Yes I realized that after sending the message. Then I sent the below message, have you received it?:
Let me report more clearly: In the working/direct logs, we have

http://owa.bse-electronic.com/exchange

GET /exchange HTTP/1.1
Host: owa.bse-electronic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive // LOOK!

HTTP/1.x 401 Accès refusé
Server: Microsoft-IIS/5.0
Date: Thu, 13 Mar 2008 15:23:44 GMT
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="owa.bse-electronic.com"
Connection: close //LOOK!
Content-Length: 21
Content-Type: text/html
----------------------------------------------------------
http://owa.bse-electronic.com/exchange

GET /exchange HTTP/1.1
Host: owa.bse-electronic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive //LOOK!
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=

HTTP/1.x 401 Accès refusé
Server: Microsoft-IIS/5.0
Date: Thu, 13 Mar 2008 15:24:11 GMT
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAEAAQADgAAAAFgokCea/nLdPsCJkAAAAAAAAAAGoAagBIAAAABQCTCAAAAA9CAFMARQBfAEUATABFAEMAAgAQAEIAUwBFAF8ARQBMAEUAQwABABIAQgBTAEUAUwBWAE0AWAAwADEABAAQAGIAcwBlAC4AcAByAGkAdgADACQAYgBzAGUAcwB2AG0AeAAwADEALgBiAHMAZQAuAHAAcgBpAHYAAAAAAA==
Content-Length: 21
Content-Type: text/html
//LOOK! No connection header here--IQRP must have added it automatically depending on request header preference of ka
----------------------------------------------------------
http://owa.bse-electronic.com/exchange

GET /exchange HTTP/1.1
Host: owa.bse-electronic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAABAAEABAAAAAEAAQAFAAAAAMAAwAYAAAAAAAAAAAAAAABYIIAGIAcwBlAF8AZQBsAGUAYwBiAGUAcgB0AGgAaQBlAHIARgBTAFQALQBQAEMAdRwORof1/CcAAAAAAAAAAAAAAAAAAAAAttAjYSSpH3rb0l65d4MCP7MW4jcVWTJD

HTTP/1.x 302 Object Moved
Location: http://owa.bse-electronic.com/exchange/
Server: Microsoft-IIS/5.0
Content-Type: text/html
Content-Length: 166
//LOOK! No connection header here--IQRP must have added it automatically depending on request header preference of ka

Now the question is: IF the request has connection: ka and the response has
no connection: header line, should ICS assume it as ka or close? This may be
a stupid IIS behavior but I am having difficulty explaining this to
customers--they don't care.

On 3/15/08, Arno Garrels <[EMAIL PROTECTED]> wrote:
>
> Fastream Technologies wrote:
> > In the direct connection logs, if you look at the first request that
> > returns 401, its response has connection: close,
>
> That's totally ok since at that time the auth-type is not yet negotiated.
> However when the NTLM message type 1 is sent from the client to the server
> Keep-Alive must be ON.
>
> --
> Arno Garrels
>
> > rather strange it
> > worked that way. Anyway, I think this link I posted is the closest I
> > have as a clue...
> >
> > On 3/15/08, Arno Garrels <[EMAIL PROTECTED]> wrote:
> >>
> >>> I asked the customer to enable
> >>> keep-alive and hope that it will work without any modification.
> >>
> >> Sure, NTLM auth requires Keep-Alive. However, in your log Keep-Alive
> >> is already used correctly, so what will that change?
> >>
> >> --
> >> Arno Garrels
> >>
> >> Fastream Technologies wrote:
> >>> Hi Guys,
> >>>
> >>> I found this on my research:
> >>> https://issues.apache.org/bugzilla/show_bug.cgi?id=39673
> >>>
> >>> Seems that NTLM is crap since it assumes statefulness on a stateless
> >>> protocol (HTTP). Shame on M$. I asked the customer to enable
> >>> keep-alive and hope that it will work without any modification. FYI.
> >>>
> >>> Best Regards,
> >>>
> >>> SZ
> >>>
> >>> On 3/15/08, Fastream Technologies <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>> Yes you are probably right--but the code is so simple and I checked
> >>>> the header sent with socketspy and it is the same size (208 bytes
> >>>> after "Authorization: NTLM ") in both direct and non-direct! As I
> >>>> said it is just a tunnel. Is there a way to decrypt the header with
> >>>> some ready tool? I do not want to waste time with complex ntlm code
> >>>> with as you suggested. But will look into structures now....
> >>>>
> >>>> Regards,
> >>>>
> >>>> SZ
> >>>>
> >>>>
> >>>> On 3/15/08, Arno Garrels <[EMAIL PROTECTED]> wrote:
> >>>>>
> >>>>> Fastream Technologies wrote:
> >>>>>> When I trace the code, it seems that your web server side NTLM
> >>>>>> code is not called at all.
> >>>>>
> >>>>> So, that is your implementation! If you do not call my code it
> >>>>> can hardly be the reason for the problem.
> >>>>>
> >>>>>> It just tunnels the www-authenticate headers
> >>>>>> to/from the web server.
> >>>>>
> >>>>> It's your application that is tunneling.
> >>>>>
> >>>>>> Can you suggest me some URLs so that I can
> >>>>>> read and understand what the earth is wrong with NTLM handshake?
> >>>>>
> >>>>> http://davenport.sourceforge.net/ntlm.html
> >>>>>
> >>>>>> You
> >>>>>> told me all is well in one of your first mails. However, there
> >>>>>> must be something wrong. For example, is the domain info
> >>>>>> embedded in the hashed ntlm handshake?
> >>>>>
> >>>>> If you ever want to know exactly what is included in the NTLM
> >>>>> messages you need to write a parser, basic info from NTLM message
> >>>>> type 2 can be viewed with a function from Francois' unit
> >>>>> OverbyteIcsNtlmMsgs.pas, it also includes the structures and shows
> >>>>> how to parse NTLM messages.
> >>>>>
> >>>>> --
> >>>>> Arno Garrels
> >>>>>
> >>>>>
> >>>>> --
> >>>>> To unsubscribe or change your settings for TWSocket mailing list
> >>>>> please goto
> >>>>> http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit
> >>>>> our website at http://www.overbyte.be
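
Added example, not part of the original thread and not the ICS OverbyteIcsNtlmMsgs.pas code: a small Python parser of the kind suggested in the quoted reply, run on the Type 2 and Type 3 header values from the direct-connection log above. It reads the standard NTLMSSP field layout; the names parse_ntlm, _buf, _text and AV_NAMES are made up for this example, and it only decodes the plain fields (nothing is decrypted).

```python
import base64
import struct

AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}

def _buf(raw, pos):
    """Return the bytes that the security buffer (len, maxlen, offset) at pos points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
    if offset + length > len(raw):
        raise ValueError("security buffer points outside the message")
    return raw[offset:offset + length]

def _text(data, flags):  # NEGOTIATE_UNICODE (0x1) selects UTF-16LE, else OEM
    return data.decode("utf-16-le" if flags & 1 else "latin-1")

def parse_ntlm(header_value):
    """Decode the value of an 'NTLM <base64>' header into its plain fields."""
    scheme, _, token = header_value.strip().partition(" ")
    raw = base64.b64decode(token, validate=True)
    if scheme.upper() != "NTLM" or len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    if mtype == 1:  # negotiate: client flags only
        return {"type": 1, "flags": struct.unpack_from("<I", raw, 12)[0]}
    if mtype == 2:  # challenge: target name, server nonce, target info
        flags = struct.unpack_from("<I", raw, 20)[0]
        out = {"type": 2, "flags": flags, "target": _text(_buf(raw, 12), flags),
               "challenge": raw[24:32].hex()}
        info = _buf(raw, 40) if flags & 0x00800000 else b""  # NEGOTIATE_TARGET_INFO
        pos = 0
        while pos + 4 <= len(info):  # walk the AV_PAIR list (ids named in AV_NAMES)
            av_id, av_len = struct.unpack_from("<HH", info, pos)
            if av_id == 0:  # end-of-list marker
                break
            value = info[pos + 4:pos + 4 + av_len].decode("utf-16-le")
            out[AV_NAMES.get(av_id, f"av_{av_id}")] = value
            pos += 4 + av_len
        return out
    if mtype == 3:  # authenticate: identity fields travel in clear text
        flags = struct.unpack_from("<I", raw, 60)[0]
        names = (("domain", 28), ("user", 36), ("workstation", 44))
        return {"type": 3, "flags": flags, **{k: _text(_buf(raw, p), flags) for k, p in names}}
    raise ValueError(f"unknown NTLM message type {mtype}")

# Header values copied from the post's direct-connection log (Type 2, then Type 3)
TYPE2 = "NTLM TlRMTVNTUAACAAAAEAAQADgAAAAFgokCea/nLdPsCJkAAAAAAAAAAGoAagBIAAAABQCTCAAAAA9CAFMARQBfAEUATABFAEMAAgAQAEIAUwBFAF8ARQBMAEUAQwABABIAQgBTAEUAUwBWAE0AWAAwADEABAAQAGIAcwBlAC4AcAByAGkAdgADACQAYgBzAGUAcwB2AG0AeAAwADEALgBiAHMAZQAuAHAAcgBpAHYAAAAAAA=="
TYPE3 = "NTLM TlRMTVNTUAADAAAAGAAYAGwAAAAYABgAhAAAABAAEABAAAAAEAAQAFAAAAAMAAwAYAAAAAAAAAAAAAAABYIIAGIAcwBlAF8AZQBsAGUAYwBiAGUAcgB0AGgAaQBlAHIARgBTAFQALQBQAEMAdRwORof1/CcAAAAAAAAAAAAAAAAAAAAAttAjYSSpH3rb0l65d4MCP7MW4jcVWTJD"

print(*map(parse_ntlm, (TYPE2, TYPE3)), sep="\n")
```

Running the same function on the header captured on the proxied path and comparing the two dictionaries shows whether the tunnel changed anything inside the token.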