[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NTLM authentication
David,
Is your code calling http_url_get() first before calling http_getauth()?
The initial http_url_get, would return a results code = HTTP_NDAUTH,
which tells you that you need authentication...so then you call
http_getauth(), followed by http_setauth() and try the http_url_get
again.
See example 5.
HTH,
Charles
On Wed, Mar 16, 2011 at 5:42 AM, David Walker <david.2.walker@xxxxxxx> wrote:
> Thanks again Charles
>
> The site I am attempting to access is 'https://team.gsk.com/'
> When I access this from Firefox the 'Authentication Required' window appears. Access to the site is granted once I enter my Network credentials.
>
> However in my RPGLE program the http_getauth returns the contradictory message detailed below.
> (Basic =0, digest =0, realm = blank)
>
> HTTPAPI Ver 1.23 released 2008-04-24
> OS/400 Ver V6R1M0
>
> http_getauth(): entered
> SetError() #39: Server did not ask for authentication!
>
> Grateful for any assistance
>
> R
>
> DW
>
>
> ----Original Message-----
> From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Charles Wilt
> Sent: 15 March 2011 12:26
> To: HTTPAPI and FTPAPI Projects
> Subject: Re: NTLM authentication
>
> David,
>
> Use http_getauth() to determine if basic and.or MD5 digest is allowed...
> *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> * http_getauth(): Get HTTP Authentication Information
> *
> * Call this proc after you receive a HTTP_NDAUTH error
> * to determine the authentication credentials that are required
> *
> * The following parms are returned to your program:
> *
> * peBasic = *ON if BASIC auth is allowed
> * peDigest = *ON if MD5 DIGEST auth is allowed
> * peRealm = Auth realm. Present this to the user to identify
> * which password you're looking for. For example
> * if peRealm is "secureserver.com" you might say
> * "enter password for secureserver.com" to user.
> *
> * After getting the userid & password from the user (or database)
> * you'll need to call http_setauth()
> *
> * Returns -1 upon error, or 0 if successful
> *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> D http_getauth PR 10I 0
> D peBasic 1N
> D peDigest 1N
> D peRealm 124A
>
> if either peBasic or peDigest are returned as *ON, then you can use
> http_setauth():
>
> *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> * http_setauth(): Set HTTP Authentication Information
> *
> * peAuthType = Authentication Type (HTTP_AUTH_BASIC or
> * HTTP_AUTH_MD5_DIGEST)
> * peUsername = UserName to use
> * pePasswd = Password to use
> *
> * Returns -1 upon error, or 0 if successful
> *+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> D http_setauth PR 10I 0
> D peAuthType 1A const
> D peUsername 80A const
> D pePasswd 1024A const
>
> Just pass in the appropriate peAuthType (as determined by the call to
> http_getauth()) and a valid user name and password.
>
> Charles
>
>
> On Tue, Mar 15, 2011 at 2:37 AM, David Walker <david.2.walker@xxxxxxx> wrote:
>> Charles
>>
>> Thanks for the speedy response.
>> The error message I am trying to eliminate is:
>>
>> SetError() #13: HTTP/1.1 401 Unauthorized
>> recvdoc parms: identity 1656
>> interpret_auth(): entered
>> SetError() #36: This page requires a user-id & password
>> http_close(): entered
>>
>> The recommendation I unearthed from Google was to use http_SETAUTH but this does not support NTLM authentication. If I understand your response the userid and password should be provided in a different manner. Is that the case and if so can you please provide the source of a working example?
>>
>> Many thanks
>>
>> Regards
>>
>> David Walker
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Charles Wilt
>> Sent: 14 March 2011 16:05
>> To: HTTPAPI and FTPAPI Projects
>> Subject: Re: NTLM authentication
>>
>> I don't believe so....nor do I even understand why it'd be needed....
>>
>> Looking at NTLM authentication from a browser's perspective, NTLM is
>> useful to allow the browser to automatically pass along the the signed
>> in user's credentials. But it's not required, you can manually enter
>> your user ID and password for the web site. The fact that it's
>> authenticated back to a Windows Active Directory doesn't matter to the
>> browser.
>>
>> I'd expect the same to apply to HTTPAPI, as long as you pass a valid
>> user name and password to the web server, it should work. Unless
>> there's some way to configure the web server to only support IE...
>>
>> If you can access a web site with Firefox (assuming you're using the
>> default of no NTLM integration) or Chrome (which doesn't have NTLM
>> integration AFAIK) then you should be able to access the site with
>> HTTPAPI.
