Discussion:
LibCurl with NTLM and Kerberos authentication
Steven Garno
2015-09-02 22:42:35 UTC
Support,

We seem to be experiencing some difficulties in getting libcurl to work with NTLM and Kerberos authentication on a Windows platform. Any help would be greatly appreciated.

Here is the problem:

We have a site configured to use NTLM Negotiate authentication mechanism (also tried Kerberos instead of NTLM). When I call the URL in the browser while monitoring the traffic in Fiddler, the negotiate authentication works as expected: first two requests return 401 and the third one returns 200.

However, when I try to make the same call using cURL, the negotiation never happens, only one request is made and 401 status is returned:

I tried setting this option in cURL before making the call:
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE)

Also, tried setting it this way:
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE | CURLAUTH_NTLM)

And this way:
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY)

The result is always the same - one request returning 401. The second (and sometimes third) negotiations never seem to happen. What are we doing/not doing correctly?
Joel DePooter
2015-09-02 23:04:18 UTC
You likely need to set the username and password option to ":" in
order to make this work. For example:

static const char* empty_user_password = ":";
curl_easy_setopt( easy_handle, CURLOPT_USERPWD , empty_user_password );

-Joel
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiqu
Isaac Boukris
2015-09-03 11:12:06 UTC
Post by Joel DePooter
You likely need to set the username and password option to ":" in
static const char* empty_user_password = ":";
curl_easy_setopt( easy_handle, CURLOPT_USERPWD , empty_user_password );
+1

Michael König
2015-09-03 09:58:36 UTC
Hi there!
Post by Steven Garno
Support,
We seem to be experiencing some difficulties in getting libcurl to work with
NTLM and Kerberos authentication on a Windows platform. Any help would be
greatly appreciated.
http://curl.haxx.se/libcurl/c/debug.html

Apply the debug code to your source and see what chatty libcurl has to say
during the exchange. This helped me a number of times already.

Without it and with only the information you provided, everything below is
educated guesswork.
Post by Steven Garno
We have a site configured to use NTLM Negotiate authentication mechanism (also
tried Kerberos instead of NTLM). When I call the URL in the browser while
monitoring the traffic in Fiddler, the negotiate authentication works as
expected: first two requests return 401 and the third one returns 200.
How was your libcurl built? Did you enable SSPI? Or OpenSSL? If you did
neither, libcurl would not have the ability to do NTLM or Kerberos, I think.

For example, the name of my last build directory was something like this:
libcurl-vc9-x86-release-static-zlib-static-ssh2-static-ipv6-sspi-winssl-obj-lib
Post by Steven Garno
However, when I try to make the same call using cURL, the negotiation never
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE)
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE | CURLAUTH_NTLM)
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY)
The result is always the same - one request returning 401. The second (and
sometimes third) negotiations never seem to happen. What are we doing/not
doing correctly?
Assuming the webserver only accepts NEGO/NTLMv2, your libcurl might just
not be able to do what you are asking, if you missed the right options at
build time.

Greetings,
Michael
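
An added diagnostic (not code from the thread or from libcurl) for reading the kind of trace suggested above: it classifies each `WWW-Authenticate` / `Authorization` value by NTLM message type, so the furthest leg of the three-request exchange is visible at a glance. The `> ` / `< ` prefixes follow `curl -v` output; the function names and the sample trace are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Case-insensitive prefix match: returns the text after prefix, or NULL. */
static const char *after(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return NULL;
    return s;
}

/* Decode at most `want` bytes from the start of a base64 string. */
static size_t b64_prefix(const char *s, unsigned char *out, size_t want) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = 0;
    unsigned acc = 0, bits = 0;
    for (const char *p; *s && n < want && (p = strchr(tbl, *s)) != NULL; s++) {
        acc = (acc << 6) | (unsigned)(p - tbl);
        if ((bits += 6) >= 8) out[n++] = (unsigned char)(acc >> (bits -= 8));
    }
    return n;
}

/* 1/2/3 = NTLM message type, 0 = non-NTLM token (e.g. Kerberos), -1 = no token. */
int auth_leg(const char *value) {
    unsigned char b[12];
    const char *tok = after(value, "Negotiate");
    if (!tok && !(tok = after(value, "NTLM"))) return -1;
    while (*tok == ' ') tok++;
    if (!*tok) return -1;                 /* bare scheme name: only an offer */
    if (b64_prefix(tok, b, sizeof b) < 12 || memcmp(b, "NTLMSSP", 8)) return 0;
    return (b[8] >= 1 && b[8] <= 3 && !(b[9] | b[10] | b[11])) ? b[8] : 0;
}

/* Highest NTLM leg seen in curl -v style lines ("> " sent, "< " received). */
int handshake_progress(const char *const *lines, size_t n) {
    int best = 0;
    for (size_t i = 0; i < n; i++) {
        const char *v = after(lines[i], "> Authorization: ");
        if (!v) v = after(lines[i], "< WWW-Authenticate: ");
        if (v && auth_leg(v) > best) best = auth_leg(v);
    }
    return best;
}

int main(void) {
    /* Constructed trace of the symptom in the thread: offers, no client reply. */
    const char *stalled[] = { "< WWW-Authenticate: Negotiate", "< WWW-Authenticate: NTLM" };
    printf("stalled trace reached leg %d\n", handshake_progress(stalled, 2));
    return 0;
}
```

A result of 0 on a trace that contains only server offers matches the single-401 symptom: the client never sent a token, which points at the client configuration or build rather than at the server.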