WebClient with proxy NTLM authentication

WebClient with proxy NTLM authentication

Denis Kudriashov
Does WebClient support proxy NTLM authentication?

If not, can you advise me how to implement it?



Re: WebClient with proxy NTLM authentication

Andreas.Raab
On 9/16/2010 5:43 AM, Denis Kudriashov wrote:
> Does WebClient support proxy NTLM authentication?

It doesn't.

> If not, can you advise me how to implement it?

You have basically two options:
1) Implement it from scratch. There are a number of resources that
describe NTLM in detail (basically reverse-engineered since there's no
official documentation), for example:

        http://www.innovation.ch/personal/ronald/ntlm.html

2) Implement it via a plugin using the Microsoft SSP interface. Your
starting point would be here:

        http://msdn.microsoft.com/en-us/library/aa375512%28VS.85%29.aspx

FWIW, we went for option #2 in our products; the authentication part is
tricky (lots of details) but straightforward in principle (i.e., you
basically call InitializeSecurityContext twice and are done).

Cheers,
   - Andreas


Re: WebClient with proxy NTLM authentication

Denis Kudriashov
Thank you, Andreas, for the response.

I really prefer option 1). I hate C stuff.
I examined the VW code for NTLM and it's not really difficult.

And maybe I can use CurlPlugin for that. It would be a simpler solution for me.


Re: WebClient with proxy NTLM authentication

Andreas.Raab
On 9/16/2010 12:03 PM, Denis Kudriashov wrote:
> Thank you, Andreas, for the response.
>
> I really prefer option 1). I hate C stuff.
> I examined the VW code for NTLM and it's not really difficult.

Could be. My reason to go with option 2) was that doing it this way gets
you Kerberos authentication (Negotiate/SPNEGO) for free, which was a
customer requirement for our deployments.

Cheers,
   - Andreas


Re: WebClient with proxy NTLM authentication

Andreas.Raab
In reply to this post by Denis Kudriashov
Hi Denis -

I gave it a quick shot and found that the interface is pretty trivial to
implement via FFI. As a consequence I've added a WebClientSSP which
provides support for NTLM authentication via Microsoft SSP through an
FFI interface. To install it you need:

1) The (latest version of) the FFI:

(Installer repository: 'http://source.squeak.org/FFI')
        install: 'FFI-Pools';
        install: 'FFI-Kernel';
        install: 'FFI-Tests'.

2) The WebClient-SSP package:

(Installer repository: 'http://squeaksource.com/WebClient')
        install: 'WebClient-SSP'.

Once installed you should be able to use WebClientSSP with NTLM auth for
both proxy and regular authentication. Do note that I might change the
implementation entirely; I've added WebClientSSP as a subclass so that
it can be loaded and unloaded easily and doesn't affect the core
implementation of WebClient.

WARNING: I have only tested this very rudimentarily. In *theory*
WebClientSSP should support NTLM and Kerberos authentication with full
SSO (i.e., if you're attached to a domain you should be able to
authenticate without ever being asked for credentials) but I don't have
the ability to test this from home so my only test was against
sharepointspace.com which provides NTLM auth only. In other words
there's a lot of stuff that hasn't been tested yet, including NTLM proxy
auth, any kind of Negotiate/SPNEGO auth, SSO etc. In short, your mileage
may vary greatly but testing and feedback are obviously welcome.

Cheers,
   - Andreas


Re: WebClient with proxy NTLM authentication

Denis Kudriashov
Hello, Andreas.

Sorry for late response.

For me, NTLM proxy authorization does not work. I tried this code:

(WebClientSSP new)
    proxyUser: 'GONDOR\dkudryashov';
    proxyPass: '111';
    httpGet: 'http://www.google.com'.

My proxy server is squid/2.6.STABLE21.

After the authorization request the response is still 407.

Besides, after the failed authorization WebClient tries basic authorization and asks me for a user and password. Maybe that's wrong behavior too.


Anyway, thank you for your very fast help. I was really surprised :))


Re: WebClient with proxy NTLM authentication

Andreas.Raab
Hi Denis -

Like I said, it was little tested :-) If you're interested in helping me
debug this issue, could you do the following:
* Enable the debugLog (i.e., "WebClient debugLog: Transcript")
* Shoot off the request
* Email me the transcript output
Do note that the output may contain sensitive information (i.e., don't
try this with your real credentials) but if you could send me the result
it should help me find out what's going wrong.

Cheers,
   - Andreas


Re: WebClient with proxy NTLM authentication

Denis Kudriashov
Ok, I will do this tomorrow.


