I've just run into a small bug in NTLM authentication from HttpCli.
There is a possibility that the user enters the username as
In this case HttpCli will send the username and the domain as the
username, which is not working (at least on IIS 6).
The code looks like this:
Result := NtlmGetMessage3('', Hostname, FUsername, FPassword,
where NtlmGetMessage3 is defined as:
function NtlmGetMessage3(const ADomain, AHost, AUser, APassword:
String; AChallenge: TArrayOf8Bytes): String;
This function will generate the last NTLM message containing the
The call, as you can see, sets the domain to an empty string in all cases, but
if the user supplies the usernames in the manner I've mentioned before,
this is not correct.
A fast dirty fix which I made is:
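DomPos := Pos('\', FUsername);
if DomPos <> 0 then begin
    { text before the first backslash is the domain, the rest is the user }
    Dom := Copy(FUsername, 1, DomPos - 1);
    UName := Copy(FUsername, DomPos + 1, Length(FUsername) - DomPos);
end
else begin
    { no backslash: keep the empty domain, as before }
    Dom := '';
    UName := FUsername;
end;
Result := NtlmGetMessage3(Dom, Hostname, UName, FPassword,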
I did this in the HTTP authentication part, not in the proxy.
Can somebody confirm that, in the case of NTLM proxies, it should work the same way?
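Added example, not part of the original post and not ICS code: the third NTLM message carries the domain and the user name in separate fields, so an unsplit name arrives at the server as a user literally named with the backslash in it. The Python below packs and re-reads those fields; the names CORP, alice and WS01 are constructed, the Unicode flag is assumed, and the LM/NT responses are zero-filled placeholders rather than computed values.

```python
import struct

def split_credentials(username):
    """Split at the first backslash; no backslash means an empty domain."""
    domain, sep, user = username.partition("\\")
    return (domain, user) if sep else ("", username)

def build_type3(domain, user, host, lm=b"\0" * 24, nt=b"\0" * 24):
    """Pack an NTLM Type 3 message; lm/nt are placeholders, not real responses."""
    names = [s.encode("utf-16-le") for s in (domain, user, host)]
    fields = [lm, nt] + names + [b""]      # last entry: empty session key
    offset = 64                            # signature + type + 6 buffers + flags
    header = b"NTLMSSP\0" + struct.pack("<I", 3)
    payload = b""
    for data in fields:
        # Security buffer: length, allocated length, offset into the message
        header += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    flags = 0x00000001                     # NTLMSSP_NEGOTIATE_UNICODE (assumed)
    return header + struct.pack("<I", flags) + payload

def read_names(msg):
    """Return (domain, user, host) as a server would read them from the message."""
    names = []
    for pos in (28, 36, 44):               # domain, user, workstation buffers
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        names.append(msg[offset:offset + length].decode("utf-16-le"))
    return tuple(names)

# Constructed sample input, not taken from the post.
raw = "CORP\\alice"
unsplit = read_names(build_type3("", raw, "WS01"))
fixed = read_names(build_type3(*split_credentials(raw), "WS01"))

if __name__ == "__main__":
    print("before fix:", unsplit)
    print("after fix: ", fixed)
```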