Steve,

> Just out of interest have you tried a non-SSPI build?

In the meantime I generated a non-SSPI version of my application and one user tested it, again without success.

> What return code do you get back from libcurl?

The return code is always CURLE_OK, that is, no error. However, the HTTP response code continues to be 407.

> The reason I ask is, from the log at least, it looks like the decoding
> of the NTLM type-2 message and creation of the NTLM type-3 message
> fails. I would be very intrigued to know if that is the case or not.

I see an additional informal message from libcurl, namely

Text: NTLM handshake rejected
Text: Authentication problem. Ignoring this.

(Complete log below).

> Basically the following happens:
>
> 1) Your Proxy Server is advertising that it supports both NTLM and Basic
> authentication.
> 2) Libcurl chooses NTLM as it is more secure than Basic - unless you tell
> libcurl differently.
> 3) Libcurl will then send a Proxy-Authorization containing the chosen
> mechanism and NTLM type-1 message which has been created by the Windows SSPI
> functions and Base-64 encoded by libcurl
> 4) The Proxy Server receives that, decodes it, processes it and responds with
> another 407 containing an NTLM type-2 message if all is good.
> 5) Libcurl receives the 407, decodes the Base-64 encoded message and passes
> it to the SSPI functions to process and generate an NTLM type-3 message.
> 6) Libcurl then encodes the type-3 and sends it to the server in another
> request via the Proxy-Authorization header.
>
> My guess is something is going wrong in either step 5 or 6 as the type-3 is
> not being sent.

It seems that the Proxy-Authorization header is sent. However, the proxy server doesn't seem to accept it.

Regards,
Ulrich

>>> New log begin <<<
Text: Rebuilt URL to: http://xyz.com/
Text: Hostname was NOT found in DNS cache
Text: Trying 11.22.33.44...
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Header out: GET http://xyz.com/ HTTP/1.1
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive
Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2634
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="WebAD"
Text: Ignoring the response-body
Data in: <!DOCTYPE html> ... </html>
Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x29c3748
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Text: Proxy auth using NTLM with user 'ABCDE'
Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive
Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2634
Header in: Proxy-Connection: Keep-Alive
Header in: Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAAAAAAAAGgokAY/FHGP+4pKIAAAAAAAAAA AAAAAAAAAAA
Text: Ignoring the response-body
Data in: <!DOCTYPE html> ... </html>
Text: Connection #0 to host 11.22.33.44 left intact
Text: Issue another request to this URL: 'http://xyz.com/'
Text: Found bundle for host xyz.com: 0x29c3748
Text: Re-using existing connection! (#0) with host 11.22.33.44
Text: Connected to 11.22.33.44 (11.22.33.44) port 9090 (#0)
Text: Proxy auth using NTLM with user 'ABCDE'
Header out: GET http://xyz.com/ HTTP/1.1
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAABQ AFAHAAAAAGAAYAdQAAAAAAAAAAAAAABoKJACjrUgzovGvZAAAAAAA AAAAAAAAAAAAAAH8aPq9LDPKDglDlt4O+6kw69fgaLSTJNkxYSlFVU0cx NVlS
Host: xyz.com
Accept: */*
Proxy-Connection: Keep-Alive
Header in: HTTP/1.1 407 authenticationrequired
Header in: Content-Type: text/html
Header in: Cache-Control: no-cache
Header in: Content-Length: 2639
Header in: Proxy-Connection: Keep-Alive
Text: NTLM handshake rejected
Text: Authentication problem. Ignoring this.
Header in: Proxy-Authenticate: NTLM
Header in: Proxy-Authenticate: Basic realm="WebAD"
Data in: <!DOCTYPE html> ... </html>
Text: Connection #0 to host 11.22.33.44 left intact
- cURL Msg short: No error
- cURL Msg detail:
>>> New log end <<<

--
Private e-mail: [email protected]
World Wide Web: http://www.telle-online.de
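When a proxy rejects the type-3 message as in the log above, it helps to decode what each NTLM header actually carries (message type, negotiate flags, user and workstation fields, response length). The following decoder is an added example, not code from this thread or from libcurl; `parse_ntlm` and `build_type3` are hypothetical names, the sample message is constructed, and the OEM code page is assumed to be Latin-1.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
# Subset of NTLMSSP negotiate flags (names per MS-NLMP).
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM",
         0x8000: "ALWAYS_SIGN", 0x80000: "EXTENDED_SESSIONSECURITY",
         0x800000: "TARGET_INFO", 0x20000000: "128", 0x80000000: "56"}
LAYOUT = {1: (12, 16), 2: (20, 32), 3: (60, 64)}  # type -> (flags offset, minimum length)

def _buf(msg, off):
    """Return the payload of the security buffer (len, maxlen, offset) at off."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points past end of message")
    return msg[offset:offset + length]

def parse_ntlm(header_value):
    """Decode the value of a Proxy-Authenticate / Proxy-Authorization header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("no NTLM message in header")
    msg = base64.b64decode("".join(blob.split()), validate=True)  # undo line folding
    if msg[:8] != SIG or len(msg) < 12:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in LAYOUT or len(msg) < LAYOUT[mtype][1]:
        raise ValueError("unknown message type or truncated message")
    flags = struct.unpack_from("<I", msg, LAYOUT[mtype][0])[0]
    out = {"type": mtype, "flags": sorted(n for b, n in FLAGS.items() if flags & b)}
    if mtype == 2:
        out["challenge"] = msg[24:32].hex()
    elif mtype == 3:
        enc = "utf-16-le" if flags & 0x1 else "latin-1"  # OEM code page assumed Latin-1
        nt = _buf(msg, 20)
        out["domain"], out["user"], out["workstation"] = (_buf(msg, o).decode(enc) for o in (28, 36, 44))
        # A 24-byte NT response is NTLM or NTLM2 session; a longer one is NTLMv2.
        out["response"] = "none" if not nt else "ntlm/ntlm2-session" if len(nt) == 24 else "ntlmv2"
    return out

def build_type3(user=b"alice", host=b"WKS01", nt_len=24):
    """Constructed sample header (not from the log): OEM strings, zeroed responses."""
    lens = [24, nt_len, 0, len(user), len(host)]  # LM, NT, domain, user, workstation
    offs = [64, 88, 88 + nt_len, 88 + nt_len, 88 + nt_len + len(user)]
    hdr = SIG + struct.pack("<I", 3)
    for n, o in zip(lens, offs):
        hdr += struct.pack("<HHI", n, n, o)
    hdr += bytes(8) + struct.pack("<I", 0x00088206)  # empty session key, then flags
    return "NTLM " + base64.b64encode(hdr + bytes(24 + nt_len) + user + host).decode()
```

Passing the text after `Proxy-Authorization:` or `Proxy-Authenticate:` from a verbose log to `parse_ntlm` shows whether the user, domain and response type the client sent match what the proxy is configured to accept.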
