
RE: NTLM authentication



Thanks again Charles

The site I am attempting to access is 'https://team.gsk.com/'
When I access this from Firefox the 'Authentication Required' window appears. Access to the site is granted once I enter my Network credentials.

However in my RPGLE program the http_getauth returns the contradictory message detailed below.
(Basic =0, digest =0, realm = blank)

HTTPAPI Ver 1.23 released 2008-04-24
OS/400 Ver V6R1M0

http_getauth(): entered
SetError() #39: Server did not ask for authentication!

Grateful for any assistance

R

DW


----Original Message-----
From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Charles Wilt
Sent: 15 March 2011 12:26
To: HTTPAPI and FTPAPI Projects
Subject: Re: NTLM authentication

David,

Use http_getauth() to determine if basic and/or MD5 digest is allowed...
      *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      *  http_getauth():   Get HTTP Authentication Information
      *
      *   Call this proc after you receive a HTTP_NDAUTH error
      *   to determine the authentication credentials that are required
      *
      *  The following parms are returned to your program:
      *
      *     peBasic = *ON if BASIC auth is allowed
      *    peDigest = *ON if MD5 DIGEST auth is allowed
      *     peRealm = Auth realm.  Present this to the user to identify
      *               which password you're looking for.  For example
      *               if peRealm is "secureserver.com" you might say
      *               "enter password for secureserver.com" to user.
      *
      *   After getting the userid & password from the user (or database)
      *   you'll need to call http_setauth()
      *
      *  Returns -1 upon error, or 0 if successful
      *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     D http_getauth    PR            10I 0
     D   peBasic                      1N
     D   peDigest                     1N
     D   peRealm                    124A

If either peBasic or peDigest is returned as *ON, then you can use
http_setauth():

      *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      *  http_setauth():   Set HTTP Authentication Information
      *
      *     peAuthType = Authentication Type (HTTP_AUTH_BASIC or
      *                     HTTP_AUTH_MD5_DIGEST)
      *     peUsername = UserName to use
      *     pePasswd   = Password to use
      *
      *  Returns -1 upon error, or 0 if successful
      *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
     D http_setauth    PR            10I 0
     D   peAuthType                   1A   const
     D   peUsername                  80A   const
     D   pePasswd                  1024A   const

Just pass in the appropriate peAuthType (as determined by the call to
http_getauth()) and a valid user name and password.

Charles


On Tue, Mar 15, 2011 at 2:37 AM, David Walker <david.2.walker@xxxxxxx> wrote:
> Charles
>
> Thanks for the speedy response.
> The error message I am trying to eliminate is:
>
> SetError() #13: HTTP/1.1 401 Unauthorized
> recvdoc parms: identity 1656
> interpret_auth(): entered
> SetError() #36: This page requires a user-id & password
> http_close(): entered
>
> The recommendation I unearthed from Google was to use http_SETAUTH but this does not support NTLM authentication. If I understand your response the userid and password should be provided in a different manner. Is that the case and if so can you please provide the source of a working example?
>
> Many thanks
>
> Regards
>
> David Walker
>
> -----Original Message-----
> From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Charles Wilt
> Sent: 14 March 2011 16:05
> To: HTTPAPI and FTPAPI Projects
> Subject: Re: NTLM authentication
>
> I don't believe so....nor do I even understand why it'd be needed....
>
> Looking at NTLM authentication from a browser's perspective, NTLM is
> useful to allow the browser to automatically pass along the signed
> in user's credentials.  But it's not required, you can manually enter
> your user ID and password for the web site.  The fact that it's
> authenticated back to a Windows Active Directory doesn't matter to the
> browser.
>
> I'd expect the same to apply to HTTPAPI, as long as you pass a valid
> user name and password to the web server, it should work.  Unless
> there's some way to configure the web server to only support IE...
>
> If you can access a web site with Firefox (assuming you're using the
> default of no NTLM integration) or Chrome (which doesn't have NTLM
> integration AFAIK) then you should be able to access the site with
> HTTPAPI.
>
> I suppose, if instead of using a generic user ID and password, you
> wanted to invoke the web call under the running user's credentials,
> you'd need something more;  But I don't see NTLM being possible
> without underlying support from the OS.  Which probably isn't going to
> happen.  An alternative might be RFC 4178, which defines a Simple and
> Protected Generic Security Service Application Program Interface
> Negotiation Mechanism (SPNEGO).
>
> Other thoughts...
> http://workshop.openafs.org/afsbpw06/talks/wes-kerberos-on-web.pdf
>
> HTH,
> Charles
>
> On Mon, Mar 14, 2011 at 6:30 AM, David Walker <david.2.walker@xxxxxxx> wrote:
>>
>>     * From: "Donald Leong" <[1]DLeong@xxxxxxxxxxxxxxxxxx>
>>     * To: "HTTPAPI and FTPAPI Projects"
>>       <[2]ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
>>     * Subject: RE: www-Authenticate?
>>     * Date: Fri, 15 Aug 2008 08:39:14 -0700
>>
>>   HTTPAPI only supports the two authentication schemes defined in RFC
>>   2617, which are called "Basic" and "Digest" authentication.
>>
>>   NTLM stands for NT LAN Manager.  (NT = Windows NT.  LAN Manager is an
>>   old name for "Windows Networking").   It's a proprietary authentication
>>   mechanism from Microsoft for Windows Networking.  There are a few weird
>>   situations where it has been used in web applications as well, but this
>>   is rather unusual.  Unfortunately, you appear to be in one of those
>>   situations!
>>
>>   Anyway, HTTPAPI doesn't support it at this point, and I personally have
>>   no plans to add it.  You may be able to add it yourself -- if you do,
>>   we'd welcome you to contribute your code back to the project.
>>
>>
>>   With reference to above, my question is whether the NTLM
>>   authentication remains unsupported by HTTPAPI as of 14/03/2011
>>
>>
>>   Regards
>>
>>
>>   David Walker
>>
>>   GSK Brentford
>>     _________________________________________________________________
>>
>>   This e-mail was sent by GlaxoSmithKline Services Unlimited
>>   (registered in England and Wales No. 1047315), which is a
>>   member of the GlaxoSmithKline group of companies. The
>>   registered address of GlaxoSmithKline Services Unlimited
>>   is 980 Great West Road, Brentford, Middlesex TW8 9GS.
>>
>> References
>>
>>   1. mailto:DLeong@xxxxxxxxxxxxx
>>   2. mailto:ftpapi@xxxxxxxxxxxxx
>>
>> -----------------------------------------------------------------------
>> This is the FTPAPI mailing list.  To unsubscribe, please go to:
>> http://www.scottklement.com/mailman/listinfo/ftpapi
>> -----------------------------------------------------------------------
>>
>>
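
One way to check which schemes a server offers in the WWW-Authenticate headers of its 401 response, and whether a client limited to Basic and Digest (as the thread describes HTTPAPI) can answer any of them. This is an added example in Python, not part of the original messages or of HTTPAPI; the function names and sample header values are constructed, and that a server offering only Negotiate/NTLM leads to the Basic=0, Digest=0 result reported above is an assumption.

```python
import re

# Schemes the thread says HTTPAPI can answer (RFC 2617 Basic and Digest).
SUPPORTED = {"basic", "digest"}
# One comma-separated piece; commas inside quoted strings do not split.
_PIECE = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
_PARAM = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(.*))$')
# Opaque blob (e.g. base64) that may follow a scheme name instead of params.
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")


def _add_param(params, text):
    """Store name=value from text in params; return False if text is not one."""
    m = None if _TOKEN68.match(text) else _PARAM.match(text)
    if m:
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return m is not None


def parse_challenges(header_values):
    """Return [(scheme, params)] for all WWW-Authenticate header values."""
    challenges = []
    for value in header_values:
        for part in filter(None, (p.strip() for p in _PIECE.findall(value))):
            if challenges and _add_param(challenges[-1][1], part):
                continue  # parameter belonging to the previous challenge
            scheme, _, rest = part.partition(" ")
            challenges.append((scheme, {}))
            _add_param(challenges[-1][1], rest.strip())
    return challenges


def assess(header_values):
    """Report what a Basic/Digest-only client can use, plus what it cannot."""
    offered = parse_challenges(header_values)
    usable = [(s.lower(), p) for s, p in offered if s.lower() in SUPPORTED]
    return {
        "basic": any(s == "basic" for s, _ in usable),
        "digest": any(s == "digest" for s, _ in usable),
        "realm": usable[0][1].get("realm", "") if usable else "",
        "unsupported": [s for s, _ in offered if s.lower() not in SUPPORTED],
    }


# Constructed sample header values (not captured from any real server).
SSO_ONLY = ["Negotiate", "NTLM"]
MIXED = ['Digest realm="intranet, team site", qop="auth", nonce="abc123", '
         'Basic realm="intranet"', "NTLM"]
```

Feeding `assess()` the WWW-Authenticate values from a captured 401 response shows whether credentials passed through http_setauth() can be accepted at all, or whether the server only offers schemes outside RFC 2617.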