
Re: NTLM Authentication Project



   Hi Scott,
   There is no need to call http_persist_negotiate_ntlm() when using
   http_url_get() or http_url_post(). In these cases
   http_persist_negotiate_ntlm() is called under the covers right after
   http_persist_open().
   The problem with NTLM authentication is that it authenticates
   connections and not requests. Therefore it cannot be called from
   http_setauth(). See the following web page for details:
      "Keeping the connection alive"
     [1]http://www.innovation.ch/personal/ronald/ntlm.html
   But if you want to use a persistent connection for multiple GET or POST
   operations, you need to call http_persist_negotiate_ntlm() as you do
   with http_persist_open(), http_persist_close() and the other
   http_persist* procedures for POST or GET operations.
   Maybe you want to have a look at the attached samples, which work
   nicely in my test environment. Most likely the sample programs explain
   how things work better than I can.
   Regards,
   Thomas.
   ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx wrote on 23.04.2012 22:49:00:
   > From: sk@xxxxxxxxxxxxxxxx
   > To: ftpapi@xxxxxxxxxxxxxxxxxxxxxx,
   > Date: 23.04.2012 22:55
   > Subject: Re: NTLM Authentication Project
   > Sent by: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
   >
   > Hi Thomas,
   >
   > I have never worked with a server that uses NTLM authentication. I do
   > not have access to a server that uses it that I could test it with.
   >
   > In other forms of authorization, the HTTP server sends a
   > www-authenticate header along with a 401 response code to notify the
   > client that authentication is required, and to specify the types of
   > authentication that can be used (Currently, HTTPAPI supports BASIC and
   > DIGEST).  The client (HTTPAPI) sends back an authorization: header
   > containing the details.
   >
   > HTTPAPI provides routines named HTTP_setAuth and HTTP_getAuth to allow
   > the caller to learn about and/or supply these authentication details.
   > (such as supplying a password)
   >
   > I don't understand why an additional routine
   > (http_persist_negotiate_ntlm) would be necessary for this to work?! I
   > don't like that at all.  The caller should be able to (1) determine that
   > a userid/password is needed by the 401 response, and (2) call setAuth to
   > provide it...  and, aside from that, it should be seamless to the
   > caller.   I don't want the caller to have to go through different coding
   > efforts depending on the type of authentication required by the server!
   >
   >
   >
   > On 4/23/2012 2:57 PM, Thomas Raddatz wrote:
   > > Hi Scott,
   > >
   > > I wonder if you ever spent a minute on NTLM authentication. Are you open
   > > to adding NTLM authentication to HTTPAPI?
   > >
   > > So far it seems to work for GET operations. I tried it with http_url_get()
   > > and with http_persist_open(), http_persist_get() and http_persist_close().
   > >
   > > I do not have a chance to test it with the POST operations because I do not
   > > yet have a web service on my IIS. I have to figure out how to get that up and
   > > running. Using a POST operation for a static html page fails with an error
   > > message saying something like "post not allowed".
   > >
   > > On one side having NTLM authentication would be a good enhancement to HTTP API
   > > but on the other side I do not know whether or not we would open Pandora's
   > > Box with it.
   > >
   > > Here is the list of changes. Feel free to take a look at it and please let
   > > me know what you think about it. Of course you can also get the source
   > > code. But I did not want to bother you with it unless you consider looking
   > > at it.
   > >
   > > Basically I used the source code of the JCIFS project to write "my" NTLM
   > > implementation. So far I implemented the LM compatibility levels 0-5 but
   > > without the signing option.
   > >
   > > Special thanks to Loek Maartens who pointed me in the right direction.
   > >
   > > Thomas.
   > >
   > > Changes to HTTP API 1.25beta2:
   > >
   > > QRPGLESRC:
   > > ----------
   > >
   > > HTTPAPI_H
   > >
   > > 1)  Added parameter 'peNtlm' to 'http_getauth'.
   > > 2)  Added parameter 'peDomain' to 'http_setauth'.
   > > 3)  Added prototype for procedure 'http_persist_negotiate_ntlm'.
   > > 4)  Added error code 'HTTP_NEGNTLM' which is sent by procedure
   > >       'http_persist_negotiate_ntlm'.
   > > 5)  Added authentication type 'HTTP_AUTH_NTLM'.
   > >
   > > HTTPAPIR4
   > >
   > > 1)  Added prototype NTLM_H to include the NTLM service program
   > >       procedures.
   > > 2)  Added parameter 'peResetAuth' to 'interpret_auth', because
   > >       'interpret_auth' is being called twice for NTLM authentication.
   > > 3)  Added procedure 'nullWrite' that is used when sending
   > >       the NEGOTIATE (Type-1) message to the server.
   > > 4)  Added constants 'NTLM_NONE', 'NTLM_NEGOTIATE', 'NTLM_AUTHENTICATE'
   > >       and 'NTLM_CONNECTED' to keep track of the NTLM authentication
   > >       status.
   > > 5)  Added 'dsAuthNtlm', 'dsAuthNtlmStatus', 'dsAuthMsgNtlm' and
   > >       'dsAuthDomain' to data structure 'dsAuth' to store additional
   > >       NTLM authentication values.
   > > 6)  Setting 'wwReqChain' for NTLM authentication in procedure
   > >       'do_oper'.
   > > 7)  Changing return code of parse_resp_chain() back to '-1' in
   > >       procedure 'do_oper' after having received a 401 error for
   > >       POST/PUT data.
   > > 8)  Changing return code of parse_resp_chain() back to '-1' in
   > >       procedure 'do_oper' after having received a 401 error when the
   > >       program is not in NTLM authentication status.
   > > 9)  Added optional parameter 'peNtlm' to procedure 'http_getauth'.
   > > 10) Added optional parameter 'peDomain' to procedure 'http_setauth'.
   > > 11) Allowed authentication type 'HTTP_AUTH_NTLM' for procedure
   > >       'http_setauth'.
   > > 12) Setting NTLM specific values in procedure 'http_setauth'.
   > > 13) Added public procedure 'http_persist_negotiate_ntlm'.
   > > 14) Fixed 'interpret_auth' to properly retrieve the "WWW-Authenticate"
   > >       values. Procedure did not work for values that are not enclosed
   > >       in quotes. Header "WWW-Authenticate" appears twice in 401 response
   > >       messages:
   > >       WWW-Authenticate: Negotiate\r\n
   > >       WWW-Authenticate: NTLM\r\n
   > > 15) Added call to 'http_persist_negotiate_ntlm' after having executed
   > >       'http_persist_open' to 'http_url_get_raw' and 'http_url_post_raw'.
   > > 16) Changed 'parse_resp_chain' to parse multiple occurrences of
   > >       'WWW-Authenticate' headers.
   > > 17) Changed 'parse_resp_chain' to return a '401' error code when using
   > >       NTLM authentication.
   > > 18) Changed 'proxy_tunnel' to return '-1' when receiving a '401' from
   > >       'parse_resp_chain'.
   > >
   > > ENCRYPTR4 (RPGLE)
   > >
   > > 1)  New module providing data encryption and digest services.
   > >       (Uses MD4C for MD4 digest. Provides RC4, MD4, DES, MD5Digest
   > >       and MD5Hmac services.)
   > >
   > > NTLMR4 (RPGLE)
   > >
   > > 1)  New module providing NTLM authentication services.
   > >
   > > MD4C (C)
   > >
   > > 1)  New module. C implementation of the MD4 digest service of
   > >       RSA Data Security, Inc.
   > >
   > > QSRVSRC:
   > > --------
   > >
   > > HTTPAPI1
   > >
   > > 1)  Added procedure export 'http_persist_negotiate_ntlm'.
   > >
   > > HTTPAPI2
   > >
   > > 1)  Added procedure export 'http_persist_negotiate_ntlm'.
   > >
   > > QCLSRC:
   > > -------
   > >
   > > INSTALL
   > >
   > > 1)  Changed to create the new modules.
   > > 2)  Changed to add the new modules to binding directory QTEMP/HTTPAPIR4.
   > >
   > >
   > >
   > >
   > > On 22.04.2012 14:22, Thomas Raddatz wrote:
   > >> Hi,
   > >>
   > >> Is there somebody who has experience in using the NTLM authentication
   > >> mechanism? I am trying to add NTLM authentication to HTTP API with
   > >> little success so far.
   > >>
   > >> Although all my RPGUnit test cases show "green" for all the various
   > >> procedures for calculating this and that, I cannot successfully connect to
   > >> the IIS server on my local desktop PC. I always get a 401 "Access Denied"
   > >> error message.
   > >>
   > >> I must be doing something wrong. Most likely it is something obvious that
   > >> I do not see. One thing I have in mind is the "keep-alive" header. When I
   > >> connect from my PC to the IIS on a virtual machine, I can see that both
   > >> (client and server) set the "keep-alive" header and that the
   > >> NTLMSSP_NEGOTIATE and NTLMSSP_AUTH messages are sent through the same port.
   > >> As far as I understand HTTP API, HTTP API does not support the "keep-alive"
   > >> header and hence my RPG program uses different ports to send
   > >> these messages.
   > >>
   > >> I gladly provide more details or my test library to everyone who wants to
   > >> join me.
   > >>
   > >> Regards,
   > >>
   > >> Thomas.
   > >>

   --
   IMPORTANT NOTICE:
   This email is confidential, may be legally privileged, and is for the
   intended recipient only. Access, disclosure, copying, distribution, or
   reliance on any of it by anyone else is prohibited and may be a
   criminal
   offence. Please delete if obtained in error and email confirmation to
   the sender.
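Thomas's point above, that NTLM authenticates the connection rather than each request, and the change-list items about parsing the repeated, unquoted "WWW-Authenticate" headers of a 401 response, can be seen together in the following added Python example. It is not code from this thread, from HTTPAPI or from JCIFS: the client and server are in-process stand-ins, the connection ids model TCP sockets, the function names mirror the http_persist* procedures only loosely, and the Type-3 proof is an HMAC placeholder rather than the real NTLM response computation, so only the HTTP-level flow (Type-1, 401 with Type-2, Type-3, 200, then unauthenticated requests on the same socket) is faithful.

```python
"""Added example (not HTTPAPI or JCIFS code): toy NTLM-over-HTTP exchange that
parses repeated WWW-Authenticate headers and shows why the handshake is bound
to the connection. Payloads are placeholders, not the real NTLMv1/v2 maths."""
import base64
import hashlib
import hmac
import os

NTLM_NONE, NTLM_NEGOTIATE, NTLM_AUTHENTICATE, NTLM_CONNECTED = range(4)  # client status
TOY_SECRET = b"toy-shared-secret"  # constructed stand-in for the password-derived key
NTLMSSP = b"NTLMSSP\0"             # real 8-byte signature that starts every NTLM message

def parse_www_authenticate(raw_response):
    """Return [(SCHEME, data)] for every WWW-Authenticate header, including
    repeated headers and bare schemes that carry no quoted parameters."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            scheme, _, data = value.strip().partition(" ")
            found.append((scheme.upper(), data.strip()))
    return found

def status_of(raw_response):
    return int(raw_response.split(" ", 2)[1])

class ToyNtlmServer:
    """Tracks authentication per connection id, as IIS does per TCP socket."""
    def __init__(self):
        self.challenges = {}        # conn_id -> nonce issued on that connection
        self.authenticated = set()  # connections that completed the handshake

    def handle(self, conn_id, request):
        if conn_id in self.authenticated:          # no Authorization header needed
            return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
        token = None
        for line in request.split("\r\n"):
            if line.lower().startswith("authorization: ntlm "):
                token = base64.b64decode(line.split(" ", 2)[2])
        if token is None or len(token) < 12 or not token.startswith(NTLMSSP):
            return ("HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n"
                    "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
        if token[8] == 1:                          # Type-1 NEGOTIATE -> Type-2 CHALLENGE
            nonce = os.urandom(8)
            self.challenges[conn_id] = nonce
            type2 = base64.b64encode(NTLMSSP + b"\x02\0\0\0" + nonce).decode()
            return ("HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n"
                    f"WWW-Authenticate: NTLM {type2}\r\n\r\n")
        if token[8] == 3 and conn_id in self.challenges:   # Type-3 AUTHENTICATE
            nonce = self.challenges.pop(conn_id)
            expected = hmac.new(TOY_SECRET, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(token[12:], expected):
                self.authenticated.add(conn_id)
                return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
        return "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\nWWW-Authenticate: NTLM\r\n\r\n"

class ToyClient:
    """Loosely mirrors http_persist_open / http_persist_negotiate_ntlm / http_persist_get."""
    def __init__(self, server):
        self.server, self.next_id = server, 0

    def persist_open(self):
        self.next_id += 1
        return {"id": self.next_id, "ntlm": NTLM_NONE}   # one "socket"

    def _get(self, conn, path, authorization=None):
        req = f"GET {path} HTTP/1.1\r\nHost: intranet\r\nConnection: keep-alive\r\n"
        if authorization:
            req += f"Authorization: {authorization}\r\n"
        return self.server.handle(conn["id"], req + "\r\n")

    def persist_negotiate_ntlm(self, conn, path="/"):
        """Run the Type-1/Type-2/Type-3 exchange on this one connection."""
        type1 = base64.b64encode(NTLMSSP + b"\x01\0\0\0").decode()
        conn["ntlm"] = NTLM_NEGOTIATE
        resp = self._get(conn, path, "NTLM " + type1)
        blobs = [d for s, d in parse_www_authenticate(resp) if s == "NTLM" and d]
        if status_of(resp) != 401 or not blobs:
            return False
        nonce = base64.b64decode(blobs[0])[12:20]
        proof = hmac.new(TOY_SECRET, nonce, hashlib.sha256).digest()  # placeholder proof
        type3 = base64.b64encode(NTLMSSP + b"\x03\0\0\0" + proof).decode()
        conn["ntlm"] = NTLM_AUTHENTICATE
        ok = status_of(self._get(conn, path, "NTLM " + type3)) == 200
        conn["ntlm"] = NTLM_CONNECTED if ok else NTLM_NONE
        return ok

    def persist_get(self, conn, path):
        return status_of(self._get(conn, path))

def demo():
    """Return (status on the negotiated connection, status on a fresh one)."""
    client = ToyClient(ToyNtlmServer())
    c1 = client.persist_open()
    assert client.persist_negotiate_ntlm(c1) and c1["ntlm"] == NTLM_CONNECTED
    same_conn = client.persist_get(c1, "/report")   # 200: this socket is authenticated
    c2 = client.persist_open()
    other_conn = client.persist_get(c2, "/report")  # 401: new socket, no handshake yet
    return same_conn, other_conn
```

demo() returns (200, 401): the second GET on the negotiated connection carries no Authorization header at all and still succeeds, while the identical GET on a freshly opened connection is rejected. That is the reason a per-request hook such as http_setauth() cannot carry NTLM on its own and the handshake has to be run once per http_persist_open(); it is also why a client that opens a new socket for every request (no keep-alive) never gets past the 401.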

References

   1. http://www.innovation.ch/personal/ronald/ntlm.html
   2. http://www.scottklement.com/mailman/listinfo/ftpapi
   3. http://www.scottklement.com/mailman/listinfo/ftpapi
   4. http://www.scottklement.com/mailman/listinfo/ftpapi

Attachment: HTTPAPI_NTLM_Samples.zip
Description: Zip archive

-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------