Does WebClient support proxy NTLM authentication?
If not, can you advise me how to implement it?

On 9/16/2010 5:43 AM, Denis Kudriashov wrote:
> Does WebClient support proxy NTLM authentication?

It doesn't.

> If not, can you advise me how to implement it?

You have basically two options:

1) Implement it from scratch. There are a number of resources that describe NTLM in detail (basically reverse-engineered since there's no official documentation), for example:

http://www.innovation.ch/personal/ronald/ntlm.html

2) Implement it via a plugin using the Microsoft SSP interface. Your starting point would be here:

http://msdn.microsoft.com/en-us/library/aa375512%28VS.85%29.aspx

FWIW, we went for option #2 in our products; the authentication part is tricky (lots of details) but straightforward in principle (i.e., you basically call InitializeSecurityContext twice and are done).

Cheers,
  - Andreas

Thank you, Andreas, for the response.

I really prefer option 1). I hate C stuff.
I examined the VW code for NTLM and it's not really difficult.

And maybe I can use CurlPlugin for that. It will be a simpler solution for me.

2010/9/16 Andreas Raab <[hidden email]>

On 9/16/2010 12:03 PM, Denis Kudriashov wrote:
> Thank you, Andreas, for the response.
>
> I really prefer option 1). I hate C stuff.
> I examined the VW code for NTLM and it's not really difficult.

Could be. My reason to go with option 2) was that doing it this way gets you Kerberos authentication (Negotiate/SPNEGO) for free, which was a customer requirement for our deployments.

Cheers,
  - Andreas

>
> And maybe I can use CurlPlugin for that. It will be a simpler
> solution for me.
>
> 2010/9/16 Andreas Raab <[hidden email] <mailto:[hidden email]>>
>
> > On 9/16/2010 5:43 AM, Denis Kudriashov wrote:
> >
> > > Does WebClient support proxy NTLM authentication?
> >
> > It doesn't.
> >
> > > If not, can you advise me how to implement it?
> >
> > You have basically two options:
> > 1) Implement it from scratch. There are a number of resources that
> > describe NTLM in detail (basically reverse-engineered since there's
> > no official documentation), for example:
> >
> > http://www.innovation.ch/personal/ronald/ntlm.html
> >
> > 2) Implement it via a plugin using the Microsoft SSP interface. Your
> > starting point would be here:
> >
> > http://msdn.microsoft.com/en-us/library/aa375512%28VS.85%29.aspx
> >
> > FWIW, we went for option #2 in our products; the authentication part
> > is tricky (lots of details) but straightforward in principle (i.e.,
> > you basically call InitializeSecurityContext twice and are done).
> >
> > Cheers,
> > - Andreas

In reply to this post by Denis Kudriashov
Hi Denis -
I gave it a quick shot and found that the interface is pretty trivial to implement via FFI. As a consequence I've added a WebClientSSP which provides support for NTLM authentication via Microsoft SSP through an FFI interface. To install it you need:

1) The (latest version of the) FFI:

    (Installer repository: 'http://source.squeak.org/FFI')
        install: 'FFI-Pools';
        install: 'FFI-Kernel';
        install: 'FFI-Tests'.

2) The WebClient-SSP package:

    (Installer repository: 'http://squeaksource.com/WebClient')
        install: 'WebClient-SSP'.

Once installed you should be able to use WebClientSSP with NTLM auth for both proxy and regular authentication. Do note that I might change the implementation entirely; I've added WebClientSSP as a subclass so that it can be loaded and unloaded easily and doesn't affect the core implementation of WebClient.

WARNING: I have only tested this in a very rudimentary way. In *theory* WebClientSSP should support NTLM and Kerberos authentication with full SSO (i.e., if you're attached to a domain you should be able to authenticate without ever being asked for credentials) but I don't have the ability to test this from home so my only test was against sharepointspace.com which provides NTLM auth only.

In other words there's a lot of stuff that hasn't been tested yet, including NTLM proxy auth, any kind of Negotiate/SPNEGO auth, SSO etc. In short, your mileage may vary greatly but testing and feedback are obviously welcome.

Cheers,
  - Andreas

On 9/16/2010 12:03 PM, Denis Kudriashov wrote:
> Thank you, Andreas, for the response.
>
> I really prefer option 1). I hate C stuff.
> I examined the VW code for NTLM and it's not really difficult.
>
> And maybe I can use CurlPlugin for that. It will be a simpler
> solution for me.
>
> 2010/9/16 Andreas Raab <[hidden email] <mailto:[hidden email]>>
>
> > On 9/16/2010 5:43 AM, Denis Kudriashov wrote:
> >
> > > Does WebClient support proxy NTLM authentication?
> >
> > It doesn't.
> >
> > > If not, can you advise me how to implement it?
> >
> > You have basically two options:
> > 1) Implement it from scratch. There are a number of resources that
> > describe NTLM in detail (basically reverse-engineered since there's
> > no official documentation), for example:
> >
> > http://www.innovation.ch/personal/ronald/ntlm.html
> >
> > 2) Implement it via a plugin using the Microsoft SSP interface. Your
> > starting point would be here:
> >
> > http://msdn.microsoft.com/en-us/library/aa375512%28VS.85%29.aspx
> >
> > FWIW, we went for option #2 in our products; the authentication part
> > is tricky (lots of details) but straightforward in principle (i.e.,
> > you basically call InitializeSecurityContext twice and are done).
> >
> > Cheers,
> > - Andreas

Hello, Andreas.
Sorry for the late response.

For me NTLM proxy authorization does not work. I tried this code:

    (WebClientSSP new)
        proxyUser: 'GONDOR\dkudryashov';
        proxyPass: '111';
        httpGet: 'http://www.google.com'.

My proxy server is squid/2.6.STABLE21.

After the authorization request the response stays 407.

Besides, after the failed authorization WebClient tries basic authorization and asks me for user and password. Maybe that's wrong behavior too.

Anyway, thank you for your very fast help. I'm really surprised :))

Hi Denis -
Like I said, it was little tested :-) If you're interested in helping me debug this issue, could you do the following:

* Enable the debugLog (i.e., "WebClient debugLog: Transcript")
* Shoot off the request
* Email me the transcript output

Do note that the output may contain sensitive information (i.e., don't try this with your real credentials) but if you could send me the result it should help me find out what's going wrong.

Cheers,
  - Andreas

On 9/20/2010 6:48 AM, Denis Kudriashov wrote:
> Hello, Andreas.
>
> Sorry for the late response.
>
> For me NTLM proxy authorization does not work. I tried this code:
>
> (WebClientSSP new)
> proxyUser: 'GONDOR\dkudryashov';
> proxyPass: '111';
> httpGet: 'http://www.google.com'.
>
> My proxy server is squid/2.6.STABLE21.
>
> After the authorization request the response stays 407.
>
> Besides, after the failed authorization WebClient tries basic authorization and
> asks me for user and password. Maybe that's wrong behavior too.
>
> Anyway, thank you for your very fast help. I'm really surprised :))
>
> 2010/9/17 Andreas Raab <[hidden email] <mailto:[hidden email]>>
>
> > Microsoft SSP

OK, I'll do this tomorrow.

On 20 September 2010 at 20:02:39 UTC+4, Andreas Raab <[hidden email]> wrote:
> Hi Denis -

Hello, I'm sending you the log.

Request:

    (WebClientSSP new)
        debugLog: Transcript;
        proxyUser: 'GONDOR\mmuhin';
        proxyPass: '111';
        httpGet: 'http://www.google.com/'.

Log:

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Tue, 21 Sep 2010 08:57:44 GMT
content-type: text/html
content-length: 1289
expires: Tue, 21 Sep 2010 08:57:44 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Tue, 21 Sep 2010 08:57:44 GMT
content-type: text/html
content-length: 1289
expires: Tue, 21 Sep 2010 08:57:44 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close

After that I was asked for login and password (by UI dialogs) and got this response:

WebResponse(HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Tue, 21 Sep 2010 08:57:44 GMT
content-type: text/html
content-length: 1289
expires: Tue, 21 Sep 2010 08:57:44 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close
)

On 20 September 2010 at 21:06, Denis Kudriashov <[hidden email]> wrote:
> OK, I'll do this tomorrow.

On 9/21/2010 2:28 AM, Denis Kudriashov wrote:
> Hello, I'm sending you the log.

Thanks.

<... snip ...>
> GET http://www.google.com/ HTTP/1.1
> User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
> Host: www.google.com
> Proxy-Authorization: NTLM
> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>
> HTTP/1.0 407 Proxy Authentication Required
> server: squid/2.6.STABLE21
> date: Tue, 21 Sep 2010 08:57:44 GMT
> content-type: text/html
> content-length: 1289
> expires: Tue, 21 Sep 2010 08:57:44 GMT
> x-squid-error: ERR_CACHE_ACCESS_DENIED 0
> x-cache: MISS from cache.gondor.fors
> x-cache-lookup: NONE from cache.gondor.fors:3128
> via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
> proxy-connection: close

This is weird. Squid responds as if the client had absolutely no proxy authentication header sent. I.e., it doesn't even respond with the challenge to the NTLM auth header although it lists NTLM as authentication scheme. Are you certain that NTLM is set up properly? If you are, can you check the squid log files to see if they say anything "interesting" (i.e., perhaps there's something wrong about the request but I don't see what that would be).

Cheers,
  - Andreas

Hi Denis -
FWIW, it seems that Squid has (yet again) a few particularities in its handling of client connections. Apparently, it will not accept NTLM authentication unless a Proxy-Connection header is present (it should really take the hint from the HTTP/1.1 header but whatever...)

In any case, with the latest updates to WebClient-Core and WebClient-SSP I have been able to use squid w/ NTLM proxy authentication successfully. Give it a try.

Cheers,
  - Andreas

On 9/21/2010 9:39 AM, Andreas Raab wrote:
> On 9/21/2010 2:28 AM, Denis Kudriashov wrote:
>> Hello, I'm sending you the log.
>
> Thanks.
>
> <... snip ...>
>> GET http://www.google.com/ HTTP/1.1
>> User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
>> Host: www.google.com
>> Proxy-Authorization: NTLM
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
>>
>> HTTP/1.0 407 Proxy Authentication Required
>> server: squid/2.6.STABLE21
>> date: Tue, 21 Sep 2010 08:57:44 GMT
>> content-type: text/html
>> content-length: 1289
>> expires: Tue, 21 Sep 2010 08:57:44 GMT
>> x-squid-error: ERR_CACHE_ACCESS_DENIED 0
>> x-cache: MISS from cache.gondor.fors
>> x-cache-lookup: NONE from cache.gondor.fors:3128
>> via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
>> proxy-connection: close
>
> This is weird. Squid responds as if the client had absolutely no proxy
> authentication header sent. I.e., it doesn't even respond with the
> challenge to the NTLM auth header although it lists NTLM as
> authentication scheme. Are you certain that NTLM is set up properly? If
> you are, can you check the squid log files to see if they say anything
> "interesting" (i.e., perhaps there's something wrong about the request
> but I don't see what that would be).
>
> Cheers,
> - Andreas

Hello, Andreas.
The new versions do not work for me either. I'm sending you the logs:

    (WebClientSSP new)
        debugLog: Transcript;
        proxyUser: 'GONDOR\mmuhin';
        proxyPass: '111';
        httpGet: 'http://www.google.com/'.

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Connection: keep-alive

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Fri, 24 Sep 2010 11:53:32 GMT
content-type: text/html
content-length: 1289
expires: Fri, 24 Sep 2010 11:53:32 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Fri, 24 Sep 2010 11:53:32 GMT
content-type: text/html
content-length: 1289
expires: Fri, 24 Sep 2010 11:53:32 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM TlRMTVNTUAACAAAADAAMADAAAAAFgomicUzumBUHieUAAAAAAAAAAGIAYgA8AAAARwBPAE4ARABPAFIAAgAMAEcATwBOAEQATwBSAAEACgBDAEEAQwBIAEUABAAWAGcAbwBuAGQAbwByAC4AZgBvAHIAcwADACIAYwBhAGMAaABlAC4AZwBvAG4AZABvAHIALgBmAG8AcgBzAAAAAAA=
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: keep-alive

GET http://www.google.com/ HTTP/1.1
User-Agent: WebClient/1.4 (; Squeak4.1-9957; Win32)
Host: www.google.com
Proxy-Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGoAAAAYABgAggAAAAwADABIAAAADAAMAFQAAAAKAAoAYAAAAAAAAACaAAAABYKIogUBKAoAAAAPRwBPAE4ARABPAFIAbQBtAHUAaABpAG4ATQBVAEgASQBOAOiy90rHw+exAAAAAAAAAAAAAAAAAAAAAHi//hvGv5UhEv6kKpIziFD4YaIrdLL6IA==

HTTP/1.0 407 Proxy Authentication Required
server: squid/2.6.STABLE21
date: Fri, 24 Sep 2010 11:53:32 GMT
content-type: text/html
content-length: 1289
expires: Fri, 24 Sep 2010 11:53:32 GMT
x-squid-error: ERR_CACHE_ACCESS_DENIED 0
proxy-authenticate: NTLM
x-cache: MISS from cache.gondor.fors
x-cache-lookup: NONE from cache.gondor.fors:3128
via: 1.0 cache.gondor.fors:3128 (squid/2.6.STABLE21)
proxy-connection: close

Empty token (invalid credentials)

Now I can't get logs from the proxy server.

Best regards,
Denis

On 24 September 2010 at 5:58, Andreas Raab <[hidden email]> wrote:
> Hi Denis -

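Andreas notes above that the debugLog output may contain sensitive information, and the logs posted in this thread carry the Base64 NTLM tokens in full. As an added example (not part of the thread or of WebClient), the following Python script replaces every NTLM token in such a log with its message type, flags and names before the log is shared; `summarize` and `redact` are hypothetical names, and the field offsets assume the commonly documented NTLM message layout.

```python
import base64
import re
import struct

SIGNATURE = b"NTLMSSP\x00"
# message type -> (offset of the flags word, [(label, offset of security buffer)])
LAYOUT = {
    1: (12, []),
    2: (20, [("target", 12)]),
    3: (60, [("domain", 28), ("user", 36), ("workstation", 44)]),
}
# Base64 of a message that starts with "NTLMSSP\0" always begins "TlRMTVNTUA".
TOKEN_RE = re.compile(r"\b(NTLM|Negotiate)[ \t]+(TlRMTVNTUA[A-Za-z0-9+/]*={0,2})")

def summarize(token):
    """Return type, flags and names of a token; never challenge or response bytes."""
    try:
        msg = base64.b64decode(token, validate=True)
    except ValueError:
        return "undecodable"
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        return "not-ntlmssp"
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in LAYOUT or len(msg) < LAYOUT[mtype][0] + 4:
        return "type=%d unparsed" % mtype
    flags_at, fields = LAYOUT[mtype]
    flags = struct.unpack_from("<I", msg, flags_at)[0]
    enc = "utf-16-le" if flags & 0x1 else "cp437"  # bit 0 = NEGOTIATE_UNICODE
    parts = ["type=%d" % mtype, "flags=0x%08X" % flags]
    for label, pos in fields:
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        # Out-of-range offsets yield an empty slice instead of raising.
        text = msg[offset:offset + length].decode(enc, "replace")
        parts.append("%s=%s" % (label, text))
    return " ".join(parts)

def redact(log_text):
    """Replace each NTLM token in a debug log with its summary."""
    return TOKEN_RE.sub(
        lambda m: "%s <redacted %s>" % (m.group(1), summarize(m.group(2))), log_text)

# Constructed sample: request lines as in the thread, with its Type 1 token
# (the run of zero padding is written as a repeat to keep the line short).
TYPE1 = "TlRMTVNTUAABAAAAB4IIogAA" + "A" * 16 + "AAAFASgKAAAADw=="
SAMPLE_LOG = ("GET http://www.google.com/ HTTP/1.1\n"
              "Proxy-Connection: keep-alive\n"
              "Proxy-Authorization: NTLM " + TYPE1 + "\n")

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
```

The summary keeps the domain, user and workstation names because they are what a helper needs to debug a failed handshake; drop those labels from `LAYOUT` if the names themselves must not leave the site.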