
curl-library

RE: Question: authentication fallback from kerb to ntlm

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Sat, 27 Sep 2014 20:52:37 +0100

On Sat 27 Sep 2014, Koren Shoval wrote:

> I'm attempting to use libcurl to connect to a web server that supports
> both, but some clients can't do kerberos.

When you say some clients can't do Kerberos, what do you mean and what limitation do you have that is preventing this from being used? Is it a limitation that means libcurl can't or shouldn't use Kerberos?

> I'm setting CURLOPT_HTTPAUTH to CURLAUTH_GSSNEGOTIATE |
> CURLAUTH_NTLM

a) What version of libcurl are you using? From the output it looks like a version prior to 7.38.0 - if this is the case you might want to ignore my questions before and including this section and jump to my comments about upgrading ;-)
b) What platform are you using? Windows, Linux, etc...
c) If you are using Windows are you using a version of libcurl that was compiled against Windows SSPI or one that was compiled with a GSS-API library (such as MIT Kerberos or Heimdal)?

> Should libcurl fallback to NTLM?

No...

Unfortunately I'm not one of our HTTP experts so I could be wrong here but I'll try and answer the question with my curl authentication hat on and some limited HTTP knowledge ;-)

My understanding is that the Negotiate (SPNEGO) authentication mechanism will try to perform Kerberos and then fall back to NTLM as part of its communication with the server if Kerberos fails. As such you will only see "WWW-Authorization: Negotiate" and "WWW-Authenticate: Negotiate" headers from the client and server respectively rather than a combination of the previous and "WWW-Authorization: NTLM" and "WWW-Authenticate: NTLM".

As such libcurl doesn't need to do the fallback, per se, as the SPNEGO communication will handle it for us ;-)

> Am I doing something else wrong?

We fixed a number of issues in 7.38.0 relating to Negotiate with the main ones being:

* We weren't using the correct SPNEGO OID when compiled with a GSS-API library
* The fallback to NTLM wasn't performed if Kerberos failed
* Deprecated CURLAUTH_GSSNEGOTIATE and introduced CURLAUTH_NEGOTIATE

As such, I would recommend you:

* Upgrade to 7.38.0
* Use CURLAUTH_NEGOTIATE instead of CURLAUTH_GSSNEGOTIATE | CURLAUTH_NTLM

Kind Regards

Steve
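As an added illustration (not part of Steve's reply or of curl's own code), the POSIX shell script below answers questions a) and c) from `curl --version` output, which reports the same libcurl version and feature bits a program sees through curl_version_info(), and prints the recommendation given above. The function names and the two sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example (not curl project code): read `curl --version` text and report
# the libcurl version, whether the build has SPNEGO (Negotiate) support, and
# whether it is a Windows SSPI or a GSS-API (MIT Kerberos/Heimdal) build.
# The text is passed as an argument so constructed samples work offline.

# libcurl version token from the first line, e.g. "libcurl/7.38.0" -> "7.38.0"
libcurl_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { for (i = 1; i <= NF; i++)
        if ($i ~ /^libcurl\//) { sub(/^libcurl\//, "", $i); print $i; exit } }'
}
# Encode "major.minor.patch" like LIBCURL_VERSION_NUM (7.38.0 -> 0x072600 = 468480).
version_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 65536 + $2 * 256 + $3 }'
}
# True when the word appears on the "Features:" line.
has_feature() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == "Features:" { for (i = 2; i <= NF; i++)
        if ($i == f) found = 1 } END { exit !found }'
}
# Which Negotiate backend the build was compiled against (question c).
auth_backend() {
    if has_feature "$1" SSPI; then echo SSPI
    elif has_feature "$1" GSS-API; then echo GSS-API
    else echo none; fi
}
# The reply's advice: upgrade below 7.38.0; otherwise use --negotiate
# (CURLAUTH_NEGOTIATE) alone and let SPNEGO do the Kerberos -> NTLM fallback.
negotiate_advice() {
    num=$(version_num "$(libcurl_version "$1")")
    if [ "${num:-0}" -lt 468480 ]; then echo upgrade
    elif ! has_feature "$1" SPNEGO; then echo no-spnego
    else echo negotiate; fi
}
# Constructed sample outputs (not captured from real systems).
SAMPLE_OLD='curl 7.37.1 (x86_64-pc-linux-gnu) libcurl/7.37.1 OpenSSL/1.0.1 zlib/1.2.8
Protocols: http https
Features: IPv6 Largefile NTLM SSL libz GSS-Negotiate'
SAMPLE_NEW='curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1 zlib/1.2.8
Protocols: http https
Features: IPv6 Largefile NTLM SSL libz GSS-API SPNEGO'
# `./check.sh --local` inspects the curl binary actually installed.
if [ "${1:-}" = "--local" ]; then
    out=$(curl --version 2>/dev/null) || { echo "curl not found" >&2; exit 1; }
    printf 'libcurl %s, backend %s: %s\n' "$(libcurl_version "$out")" \
        "$(auth_backend "$out")" "$(negotiate_advice "$out")"
fi
```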

Received on 2014-09-27