curl-library

Problem with NTLM proxy authentication

From: Ulrich Telle <Ulrich.Telle_at_gmx.de>
Date: Fri, 29 Aug 2014 15:43:27 +0200

For my application I use libcurl 7.37.1 on Windows, compiled with VC++
2010, with WINDOWS_SSPI enabled.

When used from behind a company firewall the application fails to connect to
the Internet for some users.

I turned on CURLOPT_VERBOSE to get some more information about what's
going on, but I have to admit that I'm at a loss whether this is a problem
related to my own application (for example, missing information to be sent to
the proxy) or to the proxy server (for example, misconfiguration).

When I use the application from behind the firewall of my company the
application authenticates via NTLM successfully and can access the required
URL without problems.

From another user located behind the firewall of his company I got the
logged information of CURLOPT_VERBOSE. The output is very similar to
what I get on my own computer. The NTLM authentication procedure seems
to be started correctly. However, the last step, re-issuing the request using a
"PROXY-AUTHORIZATION" header, is missing.

Below I copied in the relevant parts of the log on my own computer and of
the log on the computer of the other user.

Any pointer to what might be going wrong on the computer of the other user
would be very much appreciated.

Regards,

Ulrich

>>> Sample log from my own computer - successful <<<

Text: Rebuilt URL to: http://xyz.com/
Text: Hostname was NOT found in DNS cache
Text: Trying 10.20.30.40...
Text: Connected to 10.20.30.40 (10.20.30.40) port 8080 (#0)

Header out: GET http://xyz.com/ HTTP/1.1
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 4661
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="Web Gateway"

Text: Ignoring the response-body

Data in:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
</html>

Text: Connection #0 to host 10.20.30.40 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x2642a70
Text: Re-using existing connection! (#0) with host 10.20.30.40
Text: Connected to 10.20.30.40 (10.20.30.40) port 8080 (#0)
Text: Proxy auth using NTLM with user ''

Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM
TlQWERTZSDESDESDE7II4gkACQAuCVBGFgDFGTgZZZUUUbEdAAAAD
0JZWVJTQUJZQUNDT1VOVA==
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 4661
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
TlRMTVNTUAACBBBBBBBBBBBBAAA1gongWv+dh/0VGEQBBBBBBBBB
BBBBBBBBBBBB

Text: Ignoring the response-body

Data in:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
</html>

Text: Connection #0 to host 10.20.30.40 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x2642a70
Text: Re-using existing connection! (#0) with host 10.20.30.40
Text: Connected to 10.20.30.40 (10.20.30.40) port 8080 (#0)
Text: Proxy auth using NTLM with user ''

Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAADbvbvbvbYAbvbvbvbvbvblAAAbvbvbvbvbAbvbvbGAGoAAA
AMAAwAcAAAABAAEACsAAAANYKI4gYBsR0AAAAPpfKBZfzJWaoABpHp
CMKKtUIAWQBBAEMAQwBPAFUATgBUAFQARQBVAEIAWQBZAFIAUwB
BAA30nEcx5j0PbbbbbbbbbbbbbbbbbbbbAB8mI5lZzL0vbvbvBvbvbvLvbvbsk
GqkXViAU0XVvW0pd0gjaeOJOWg=
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 200 OK
Header in: Date: Thu, 28 Aug 2014 11:00:22 GMT
Header in: Content-Type: text/html; charset=utf-8
Header in: ...
Header in: Proxy-Connection: Keep-Alive
Header in: Transfer-Encoding: chunked

Data in: 9989
<?xml version="1.0" encoding="utf-8"?>
...
</html>
0

Text: Connection #0 to host 10.20.30.40 left intact

>>> End of log <<<

>>> Sample log from another user - NOT successful <<<

Text: Rebuilt URL to: http://xyz.com/
Text: Hostname was NOT found in DNS cache
Text: Trying 11.22.33.44...
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)

Header out: GET http://xyz.com/ HTTP/1.1
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2637
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="CompanyAD"

Text: Ignoring the response-body

Data in:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
</html>

Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x2c780c0
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Text: Proxy auth using NTLM with user ''

Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAAt7II4gcABwAuAAFFFFFFFFFFFFFFFFEdAAAAFFFF
FFFFFFxYLUVNRUE=
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2637
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
TlRFFGGHHAACAABBBBBBABBBBAA1gongzXgdkoL6puUBBBBBBBBBB
BBBBBBBBAAA

Text: Ignoring the response-body

Data in:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
</html>

Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x2c780c0
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)

Text: Connection #0 to host 11.22.33.44 left intact

>>> End of log <<<

-- 
E-Mail privat:  Ulrich.Telle_at_gmx.de
World Wide Web: http://www.telle-online.de
Received on 2014-08-29
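
Added example, not part of the original mail and not curl code: a small checker that walks a CURLOPT_VERBOSE-style trace like the two above, rejoins wrapped NTLM tokens, reads each token's NTLMSSP message type, and reports which leg of the three-message exchange never appeared. All function names are hypothetical, and the sample tokens are constructed minimal NTLMSSP headers rather than the tokens from the mail.

```python
import base64
import re
import struct

# An NTLM proxy header line, with or without the trace's "Header in/out:" prefix.
HDR = re.compile(r"(?:Header (?:in|out): )?(Proxy-Authenticate|Proxy-Authorization):"
                 r" NTLM\s*(\S*)$", re.I)
B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # continuation line of a wrapped token
LEGS = (("client", 1, "NEGOTIATE"), ("proxy", 2, "CHALLENGE"), ("client", 3, "AUTHENTICATE"))

def ntlm_message_type(token):
    """Return the NTLMSSP message type (1, 2 or 3), or None if the token is not NTLMSSP."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    ok = len(raw) >= 12 and raw[:8] == b"NTLMSSP\x00"
    return struct.unpack_from("<I", raw, 8)[0] if ok else None

def handshake_steps(log_text):
    """List (sender, type) for each NTLM header; type 0 is a bare 'NTLM' offer."""
    lines = [line.strip() for line in log_text.splitlines()]
    steps, i = [], 0
    while i < len(lines):
        m = HDR.match(lines[i])
        i += 1
        if m:
            token = m.group(2)
            while i < len(lines) and B64.match(lines[i]):  # rejoin a wrapped token
                token += lines[i]
                i += 1
            sender = "client" if m.group(1).lower() == "proxy-authorization" else "proxy"
            steps.append((sender, ntlm_message_type(token) if token else 0))
    return steps

def diagnose(steps):
    for sender, mtype, name in LEGS:  # report the first leg that is absent
        if (sender, mtype) not in steps:
            return f"{sender} never sent {name} (type {mtype})"
    return "handshake complete"

# Constructed sample data: signature + type + zero padding, not complete NTLM messages.
def sample_token(mtype):
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", mtype) + bytes(20)).decode()

T1, T2 = sample_token(1), sample_token(2)
FAILED_LOG = "\n".join([
    "Header in: Proxy-Authenticate: NTLM", "Proxy-Authorization: NTLM", T1[:20], T1[20:],
    "Host: xyz.com", "Header in: Proxy-Authenticate: NTLM", T2,
    "Text: Connection #0 to host 11.22.33.44 left intact"])
```

A token that does not decode to an NTLMSSP header, such as one altered before posting, is reported with type `None`, so an anonymised trace will show up as missing legs.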