Return-Path: Delivered-To: apmail-jakarta-httpclient-dev-archive@www.apache.org Received: (qmail 6492 invoked from network); 1 Feb 2005 03:05:32 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 1 Feb 2005 03:05:32 -0000 Received: (qmail 6759 invoked by uid 500); 1 Feb 2005 03:05:31 -0000 Delivered-To: apmail-jakarta-httpclient-dev-archive@jakarta.apache.org Received: (qmail 6739 invoked by uid 500); 1 Feb 2005 03:05:31 -0000 Mailing-List: contact httpclient-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "HttpClient Project" Reply-To: "HttpClient Project" Delivered-To: mailing list httpclient-dev@jakarta.apache.org Received: (qmail 6725 invoked by uid 99); 1 Feb 2005 03:05:31 -0000 X-ASF-Spam-Status: No, hits=1.8 required=10.0 tests=RCVD_IN_BL_SPAMCOP_NET,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (hermes.apache.org: domain of bcronin@mit.edu designates 18.7.7.80 as permitted sender) Received: from BISCAYNE-ONE-STATION.MIT.EDU (HELO biscayne-one-station.mit.edu) (18.7.7.80) by apache.org (qpsmtpd/0.28) with ESMTP; Mon, 31 Jan 2005 19:05:29 -0800 Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.12.4/8.9.2) with ESMTP id j1135Qar020634 for ; Mon, 31 Jan 2005 22:05:27 -0500 (EST) Received: from [192.168.1.100] (pool-68-160-135-17.bos.east.verizon.net [68.160.135.17]) (authenticated bits=0) (User authenticated as bcronin@ATHENA.MIT.EDU) by outgoing.mit.edu (8.12.4/8.12.4) with ESMTP id j1135O0Z024137 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for ; Mon, 31 Jan 2005 22:05:24 -0500 (EST) Mime-Version: 1.0 (Apple Message framework v619.2) In-Reply-To: References: <02FD9154-BDCF-4DD7-A641-42171484B6AB@intencha.com> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Beau Cronin Subject: Re: NTLM type 2 header issue Date: Mon, 31 Jan 2005 22:05:16 -0500 To: "HttpClient Project" X-Mailer: Apple Mail (2.619.2) X-Spam-Score: 3.676 X-Spam-Level: *** (3.676) X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N I've found the following in the davenport NTLM documentation, which seems to be the relevant situation here: --------- With Windows 2000, Microsoft introduced the "Negotiate" HTTP authentication mechanism. While primarily aimed at providing a means of authenticating the user against Active Directory via Kerberos, it is backward-compatible with the NTLM scheme. When the Negotiate mechanism is used in "legacy" mode, the headers passed between the client and server are identical, except "Negotiate" (rather than "NTLM") is indicated as the mechanism name. --------- This behavior breaks NTLMScheme.processChallenge(), which does a simple comparison between the the scheme name ("ntlm") and the header of the message ("negotiate"). It seems that this needs to be changed in order to correctly handle this case. It would be simple to hardcode this case (since, as the above excerpt states, all of the other message contents remains the same), and I can certainly do this and submit a patch. The question is whether this is a bad idea, or would break anything. Any input appreciated, Beau Cronin On Jan 30, 2005, at 9:01 PM, Beau Cronin wrote: >> On 31/01/2005, at 5:02 AM, Beau Cronin wrote: >>> As far as I can tell, all NTLM messages should have "NTLM" as the >>> header. Is anyone familiar with the source of this behavior? Is >>> this >>> within the NTLM "spec", or is there something weird going on here? >> >> As far as I know you're right. NTLM servers generally respond with: >> >> WWW-Authenticate: Negotiate >> WWW-Authenticate: NTLM >> >> (often there's a Kerberos in the middle) >> >> What is the server you're having trouble with? > > The server is just an internal IIS server we're using for testing for > this issue. I'm not sure exactly how it's configured, > unfortunately--but as far as I know, it's a vanilla configuration. > > I'm a little surprised by this "Negotiate" header, since the NTLM > reverse-engineering documents I've seen don't mention it. Is there > somewhere I can look which discusses it? > >> I would tend to think that it's reasonable to continue down the NTLM >> authentication path once we've started if we get a Negotiate header >> with no following NTLM header. I'd like to know more about what >> Negotiate means though as I suspect it is an authentication scheme in >> itself or at least a scheme for negotiating the scheme to use. I >> don't recall seeing the Negotiate scheme in any standards or >> documentation I've read though. > > I interpret this to mean you think this is a legitimate NTLM response > then? In that case, I suppose this requires a modification to the > http-client NTLMScheme code to appropriately handle it. Is that a > reasonable supposition? If so, maybe I can take a look at what's > involved. I'm rather new to this area, though, so I wanted to check > with the experts here before making any assumptions about where any > changes need to be made. > > Any further input greatly appreciated, > > Beau Cronin > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org > For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org