help.

-- 
     Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
      Dedicated custom curl help for hire: http://haxx.se/curl.html
Received on 2004-03-24
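
Added example, not part of the original mail and not libcurl code: a small decoder for the NTLM tokens quoted in the capture, showing how the "TlRMTVNTUAAB" / "TlRMTVNTUAAC" prefixes map to type-1 and type-2 messages. The function name `parse_ntlm` is hypothetical, and the field offsets and flag names are assumptions taken from the commonly documented NTLMSSP message layout.

```python
import base64
import struct

# Tokens copied from the Authorization / WWW-Authenticate lines in the capture.
TYPE1 = "TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA="
TYPE2 = "TlRMTVNTUAACAAAAAAAAADAAAAACAgAAlZX/LXI5ceYAAAAAAAAAAAAAAAAwAAAA"

SIGNATURE = b"NTLMSSP\x00"
# Small subset of the negotiate flag bits, enough to read these two tokens.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
}


def parse_ntlm(header_value):
    """Decode an 'NTLM <base64>' header value (or a bare token) into a dict."""
    parts = header_value.split()
    if not parts:
        raise ValueError("empty header value")
    raw = base64.b64decode(parts[-1], validate=True)
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    info = {"type": struct.unpack_from("<I", raw, 8)[0], "length": len(raw)}
    if info["type"] == 1 and len(raw) >= 16:
        # Type 1 (negotiate): flags directly follow the message type.
        flags = struct.unpack_from("<I", raw, 12)[0]
    elif info["type"] == 2 and len(raw) >= 32:
        # Type 2 (challenge): target-name buffer, flags, 8-byte server nonce.
        name_len, _, name_off = struct.unpack_from("<HHI", raw, 12)
        flags = struct.unpack_from("<I", raw, 20)[0]
        info["target"] = raw[name_off:name_off + name_len]
        info["challenge"] = raw[24:32].hex()
    else:
        return info  # type 3 or a truncated message: report the type only
    info["flags"] = flags
    info["flag_names"] = [n for bit, n in sorted(FLAGS.items()) if flags & bit]
    return info


if __name__ == "__main__":
    for value in ("NTLM " + TYPE1, "NTLM " + TYPE2):
        print(parse_ntlm(value))
```

A bare `WWW-Authenticate: NTLM` value, as in the first 401 from IIS 5.0, carries no token and is rejected with `ValueError`.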