
curl-library

Re: Problem with NTLM proxy authentication

From: Ulrich Telle <Ulrich.Telle_at_gmx.de>
Date: Mon, 01 Sep 2014 12:45:40 +0200

Steve,

> Just out of interest have you tried a non-SSPI build?

In the meantime I generated a non-SSPI version of my application and one
user tested it, again without success.

> What return code do you get back from libcurl?

The return code is always CURLE_OK, that is, no error. However, the HTTP
response code is still 407.

> The reason I ask is, from the log at least, it looks like the decoding
> of the NTLM type-2 message and creation of the NTLM type-3 message
> fails. I would be very intrigued to know if that is the case or not.

I see an additional informational message from libcurl, namely

Text: NTLM handshake rejected
Text: Authentication problem. Ignoring this.

(Complete log below).

> Basically the following happens:
>
> 1) Your Proxy Server is advertising that it supports both NTLM and Basic authentication.
> 2) Libcurl chooses NTLM as it is more secure than Basic - unless you tell libcurl differently.
> 3) Libcurl will then send a Proxy-Authorization header containing the chosen mechanism and an NTLM type-1 message, which has been created by the Windows SSPI functions and Base64-encoded by libcurl.
> 4) The Proxy Server receives that, decodes it, processes it and responds with another 407 containing an NTLM type-2 message if all is good.
> 5) Libcurl receives the 407, decodes the Base64-encoded message and passes it to the SSPI functions to process and generate an NTLM type-3 message.
> 6) Libcurl then encodes the type-3 and sends it to the server in another request via the Proxy-Authorization header.
>
> My guess is something is going wrong in either step 5 or 6 as the type-3 is not being sent.

It seems that the Proxy-Authorization header is sent. However, the proxy
server doesn't seem to accept it.

Regards,

Ulrich

>>> New log begin <<<

Text: Rebuilt URL to: http://xyz.com/
Text: Hostname was NOT found in DNS cache
Text: Trying 11.22.33.44...
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Header out: GET http://xyz.com/ HTTP/1.1
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2634
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="WebAD"

Text: Ignoring the response-body

Data in:
<!DOCTYPE html>
...
</html>

Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x29c3748
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Text: Proxy auth using NTLM with user 'ABCDE'

Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2634
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAAAAAAAAGgokAY/FHGP+4pKIAAAAAAAAAA
AAAAAAAAAAA

Text: Ignoring the response-body

Data in:
<!DOCTYPE html>
...
</html>
 
Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x29c3748
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Text: Proxy auth using NTLM with user 'ABCDE'

Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAABQ
AFAHAAAAAGAAYAdQAAAAAAAAAAAAAABoKJACjrUgzovGvZAAAAAAA
AAAAAAAAAAAAAAH8aPq9LDPKDglDlt4O+6kw69fgaLSTJNkxYSlFVU0cx
NVlS
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive

Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2639
Header in: Proxy-Connection: Keep-Alive

Text: NTLM handshake rejected
Text: Authentication problem. Ignoring this.

Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="WebAD"

Data in:
<!DOCTYPE html>
...
</html>

Text: Connection #0 to host 11.22.33.44 left intact

 - cURL Msg short: No error
 - cURL Msg detail:

>>> New log end <<<

-- 
E-Mail privat:  Ulrich.Telle_at_gmx.de
World Wide Web: http://www.telle-online.de
Received on 2014-09-01
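The three tokens in the log above can be decoded directly instead of being read off libcurl's "NTLM handshake rejected" message. What follows is an added example, not code from this mail or from curl: a Python script that pulls the base64 NTLM tokens out of a libcurl debug log (re-joining a token that a mailer or terminal wrapped across several lines, as happened above, and also accepting a token on the header line itself), decodes the type-1, type-2 and type-3 messages according to the MS-NLMP layout, and reports the negotiated flags, the 8-byte server challenge, the target name and target info, and the type-3 response, domain, user and host fields. The header lines in LOG are copied from the log in the mail; the function names (extract_tokens, parse_ntlm, decode_handshake) and the FLAG_NAMES table are this example's own, and the table covers only the flags this handshake uses.

```python
"""Decode the NTLM tokens of a libcurl proxy handshake from its debug log."""
import base64
import re
import struct

# Subset of the NTLMSSP NEGOTIATE flags (MS-NLMP 2.2.2.5) that this handshake uses.
FLAG_NAMES = {
    0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM",
    0x8000: "ALWAYS_SIGN", 0x10000: "TARGET_TYPE_DOMAIN", 0x20000: "TARGET_TYPE_SERVER",
    0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO",
}

# Header lines copied from the log in the mail above, tokens wrapped as the mailer left them.
LOG = """\
Proxy-Authorization: NTLM
TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
Header in: Proxy-Authenticate: NTLM
TlRMTVNTUAACAAAAAAAAAAAAAAAGgokAY/FHGP+4pKIAAAAAAAAAA
AAAAAAAAAAA
Proxy-Authorization: NTLM
TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAABQ
AFAHAAAAAGAAYAdQAAAAAAAAAAAAAABoKJACjrUgzovGvZAAAAAAA
AAAAAAAAAAAAAAH8aPq9LDPKDglDlt4O+6kw69fgaLSTJNkxYSlFVU0cx
NVlS
Host: xyz.com
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="WebAD"
"""

HEADER_RE = re.compile(r"Proxy-Auth(?:orization|enticate): NTLM\s*([A-Za-z0-9+/=]*)$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/=]+$")

def extract_tokens(log):
    """Return the base64 NTLM tokens in order; bare base64 lines right after an NTLM
    header are the wrapped rest of that token, and a bare 'NTLM' header yields ''."""
    tokens, current = [], None
    for line in log.splitlines():
        line = line.rstrip()
        m = HEADER_RE.search(line)
        if m:
            if current is not None:
                tokens.append(current)
            current = m.group(1)
        elif current is not None and B64_LINE_RE.match(line):
            current += line
        elif current is not None:
            tokens.append(current)
            current = None
    if current is not None:
        tokens.append(current)
    return tokens

def _field(buf, off):
    """Read an NTLM security buffer (len, maxlen, offset); return the bytes it points at."""
    if off + 8 > len(buf):
        return b""
    length, _maxlen, pos = struct.unpack_from("<HHI", buf, off)
    return buf[pos:pos + length]

def parse_ntlm(token):
    """Parse a base64 NTLMSSP type 1, 2 or 3 message into a dict of its fields."""
    token += "=" * (-len(token) % 4)  # padding is often lost when a token is wrapped
    buf = base64.b64decode(token)
    if buf[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", buf, 8)[0]
    msg = {"type": mtype, "length": len(buf)}
    if mtype == 1:
        flags = struct.unpack_from("<I", buf, 12)[0]
        msg.update(domain=_field(buf, 16), workstation=_field(buf, 24))
    elif mtype == 2:
        flags = struct.unpack_from("<I", buf, 20)[0]
        enc = "utf-16-le" if flags & 0x1 else "latin-1"  # no UNICODE flag means OEM text
        msg.update(target_name=_field(buf, 12).decode(enc),
                   challenge=buf[24:32].hex(), target_info=_field(buf, 40))
    elif mtype == 3:
        flags = struct.unpack_from("<I", buf, 60)[0] if len(buf) >= 64 else 0
        enc = "utf-16-le" if flags & 0x1 else "latin-1"
        lm = _field(buf, 12)
        msg.update(lm_response=lm, nt_response=_field(buf, 20),
                   domain=_field(buf, 28).decode(enc), user=_field(buf, 36).decode(enc),
                   host=_field(buf, 44).decode(enc), session_key=_field(buf, 52),
                   # NTLM2 session response: LM field = 8-byte client nonce + 16 zero bytes
                   ntlm2_session=bool(flags & 0x80000) and lm[8:] == bytes(16))
    else:
        raise ValueError(f"unsupported NTLM message type {mtype}")
    msg["flags"] = flags
    msg["flag_names"] = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return msg

def decode_handshake(log):
    """Parse every NTLM token in the log; a bare 'NTLM' header becomes None."""
    return [parse_ntlm(t) if t else None for t in extract_tokens(log)]

if __name__ == "__main__":
    for i, msg in enumerate(decode_handshake(LOG), 1):
        print(i, "bare NTLM header, the proxy restarted the handshake" if msg is None else
              {k: v for k, v in msg.items() if k not in ("lm_response", "nt_response", "session_key")})
```

Run as-is, it shows what steps 3 to 6 of the quoted explanation look like on the wire: a type-1 with flags 0x00088206 (OEM, REQUEST_TARGET, NTLM, ALWAYS_SIGN, EXTENDED_SESSIONSECURITY); a type-2 with flags 0x00898206, which adds TARGET_TYPE_DOMAIN and TARGET_INFO but carries an empty target name and an empty target info block and offers OEM only, no UNICODE; and a 123-byte type-3 that echoes those flags and carries 24-byte LM and NT responses in the NTLM2 session form (an 8-byte client nonce followed by 16 zero bytes), no domain, a 5-byte OEM user name and a 6-byte host name. So a complete type-3 was built and sent, and the fourth header is the bare Proxy-Authenticate: NTLM with which the proxy restarts the handshake after rejecting it. The padding repair and the continuation-line join are there because a wrapped token is the usual reason a token copied from a log fails to decode at all; note that any line made only of base64 characters directly under an NTLM header is treated as a continuation, so feed the script the header block rather than a whole log that may contain bare words on their own lines.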