Re: WebClient with proxy NTLM authentication

Denis Kudriashov
Hello, I am sending you the log.

Request:

(WebClientSSP new)
    debugLog: Transcript;
    proxyUser: 'GONDOR\mmuhin';
    proxyPass: '111';
    httpGet: 'http://www.google.com/'.

Log:

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Tue, 21 Sep 2010 08:57:44 GMT
content-type: text/html
content-length: 1289
expires: Tue, 21 Sep 2010 08:57:44 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Tue, 21 Sep 2010 08:57:44 GMT
content-type: text/html
content-length: 1289
expires: Tue, 21 Sep 2010 08:57:44 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close


After that I was asked for a login and password (by UI dialogs) and got this response:

WebResponse(HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Tue, 21 Sep 2010 08:57:44 GMT
content-type: text/html
content-length: 1289
expires: Tue, 21 Sep 2010 08:57:44 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close

)



Re: WebClient with proxy NTLM authentication

Andreas.Raab
On 9/21/2010 2:28 AM, Denis Kudriashov wrote:
> Hello, I send you log.

Thanks.

<... snip ...>

> GET http://www.google.com/ HTTP/1.1
> User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
> Host: www.google.com
> Proxy-Authorization: NTLM
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>
> HTTP/1.0 407 Proxy Authentication Required
> server: squid/2.6.STABLE21
> date: Tue, 21 Sep 2010 08:57:44 GMT
> content-type: text/html
> content-length: 1289
> expires: Tue, 21 Sep 2010 08:57:44 GMT
> x-squid-error: ERR_CACHE_ACCESS_DENIED 0
> x-cache: MISS from cache.gondor.fors
> x-cache-lookup: NONE from cache.gondor.fors:3128
> via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
> proxy-connection: close

This is weird. Squid responds as if the client had absolutely no proxy
authentication header sent. I.e., it doesn't even respond with the
challenge to the NTLM auth header although it lists NTLM as
authentication scheme. Are you certain that NTLM is set up properly? If
you are, can you check the squid log files to see if they say anything
"interesting" (i.e., perhaps there's something wrong about the request
but I don't see what that would be).

Cheers,
   - Andreas


Re: WebClient with proxy NTLM authentication

Andreas.Raab
Hi Denis -

FWIW, it seems that Squid has (yet again) a few particularities in its
handling of client connections. Apparently, it will not accept NTLM
authentication unless a Proxy-Connection header is present (it should
really take the hint from the HTTP/1.1 header but whatever...).

In any case, with the latest updates to WebClient-Core and WebClient-SSP
I have been able to use squid w/ NTLM proxy authentication successfully.
Give it a try.

Cheers,
   - Andreas


Re: WebClient with proxy NTLM authentication

Denis Kudriashov
Hello, Andreas.

The new versions do not work for me either. I am sending you the logs.

(WebClientSSP new)
    debugLog: Transcript;
    proxyUser: 'GONDOR\mmuhin';
    proxyPass: '111';
    httpGet: 'http://www.google.com/'.


GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Connection: keep-alive

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Fri, 24 Sep 2010 11:53:32 GMT
content-type: text/html
content-length: 1289
expires: Fri, 24 Sep 2010 11:53:32 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Fri, 24 Sep 2010 11:53:32 GMT
content-type: text/html
content-length: 1289
expires: Fri, 24 Sep 2010 11:53:32 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAAFgomicUzumBUHieUAAAAAAAAAAGIAYgA8AAAARwBPAE4ARABPAFIAAgAMAEcATwBOAEQATwBSAAEACgBDAEEAQwBIAEUABAAWAGcAbwBuAGQAbwByAC4AZgBvAHIAcwADACIAYwBhAGMAaABlAC4AZwBvAG4AZABvAHIALgBmAG8AcgBzAAAAAAA=
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: keep-alive

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABIAAAADAAMAFQAAAAKAAoAYAAAAAAAAACaAAAABYKIogUBKAoAAAAPRwBPAE4ARABPAFIAbQBtAHUAaABpAG4ATQBVAEgASQBOAOiy90rHw+exAAAAAAAAAAAAAAAAAAAAAHi//hvGv5UhEv6kKpIziFD4YaIrdLL6IA==

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Fri, 24 Sep 2010 11:53:32 GMT
content-type: text/html
content-length: 1289
expires: Fri, 24 Sep 2010 11:53:32 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close


Empty token (invalid credentials)


Right now I can't get logs from the proxy server.

Best regards,
Denis