>>
>> I suppose, if instead of using a generic user ID and password, you
>> wanted to invoke the web call under the running user's credentials,
>> you'd need something more; But I don't see NTLM being possible
>> without underlying support from the OS. Which probably isn't going to
>> happen. An alternative might be RFC 4178 defines a Simple and
>> Protected Generic Security Service Application Program Interface
>> Negotiation Mechanism (SPNEGO).
>>
>> Other thoughts...
>> http://workshop.openafs.org/afsbpw06/talks/wes-kerberos-on-web.pdf
>>
>> HTH,
>> Charles
>>
>> On Mon, Mar 14, 2011 at 6:30 AM, David Walker <david.2.walker@xxxxxxx> wrote:
>>>
>>> * From: "Donald Leong" <[1]DLeong@xxxxxxxxxxxxxxxxxx>
>>> * To: "HTTPAPI and FTPAPI Projects"
>>> <[2]ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
>>> * Subject: RE: www-Authenticate?
>>> * Date: Fri, 15 Aug 2008 08:39:14 -0700
>>> *
>>>
>>> · HTTPAPI only supports the two authentication schemes defined
>>> in RFC
>>>
>>> · 2617, which are called "Basic" and "Digest" authentication.
>>>
>>> ·
>>>
>>> · NTLM stands for NT LAN Manager. (NT = Windows NT. LAN
>>> Manager is an
>>>
>>> · old name for "Windows Networking"). It's a proprietary
>>> authentication
>>>
>>> · mechanism from Microsoft for Windows Networking. There are
>>> a few weird
>>>
>>> · situations where it has been used in web applications as
>>> well, but this
>>>
>>> · is rather unusual. Unfortunately, you appear to be in one
>>> of those
>>>
>>> · situations!
>>>
>>> ·
>>>
>>> · Anyway, HTTPAPI doesn't support it at this point, and I
>>> personally have
>>>
>>> · no plans to add it. You may be able to add it yourself --
>>> if you do,
>>>
>>> · we'd welcome you to contribute your code back to the
>>> project.
>>>
>>> ·
>>>
>>>
>>> With reference to above, my question is whether the NTLM
>>> authentication remains unsupported by HTTPAPI as of 14/03/2011
>>>
>>>
>>> Regards
>>>
>>>
>>> David Walker
>>>
>>> GSK Brentford
>>> _________________________________________________________________
>>>
>>> This e-mail was sent by GlaxoSmithKline Services Unlimited
>>> (registered in England and Wales No. 1047315), which is a
>>> member of the GlaxoSmithKline group of companies. The
>>> registered address of GlaxoSmithKline Services Unlimited
>>> is 980 Great West Road, Brentford, Middlesex TW8 9GS.
>>>
>>> References
>>>
>>> 1. mailto:DLeong@xxxxxxxxxxxxx
>>> 2. mailto:ftpapi@xxxxxxxxxxxxx
>>>
>>> -----------------------------------------------------------------------
>>> This is the FTPAPI mailing list. To unsubscribe, please go to:
>>> http://www.scottklement.com/mailman/listinfo/ftpapi
>>> -----------------------------------------------------------------------
>>>
>>>
>> -----------------------------------------------------------------------
>> This is the FTPAPI mailing list. To unsubscribe, please go to:
>> http://www.scottklement.com/mailman/listinfo/ftpapi
>> -----------------------------------------------------------------------
>>
>>
>> This e-mail was sent by GlaxoSmithKline Services Unlimited
>> (registered in England and Wales No. 1047315), which is a
>> member of the GlaxoSmithKline group of companies. The
>> registered address of GlaxoSmithKline Services Unlimited
>> is 980 Great West Road, Brentford, Middlesex TW8 9GS.
>>
>> -----------------------------------------------------------------------
>> This is the FTPAPI mailing list. To unsubscribe, please go to:
>> http://www.scottklement.com/mailman/listinfo/ftpapi
>> -----------------------------------------------------------------------
>>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list. To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
>
>
> This e-mail was sent by GlaxoSmithKline Services Unlimited
> (registered in England and Wales No. 1047315), which is a
> member of the GlaxoSmithKline group of companies. The
> registered address of GlaxoSmithKline Services Unlimited
> is 980 Great West Road, Brentford, Middlesex TW8 9GS.
>
> -----------------------------------------------------------------------
> This is the FTPAPI mailing list. To unsubscribe, please go to:
> http://www.scottklement.com/mailman/listinfo/ftpapi
> -----------------------------------------------------------------------
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------