
Re: NTLM Authentication Project



Hi Thomas,

I have never worked with a server that uses NTLM authentication. I do 
not have access to a server that uses it that I could test it with.

In other forms of authorization, the HTTP server sends a 
www-authenticate header along with a 401 response code to notify the 
client that authentication is required, and to specify the types of 
authentication that can be used (currently, HTTPAPI supports BASIC and 
DIGEST).  The client (HTTPAPI) sends back an authorization: header 
containing the details.

HTTPAPI provides routines named HTTP_setAuth and HTTP_getAuth to allow 
the caller to learn about and/or supply these authentication details. 
(such as supplying a password)

I don't understand why an additional routine 
(http_persist_negotiate_ntlm) would be necessary for this to work?!  I 
don't like that at all.  The caller should be able to (1) determine that 
a userid/password is needed by the 401 response, and (2) call setAuth to 
provide it...  and, aside from that, it should be seamless to the 
caller.  I don't want the caller to have to go through different coding 
efforts depending on the type of authentication required by the server!



On 4/23/2012 2:57 PM, Thomas Raddatz wrote:
> Hi Scott,
>
> I wonder if you ever spent a minute on NTLM authentication. Are you open
> to adding NTLM authentication to HTTPAPI?
>
> So far it seems to work for GET operations. I tried it with http_url_get()
> and with http_persist_open(), http_persist_get() and http_persist_close().
>
> I do not have a chance to test it with the POST operations because I do not
> yet have a web service on my IIS. I have to figure out how to get that up and
> running. Using a POST operation for a static html page fails with an error
> message saying something like "post not allowed".
>
> On the one hand having NTLM authentication was a good enhancement to HTTP API
> but on the other hand I do not know whether or not we would open Pandora's
> Box with it.
>
> Here is the list of changes. Feel free to take a look at it and please let
> me know what you think about it. Of course you can also get the source
> code. But I did not want to bother you with it unless you consider looking
> at it.
>
> Basically I used the source code of the JCIFS project to write "my" NTLM
> implementation. So far I implemented the LM compatibility levels 0-5 but
> without the signing option.
>
> Special thanks to Loek Maartens who pointed me to the right direction.
>
> Thomas.
>
> Changes to HTTP API 1.25beta2:
>
> QRPGLESRC:
> ----------
>
> HTTPAPI_H
>
> 1)  Added parameter 'peNtlm' to 'http_getauth'.
> 2)  Added parameter 'peDomain' to 'http_setauth'.
> 3)  Added prototype for procedure 'http_persist_negotiate_ntlm'.
> 4)  Added error code 'HTTP_NEGNTLM' which is sent by procedure
>       'http_persist_negotiate_ntlm'.
> 5)  Added authentication type 'HTTP_AUTH_NTLM'.
>
> HTTPAPIR4
>
> 1)  Added prototype NTLM_H to include the NTLM service program
>       procedures.
> 2)  Added parameter 'peResetAuth' to 'interpret_auth', because
>       'interpret_auth' is being called twice for NTLM authentication.
> 3)  Added procedure 'nullWrite' that is used when sending
>       the NEGOTIATE (Type-1) message to the server.
> 4)  Added constants 'NTLM_NONE', 'NTLM_NEGOTIATE', 'NTLM_AUTHENTICATE'
>       and 'NTLM_CONNECTED' to keep track of the NTLM authentication
>       status.
> 5)  Added 'dsAuthNtlm', 'dsAuthNtlmStatus', 'dsAuthMsgNtlm' and
>       'dsAuthDomain' to data structure 'dsAuth' to store additional
>       NTLM authentication values.
> 6)  Setting 'wwReqChain' for NTLM authentication in procedure
>       'do_oper'.
> 7)  Changing return code of parse_resp_chain() back to '-1' in
>       procedure 'do_oper' after having received a 401 error for
>       POST/PUT data.
> 8)  Changing return code of parse_resp_chain() back to '-1' in
>       procedure 'do_oper' after having received a 401 error when the
>       program is not in NTLM authentication status.
> 9)  Added optional parameter 'peNtlm' to procedure 'http_getauth'.
> 10) Added optional parameter 'peDomain' to procedure 'http_setauth'.
> 11) Allowed authentication type 'HTTP_AUTH_NTLM' for procedure 'http_setauth'.
> 12) Setting NTLM specific values in procedure 'http_setauth'.
> 13) Added public procedure 'http_persist_negotiate_ntlm'.
> 14) Fixed 'interpret_auth' to properly retrieve the "WWW-Authenticate"
>       values. Procedure did not work for values that are not enclosed
>       in quotes. Header "WWW-Authenticate" appears twice in 401 response
>       messages:
>       WWW-Authenticate: Negotiate\r\n
>       WWW-Authenticate: NTLM\r\n
> 15) Added call to 'http_persist_negotiate_ntlm' after having executed
>       'http_persist_open' to 'http_url_get_raw' and 'http_url_post_raw'.
> 16) Changed 'parse_resp_chain' to parse multiple occurrences of
>       'WWW-Authenticate' headers.
> 17) Changed 'parse_resp_chain' to return a '401' error code when using
>       NTLM authentication.
> 18) Changed 'proxy_tunnel' to return '-1' when receiving a '401' from
>       'parse_resp_chain'.
>
> ENCRYPTR4 (RPGLE)
>
> 1)  New module providing data encryption and digest services.
>       (Uses MD4C for MD4 digest. Provides RC4, MD4, DES, MD5Digest
>       and MD5Hmac services.)
>
> NTLMR4 (RPGLE)
>
> 1)  New module providing NTLM authentication services.
>
> MD4C (C)
>
> 1)  New module. C implementation of the MD4 digest service of
>       RSA Data Security, Inc.
>
> QSRVSRC:
> --------
>
> HTTPAPI1
>
> 1)  Added procedure export 'http_persist_negotiate_ntlm'.
>
> HTTPAPI2
>
> 1)  Added procedure export 'http_persist_negotiate_ntlm'.
>
> QCLSRC:
> -------
>
> INSTALL
>
> 1)  Changed to create the new modules.
> 2)  Changed to add the new modules to binding directory QTEMP/HTTPAPIR4.
>
>
>
>
> On 22.04.2012 14:22, Thomas Raddatz wrote:
>> Hi,
>>
>> Is there somebody who has experiences in using the NTLM authentication
>> mechanism? I am trying to add NTLM authentication to HTTP API with little
>> success so far.
>>
>> Although all my RPGUnit test cases show "green" for all the various
>> procedures for calculating this and that, I cannot successfully connect to
>> the IIS server on my local desktop PC. I always get a 401 "Access Denied"
>> error message.
>>
>> I must be doing something wrong. Most likely it is something obvious that
>> I do not see. One thing I have in mind is the "keep-alive" header. When I
>> connect from my PC to the IIS on a virtual machine, I can see that both
>> (client and server) set the "keep-alive" header and that the
>> NTLMSSP_NEGOTIATE and NTLMSSP_AUTH messages are sent through the same port.
>> As far as I understand HTTP API, HTTP API does not support the "keep-alive"
>> header and hence my RPG program uses different ports to send these messages.
>>
>> I gladly provide more details or my test library to everyone who wants to
>> join me.
>>
>> Regards,
>>
>> Thomas.
>> -----------------------------------------------------------------------
>> This is the FTPAPI mailing list.  To unsubscribe, please go to:
>> http://www.scottklement.com/mailman/listinfo/ftpapi
>> -----------------------------------------------------------------------
>>

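The thread turns on two details of the NTLM exchange: the 401 response carries more than one WWW-Authenticate header with bare, unquoted values (items 14 and 16 of the quoted change list), and the server's follow-up challenge arrives as a base64 NTLMSSP blob after the scheme name. The following is an added example, not HTTPAPI code: it parses all WWW-Authenticate challenges from a raw response and identifies the NTLMSSP message type in the server's reply. The sample responses are constructed for illustration.

```python
import base64
import struct

# Constructed 401, modelled on the two-header form quoted in the thread:
# the header appears twice and neither value is quoted. Not captured from a
# real server.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Length: 0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed Type-2 (CHALLENGE) blob: the 8-byte "NTLMSSP\0" signature,
# a little-endian message type of 2, then zeroed fields. Only the first
# 12 bytes are inspected below.
SAMPLE_TYPE2_BLOB = b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(20)
SAMPLE_TYPE2_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    + "WWW-Authenticate: NTLM "
    + base64.b64encode(SAMPLE_TYPE2_BLOB).decode()
    + "\r\nConnection: keep-alive\r\n\r\n"
)

def parse_challenges(raw_response):
    """Return every (SCHEME, data) pair from all WWW-Authenticate headers.

    Handles a bare scheme ("NTLM"), a scheme with quoted parameters
    ('Digest realm="x", nonce="y"') and a scheme followed by a base64 blob
    ("NTLM TlRMTVNT...").  Header names are matched case-insensitively.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            scheme, _, data = value.strip().partition(" ")
            challenges.append((scheme.upper(), data.strip()))
    return challenges

def offers_ntlm(challenges):
    """True when the server advertised the NTLM scheme in any header."""
    return any(scheme == "NTLM" for scheme, _ in challenges)

def ntlm_message_type(token):
    """Decode a base64 NTLMSSP token and return its message type
    (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE); -1 if not NTLMSSP."""
    blob = base64.b64decode(token)
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return -1
    return struct.unpack_from("<I", blob, 8)[0]
```

Because the NEGOTIATE and AUTHENTICATE messages must travel on the same TCP connection, as Thomas observed with keep-alive, a client that reopens the socket between the Type-1 and Type-3 messages will keep receiving 401 regardless of how well it parses these headers.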