Fwd: Re: HTTPAPI and NTLM or SPNEGO Help
Second try to let this message show up in the list. Scott, does that
message not show up because of the problems you mentioned?
Thomas.
-------- Original Message --------
Subject: Re: HTTPAPI and NTLM or SPNEGO Help
Date: Wed, 19 Sep 2012 20:11:51 +0200
From: Thomas Raddatz <thomas.raddatz@xxxxxxxxxxx>
To: HTTPAPI and FTPAPI Projects <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Brett,
As I already mentioned in my private email, you may want to give my NTLM
patch a try. The patch works for HTTPAPI v1.15beta2.
Most changes are encapsulated in separate modules. There are only a few
changes to HTTPAPIR4 and HTTPAPI_H.
From an outside view NTLM authentication works the same as for BASIC and
DIGEST authentication. But for better performance you need to use a
persistent connection, since NTLM secures a session and not a request. A
typical request goes like this:
  client sends actual request
  server rejects request with "not authenticated"
  client sends a NEGOTIATE message to the server exposing his capabilities
  server responds with a CHALLENGE message
  client sends an AUTHENTICATE message along with the actual request
  server responds to that message
In contrast to that, BASIC authentication works like this:
  client sends actual request
  server rejects request with "not authenticated"
  client sends actual request with BASIC authentication header
  server responds to that message
As you can see there are two additional requests exchanged between a client
and the server when using NTLM authentication. In order to avoid that
overhead one may consider using a persistent connection, which goes like this:
  client sends request
  server rejects request with "not authenticated"
  client sends a NEGOTIATE message to the server exposing his capabilities
  server responds with a CHALLENGE message
Now, the client can repeat sending requests until the connection is closed:
  client sends an AUTHENTICATE message along with the actual request
  server responds to that message
  ...
  client sends an AUTHENTICATE message along with the actual request
  server responds to that message
Here is an example of a simple GET:
    URL = 'http://' + Job_getTcpIpAddr() + '/index.html';
    IFS = '/home/raddatz/httpapi_example25.html';
    // First attempt, sent without credentials
    rc = http_url_get(URL: IFS);
    if (rc <> 1);
       http_error(err);
       // The server asked for authentication
       if (err = HTTP_NDAUTH);
          if (http_getauth(basic: digest: realm) = 0);
             // Set NTLM credentials and repeat the request
             http_setauth(HTTP_AUTH_NTLM: user: password);
             rc = http_url_get(URL: IFS);
          endif;
       endif;
    endif;
Please notice that http_setauth() does not have a parameter for NTLM
authentication. Either you know that the server uses NTLM authentication or
you can assume NTLM authentication in case 'basic' and 'digest' are *OFF
and the return value is '0'.
Last but not least here is an example of a persistent connection:
    URL = 'http://' + Job_getTcpIpAddr() + '/HelloWorld.asmx';
    IFS = '/home/raddatz/httpapi_example37.xml';
    // Open output file
    fd = open(IFS: O_WRONLY + O_TRUNC + O_CREAT + O_CCSID: 511: 819);
    postData =
       '<soapenv:Envelope +
          xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" +
          xmlns:tem="http://tempuri.org/">+
          <soapenv:Header/>+
          <soapenv:Body>+
          <tem:HelloWorld/>+
          </soapenv:