
Fwd: Re: HTTPAPI and NTLM or SPNEGO Help



Second try to let this message show up in the list. Scott, does that message not show up because of the problems you mentioned?

Thomas.

-------- Original Message --------
Subject: Re: HTTPAPI and NTLM or SPNEGO Help
Date: Wed, 19 Sep 2012 20:11:51 +0200
From: Thomas Raddatz <thomas.raddatz@xxxxxxxxxxx>
To: HTTPAPI and FTPAPI Projects <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>

Brett,

As I already mentioned in my private email, you may want to give my NTLM
patch a try. The patch works for HTTPAPI v1.15beta2.

Most changes are encapsulated in separate modules. There are only a few
changes to HTTPAPIR4 and HTTPAPI_H.

From an outside view NTLM authentication works the same as for BASIC and
DIGEST authentication. But for better performance you need to use a
persistent connection, since NTLM secures a session and not a request. A
typical request goes like this:

  client sends actual request
  server rejects request with "not authenticated"
  client sends a NEGOTIATE message to the server exposing his capabilities
  server responds with a CHALLENGE message

  client sends an AUTHENTICATE message along with the actual request
  server responds to that message

In contrast to that, BASIC authentication works like this:

  client sends actual request
  server rejects request with "not authenticated"

  client sends actual request with BASIC authentication header
  server responds to that message

As you can see there are two additional requests exchanged between a client
and the server when using NTLM authentication. In order to avoid that
overhead one may consider using a persistent connection, which goes like this:

  client sends request
  server rejects request with "not authenticated"
  client sends a NEGOTIATE message to the server exposing his capabilities
  server responds with a CHALLENGE message

Now, the client can repeat sending requests until the connection is closed:

  client sends an AUTHENTICATE message along with the actual request
  server responds to that message
  ...
  client sends an AUTHENTICATE message along with the actual request
  server responds to that message

Here is an example of a simple GET:

   URL = 'http://' + Job_getTcpIpAddr() + '/index.html';
   IFS = '/home/raddatz/httpapi_example25.html';

   rc = http_url_get(URL: IFS);
   if (rc <> 1);
      http_error(err);
      if (err = HTTP_NDAUTH);
         if (http_getauth(basic: digest: realm) = 0);
            http_setauth(HTTP_AUTH_NTLM: user: password);
            rc = http_url_get(URL: IFS);
         endif;
      endif;
   endif;

Please notice that http_setauth() does not have a parameter for NTLM
authentication. Either you know that the server uses NTLM authentication or
you can assume NTLM authentication in case 'basic' and 'digest' are *OFF
and the return value is '0'.

Last but not least here is an example of a persistent connection:

   URL = 'http://' + Job_getTcpIpAddr() + '/HelloWorld.asmx';
   IFS = '/home/raddatz/httpapi_example37.xml';

   // Open output file
   fd = open(IFS: O_WRONLY + O_TRUNC + O_CREAT + O_CCSID: 511: 819);

   postData =
      '<soapenv:Envelope +
          xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" +
          xmlns:tem="http://tempuri.org/">+
          <soapenv:Header/>+
          <soapenv:Body>+
             <tem:HelloWorld/>+
          </soapenv:Body>+
       </soapenv:Envelope>';

   // Open persistent connection
   pComm = http_persist_open(URL);

   // Set credentials, I know that it is NTLM authentication ;-)
   http_setauth(HTTP_AUTH_NTLM: user: password);

   // Call the web service twice and write the response to a stmf
   dou '1';
      if ( http_persist_post( pComm: URL: 0: *null
                            : %addr(postData)+2: %len(postData)
                            : fd: %paddr('write')) = -1);
         leave;
      endif;
      if ( http_persist_post( pComm: URL: 0: *null
                            : %addr(postData)+2: %len(postData)
                            : fd: %paddr('write')) = -1);
         leave;
      endif;
   enddo;

   // Close http connection
   http_persist_close(pComm);

   // Close output file
   callp close(fd);

Regards,

Thomas.

On 19.09.2012 13:21, Brett Elston wrote:


    Hi Folks,


    I am busy trying to implement web services between our iSeries and a
    Navision system. Navision does not use IIS for authentication and hence
    neither Basic nor Digest authentication is enabled. The only protocols
    Navision will accept are SPNEGO or NTLM - thanks for that Microsoft.


    Using HTTPAPI to connect to the URL for the WSDL simply refuses
    access, even when supplying a user and password, and returns an error
    "36 This page requires a user-id & password". This, I assume, is because
    only Basic and Digest are currently supported.


    Is this a problem that anyone has managed to resolve?  I did read
    through the archive topics for NTLM but did not find a solution.


    I have been looking into perhaps trying to implement SPNEGO encryption
    based on the article,
    http://msdn.microsoft.com/en-us/library/ms995331.aspx , but am
    hoping that someone in this forum has managed to find an answer.


    Any help with this would be much appreciated.


    If no solution is currently available, I am more than willing to supply
    time and any code to this project, if given a shove in the right
    technical direction.


    Regards


    Brett


    Brett Elston
    Developer
    National Airways Corporation
    E brett.elston@xxxxxxxxx
    www.nac.co.za

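The following Python example is added here and is not part of the original e-mails or of HTTPAPI. It decodes the NTLM tokens carried in the WWW-Authenticate and Authorization headers during the first steps of the exchange Thomas lists (the 401, the NEGOTIATE message, the CHALLENGE message). The function names, the target name EXAMPLE and the challenge bytes are constructed for the example.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
FLAG_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE
FLAG_NTLM = 0x00000200     # NTLMSSP_NEGOTIATE_NTLM

def build_negotiate(flags=FLAG_UNICODE | FLAG_NTLM):
    """Type 1: signature, type, flags, empty domain and workstation fields."""
    return SIGNATURE + struct.pack("<II16x", 1, flags)

def build_challenge(target, nonce, flags=FLAG_UNICODE | FLAG_NTLM):
    """Type 2 (name fields, flags, challenge, reserved, info fields, version)."""
    name = target.encode("utf-16-le")
    return SIGNATURE + struct.pack("<IHHII8s8xHHI8x", 2, len(name), len(name), 56,
                                   flags, nonce, 0, 0, 56 + len(name)) + name

def parse_header(value):
    """Decode one 'NTLM <base64>' value of Authorization or WWW-Authenticate."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    if not token:
        return {"type": "OFFER"}  # bare 'NTLM' on the first 401: scheme advertised only
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": TYPES.get(mtype, "UNKNOWN")}
    if mtype == 2:
        if len(msg) < 32:
            raise ValueError("truncated CHALLENGE")
        length, _, offset = struct.unpack_from("<HHI", msg, 12)
        if offset + length > len(msg):
            raise ValueError("target name lies outside the message")
        info["flags"] = struct.unpack_from("<I", msg, 20)[0]
        info["server_challenge"] = msg[24:32].hex()
        # Assumption: NEGOTIATE_UNICODE was agreed, so the name is UTF-16LE.
        info["target"] = msg[offset:offset + length].decode("utf-16-le")
    return info

def walk_handshake():
    """Decode the 401 offer, NEGOTIATE and CHALLENGE; every value is constructed."""
    challenge = build_challenge("EXAMPLE", bytes.fromhex("0123456789abcdef"))
    tokens = [b"", build_negotiate(), challenge]
    return [parse_header("NTLM " + base64.b64encode(t).decode()) for t in tokens]

if __name__ == "__main__":
    print(walk_handshake())
```
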



-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------


