curl-library

Re: How-To use NTLM proxy authentication?

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Mon, 21 Mar 2005 19:51:59 +0100 (CET)

On Mon, 21 Mar 2005, Augustus Saunders wrote:

> I've got one (multi-part) question and a couple of comments. First, what
> are the steps involved to get NTLM authentication to work? One of our
> clients is using ISA (Microsoft's proxy) and I need to figure this out.
> From the docs, I understand that I need an SSL-enabled library, so I got
> that set up. Then, you
>
> err = curl_easy_setopt(m_curl, CURLOPT_PROXYAUTH, CURLAUTH_ANY);
>
> when you detect you need to go through the proxy. My understanding is that
> libcurl will talk to the proxy and somehow "figure out" which authentication
> method to use if you tell it CURLAUTH_ANY.

That is correct. But you need to provide username and password, since libcurl
can't figure that out[*].

> Do I need to set up any of the SSL options?

No.

> I don't know much about NTLM authentication, but it is my understanding that
> it uses some challenge/response mechanism and that it doesn't require a
> username/password.

The first part is correct, the latter is wrong.

> Does libcurl transparently negotiate this?

It negotiates what auth to use on its own, if told to, yes.

> Right now, I am trapping for 407 responses manually so I can prompt for
> username/password (is this still necessary, or have you added a callback for
> this in the last few years?).

This is necessary. We did in fact _remove_ a callback for this some time
ago...

> If NTLM authentication is being used, will libcurl automatically negotiate
> that such that I never see the 407, or do I have to do something to invoke
> the NTLM hat dance?

If you set the username and password in advance, you won't get stuck on the
407 but libcurl will continue fine.

> 1) it would be nice if whoever did the MSVC developer distributions would
> make a full complement of libraries for different linking scenarios. I
> eventually got everything to compile, but I had to go in and edit the
> makefiles, which is not comfortable territory for most MSVC types.

The makefiles are written to reduce the need for edits as much as possible.

> 2) I'm guessing this is a bug, but... if I don't set CURLOPT_WRITEFUNCTION
> at all, I get lots of sporadic "Error writing body" errors. I created a
> callback that does nothing, and presto, all the errors went away. Seems
> like this should be the default behavior.

The default behavior was set years ago and I've not yet seen any good reason
to break backwards compatibility in that aspect. Very few apps actually need
or use the default behaviour anyway.

[*] the upcoming libcurl 7.13.2 supports SSPI which _can_ figure out your
     default Windows user and password to use for NTLM authentication

-- 
      Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2005-03-21
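
The manual 407 trap discussed in this mail can also record which schemes the proxy offers before the application prompts. This is an added example, not code from the original mail or from libcurl: a callback with the signature CURLOPT_HEADERFUNCTION expects, where `struct proxy_probe`, the `OFFER_*` flags and the sample header lines are made up for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>  /* strncasecmp (POSIX) */

/* Hypothetical flags for this example, not libcurl's CURLAUTH_* values. */
enum { OFFER_BASIC = 1, OFFER_DIGEST = 2, OFFER_NTLM = 4, OFFER_NEGOTIATE = 8 };
struct proxy_probe {  /* hypothetical state passed as the callback userdata */
  long status;        /* status code of the most recent response */
  unsigned offered;   /* schemes named in its Proxy-Authenticate headers */
};

/* Shaped like a CURLOPT_HEADERFUNCTION callback: called once per header
   line, and the line is not NUL-terminated. */
size_t probe_header_cb(char *buf, size_t size, size_t nitems, void *userdata)
{
  static const struct { const char *name; unsigned bit; } schemes[] = {
    { "Basic", OFFER_BASIC }, { "Digest", OFFER_DIGEST },
    { "NTLM", OFFER_NTLM }, { "Negotiate", OFFER_NEGOTIATE } };
  static const char hdr[] = "Proxy-Authenticate:";
  struct proxy_probe *p = userdata;
  size_t len = size * nitems, i, k;
  if(len > 5 && !memcmp(buf, "HTTP/", 5)) {   /* status line: a new response */
    const char *sp = memchr(buf, ' ', len);
    p->status = 0;
    p->offered = 0;
    if(sp && (size_t)(buf + len - sp) > 3)    /* room for three digits */
      for(i = 1; i <= 3 && isdigit((unsigned char)sp[i]); i++)
        p->status = p->status * 10 + (sp[i] - '0');
  }
  else if(len >= sizeof(hdr) && !strncasecmp(buf, hdr, sizeof(hdr) - 1)) {
    for(i = sizeof(hdr) - 1; i < len && (buf[i] == ' ' || buf[i] == '\t'); i++)
      ;                                       /* skip blanks after the colon */
    for(k = 0; k < sizeof(schemes) / sizeof(schemes[0]); k++) {
      size_t n = strlen(schemes[k].name);     /* match a whole scheme token */
      if(len - i >= n && !strncasecmp(buf + i, schemes[k].name, n) &&
         (len - i == n || !isalnum((unsigned char)buf[i + n])))
        p->offered |= schemes[k].bit;
    }
  }
  return len;  /* returning anything else makes libcurl fail the transfer */
}

int main(void)
{ /* Constructed sample: header lines of a 407 from an imaginary proxy. */
  char *lines[] = { "HTTP/1.1 407 Proxy Authentication Required\r\n",
    "Proxy-Authenticate: NTLM\r\n", "Proxy-Authenticate: Basic realm=\"x\"\r\n" };
  struct proxy_probe p = { 0, 0 };
  for(size_t i = 0; i < 3; i++) probe_header_cb(lines[i], 1, strlen(lines[i]), &p);
  printf("status=%ld ntlm=%d basic=%d\n", p.status, !!(p.offered & OFFER_NTLM), !!(p.offered & OFFER_BASIC));
  return 0;
}
```

In an application the callback would be registered with CURLOPT_HEADERFUNCTION and the struct with CURLOPT_HEADERDATA; a final status of 407 is the cue to prompt and set CURLOPT_PROXYUSERPWD before retrying.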