cURL / Mailing Lists / curl-library / Single Mail


RE: Failure with --proxy-anyauth on NTLM

From: Steve Holme <>
Date: Fri, 30 Mar 2012 09:51:49 +0100

Hi Matteo,

> These are the results of the tests (I have no access to the
> ISA-server-Proxy).
> 1. curl.exe --proxy-ntlm --proxy --proxy-user
> user:pass It works fine if --proxy-ntlm
> <> is
> specified.
> 2. curl.exe --proxy-anyauth --proxy --proxy-user
> user:pass It fails.
> 3. curl.exe --proxy-anyauth --proxy-negotiate --proxy
> --proxy-user user:pass It
> fails.

I'm not too familiar with proxy servers from a curl prospective so someone
else might be able to answer your query better than me, but I do know how
the SMTP authentication works in curl so I have just delved into the
http_proxy stuff out of curiosity and some of the following may be useful to

> HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
> authorization to fulfill the request. Access to the Web P roxy filter is
> denied. )
> Via: 1.1 NAS
> Proxy-Authenticate: Negotiate
> Proxy-Authenticate: Kerberos
> Proxy-Authenticate: NTLM

I believe this is where the problem lies...

The server has told curl that it supports GSS Negotiate, Kerberos and NTLM
in that order so curl with CURLAUTH_ANY set has tried to authenticate with
GSS first as that was first in the list. This is then failing because, and
I'm guessing here, your customer has a problem authenticating with GSS - as
indicated by test #3 also failing.

I would try and get the customer to fix up GSS - If they don't want to
support GSS can they turn it off so that the server only advertises NTLM for

If they can't turn it off in ISA Server or don't want to, does your
application have a configuration file (or registry setting if it is Windows
based) where you could specify the preferred authentication mechanism as

I hope this helps a little

Kind Regards


List admin:
Received on 2012-03-30