Hi Steve,
sorry I am replying to a digest, I hope the email get threaded correctly.
Your explanation of the problem fits nicely with what I experienced.
I am going to ask to the sysadmin of the customer to remove/reorder the
proxy authentication protocols.
However it is unlikely to happen.
I quite do not get your second suggestion: I am currently using
PROXY-ANYAUTH because the software goes to different customers and I
cannot guess the right order of proxy for each customer.
- Is there a way to tell Libcurl which is the order of the
authentication to use?
- Or maybe to test all the authentication before failing? Testing all of:
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Thanks,
Matteo
Il 30/03/2012 12:00, [email protected] ha scritto:
Message: 3
Date: Fri, 30 Mar 2012 09:51:49 +0100
From: Steve Holme<[email protected]>
To: "'libcurl development'"<[email protected]>
Subject: RE: Failure with --proxy-anyauth on NTLM
Message-ID:<[email protected]>
Content-Type: text/plain; charset="us-ascii"
Hi Matteo,
These are the results of the tests (I have no access to the
ISA-server-Proxy).
1. curl.exe --proxy-ntlm --proxy 192.168.0.110:3128 --proxy-user
user:pass www.google.com It works fine if --proxy-ntlm
<http://curl.haxx.se/docs/manpage.html#--proxy-ntlm> is
specified.
2. curl.exe --proxy-anyauth --proxy 192.168.0.110:3128 --proxy-user
user:pass www.google.com It fails.
3. curl.exe --proxy-anyauth --proxy-negotiate --proxy
192.168.0.110:3128 --proxy-user user:pass www.google.com It
fails.
I'm not too familiar with proxy servers from a curl prospective so someone
else might be able to answer your query better than me, but I do know how
the SMTP authentication works in curl so I have just delved into the
http_proxy stuff out of curiosity and some of the following may be useful to
you...
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires
authorization to fulfill the request. Access to the Web P roxy filter is
denied. )
Via: 1.1 NAS
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
I believe this is where the problem lies...
The server has told curl that it supports GSS Negotiate, Kerberos and NTLM
in that order so curl with CURLAUTH_ANY set has tried to authenticate with
GSS first as that was first in the list. This is then failing because, and
I'm guessing here, your customer has a problem authenticating with GSS - as
indicated by test #3 also failing.
I would try and get the customer to fix up GSS - If they don't want to
support GSS can they turn it off so that the server only advertises NTLM for
example?
If they can't turn it off in ISA Server or don't want to, does your
application have a configuration file (or registry setting if it is Windows
based) where you could specify the preferred authentication mechanism as
NTLM?
I hope this helps a little
Kind Regards
Steve
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
