
Re: NTLM Authentication Project



Hi Scott,

I wonder if you ever spent a minute on NTLM authentication. Are you open 
to adding NTLM authentication to HTTPAPI?

So far it seems to work for GET operations. I tried it with http_url_get() 
and with http_persist_open(), http_persist_get() and http_persist_close().

I do not have a chance to test it with the POST operations because I do not 
yet have a web service on my IIS. I have to figure out how to get that up and 
running. Using a POST operation for a static html page fails with an error 
message saying something like "post not allowed".

On one side having NTLM authentication was a good enhancement to HTTP API 
but on the other side I do not know whether or not we would open Pandora's 
Box with it.

Here is the list of changes. Feel free to take a look at it and please let 
me know what you think about it. Of course you can also get the source 
code. But I did not want to bother you with it unless you are considering 
looking at it.

Basically I used the source code of the JCIFS project to write "my" NTLM 
implementation. So far I implemented the LM compatibility levels 0-5 but 
without the signing option.

Special thanks to Loek Maartens who pointed me to the right direction.

Thomas.

Changes to HTTP API 1.25beta2:

QRPGLESRC:
----------

HTTPAPI_H

1)  Added parameter 'peNtlm' to 'http_getauth'.
2)  Added parameter 'peDomain' to 'http_setauth'.
3)  Added prototype for procedure 'http_persist_negotiate_ntlm'.
4)  Added error code 'HTTP_NEGNTLM' which is sent by procedure
     'http_persist_negotiate_ntlm'.
5)  Added authentication type 'HTTP_AUTH_NTLM'.

HTTPAPIR4

1)  Added prototype NTLM_H to include the NTLM service program
     procedures.
2)  Added parameter 'peResetAuth' to 'interpret_auth', because
     'interpret_auth' is being called twice for NTLM authentication.
3)  Added procedure 'nullWrite' that is used when sending
     the NEGOTIATE (Type-1) message to the server.
4)  Added constants 'NTLM_NONE', 'NTLM_NEGOTIATE', 'NTLM_AUTHENTICATE'
     and 'NTLM_CONNECTED' to keep track of the NTLM authentication
     status.
5)  Added 'dsAuthNtlm', 'dsAuthNtlmStatus', 'dsAuthMsgNtlm' and
     'dsAuthDomain' to data structure 'dsAuth' to store additional
     NTLM authentication values.
6)  Setting 'wwReqChain' for NTLM authentication in procedure
     'do_oper'.
7)  Changing return code of parse_resp_chain() back to '-1' in
     procedure 'do_oper' after having received a 401 error for
     POST/PUT data.
8)  Changing return code of parse_resp_chain() back to '-1' in
     procedure 'do_oper' after having received a 401 error when the
     program is not in NTLM authentication status.
9)  Added optional parameter 'peNtlm' to procedure 'http_getauth'.
10) Added optional parameter 'peDomain' to procedure 'http_setauth'.
11) Allowed authentication type 'HTTP_AUTH_NTLM' for procedure 'http_setauth'.
12) Setting NTLM specific values in procedure 'http_setauth'.
13) Added public procedure 'http_persist_negotiate_ntlm'.
14) Fixed 'interpret_auth' to properly retrieve the "WWW-Authenticate"
     values. Procedure did not work for values that are not enclosed
     in quotes. Header "WWW-Authenticate" appears twice in 401 response
     messages:
	   WWW-Authenticate: Negotiate\r\n
	   WWW-Authenticate: NTLM\r\n
15) Added call to 'http_persist_negotiate_ntlm' after having executed
     'http_persist_open' to 'http_url_get_raw' and 'http_url_post_raw'.
16) Changed 'parse_resp_chain' to parse multiple occurrences of
     'WWW-Authenticate' headers.
17) Changed 'parse_resp_chain' to return a '401' error code when using
     NTLM authentication.
18) Changed 'proxy_tunnel' to return '-1' when receiving a '401' from
     'parse_resp_chain'.

ENCRYPTR4 (RPGLE)

1)  New module providing data encryption and digest services.
     (Uses MD4C for MD4 digest. Provides RC4, MD4, DES, MD5Digest
     and MD5Hmac services.)

NTLMR4 (RPGLE)

1)  New module providing NTLM authentication services.

MD4C (C)

1)  New module. C implementation of the MD4 digest service of
     RSA Data Security, Inc.
	
QSRVSRC:
--------

HTTPAPI1

1)  Added procedure export 'http_persist_negotiate_ntlm'.

HTTPAPI2

1)  Added procedure export 'http_persist_negotiate_ntlm'.
	
QCLSRC:
-------

INSTALL

1)  Changed to create the new modules.
2)  Changed to add the new modules to binding directory QTEMP/HTTPAPIR4.




Am 22.04.2012 14:22, schrieb Thomas Raddatz:
> Hi,
>
> Is there somebody who has experiences in using the NTLM authentication
> mechanism? I am trying to add NTLM authentication to HTTP API with less
> success so far.
>
> Although all my RPGUnit test cases show "green" for all the various
> procedures for calculating this and that, I cannot successfully connect to
> the IIS server on my local desktop PC. I always get a 401 "Access Denied"
> error message.
>
> I must be doing something wrong. Most likely it is something obvious that
> I do not see. One thing I have in mind is the "keep-alive" header. When I
> connect from my PC to the IIS on a virtual machine, I can see that both
> (client and server) set the "keep-alive" header and that the
> NTLMSSP_NEGOTIATE and NTLMSSP_AUTH messages are sent through the same port.
> As far as I understand HTTP API, HTTP API does not support the "keep-alive"
> header and hence my RPG program uses different ports to send these messages.
>
> I gladly provide more details or my test library to everyone who wants to
> join me.
>
> Regards,
>
> Thomas.
-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
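Two points in the message above are easy to get wrong in a client: item 14 of the change list (a 401 carries several WWW-Authenticate headers, and the values "Negotiate" and "NTLM" are bare tokens rather than quoted strings), and the quoted earlier question about keep-alive (the Type-1 and Type-3 messages have to travel over one TCP connection). The following Python is an added illustration, not code from HTTPAPI or from Thomas Raddatz; the sample responses are constructed, the base64 challenge is a placeholder rather than a real Type-2 message, and the state names only mirror the NTLM_NONE/NTLM_NEGOTIATE/NTLM_AUTHENTICATE/NTLM_CONNECTED constants described in the change list.

```python
import re

# Constructed sample responses (not captured from a real IIS server).
# First 401: the two unquoted challenges named in the change list, plus a
# Basic challenge with a quoted realm so both header shapes are exercised.
SAMPLE_401_INITIAL = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="Test Area"\r\n'
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
# Second 401: the server answers the Type-1 message with a Type-2 challenge.
# The base64 token is a placeholder (base64 of a sentence), not a real
# NTLM Type-2 message.
SAMPLE_401_CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 0\r\n"
    "WWW-Authenticate: NTLM VGhpcyBpcyBub3QgYSByZWFsIFR5cGUtMg==\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Handshake states, named after the constants described in the change list.
NTLM_NONE, NTLM_NEGOTIATE, NTLM_AUTHENTICATE, NTLM_CONNECTED = range(4)


def parse_headers(raw):
    """Split a raw response into (status_code, [(name, value), ...]).
    Headers are kept as an ordered list, not a dict, so that repeated
    names such as the two WWW-Authenticate lines both survive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


# token68 shape (base64-like run plus optional '=' padding), per RFC 7235
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")
# key=value or key="quoted value" parameters
_PARAM = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)')


def www_authenticate_challenges(headers):
    """Return (scheme, token, params) for every WWW-Authenticate header.
    Handles a bare scheme ("NTLM"), a scheme plus base64 token
    ("NTLM <token>") and a scheme plus key=value parameters with or
    without quotes ('Basic realm="Test Area"')."""
    out = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        scheme, _, rest = value.partition(" ")
        rest = rest.strip()
        token, params = None, {}
        if rest and _TOKEN68.match(rest):
            token = rest
        elif rest:
            params = {k.lower(): v.strip('"') for k, v in _PARAM.findall(rest)}
        out.append((scheme.lower(), token, params))
    return out


def ntlm_next_state(state, status, headers):
    """Advance the NTLM handshake by one server response.
    Returns (new_state, action, type2_token). Because the Type-1 and
    Type-3 messages must travel over the same TCP connection, a 401 that
    closes the connection aborts the exchange instead of retrying on a
    fresh socket (which is what the quoted keep-alive problem describes)."""
    ntlm = [c for c in www_authenticate_challenges(headers) if c[0] == "ntlm"]
    connection = next((v for n, v in headers if n == "connection"), "").lower()
    if status != 401:
        ok = 200 <= status < 300
        return (NTLM_CONNECTED if ok else NTLM_NONE), ("done" if ok else "http_error"), None
    if not ntlm:
        return NTLM_NONE, "ntlm_not_offered", None
    if "close" in connection:
        return NTLM_NONE, "connection_closed", None
    if state == NTLM_NONE:
        return NTLM_NEGOTIATE, "send_type1", None
    if state == NTLM_NEGOTIATE and ntlm[0][1] is not None:
        return NTLM_AUTHENTICATE, "send_type3", ntlm[0][1]
    # A 401 after Type-3, or a challenge that carries no token, means the
    # credentials were rejected; start over rather than loop forever.
    return NTLM_NONE, "rejected", None


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_401_INITIAL)
    print(www_authenticate_challenges(hdrs))
    print(ntlm_next_state(NTLM_NONE, status, hdrs))
    status, hdrs = parse_headers(SAMPLE_401_CHALLENGE)
    print(ntlm_next_state(NTLM_NEGOTIATE, status, hdrs))
```

The header list is deliberately ordered rather than a dict: collapsing repeated headers is exactly the defect item 16 fixes in parse_resp_chain. The "connection_closed" branch is the defensive counterpart of the keep-alive observation in the quoted message: if the client cannot keep the socket open between Type-1 and Type-3, the handshake cannot succeed, so the client should report that rather than resend credentials on a new connection.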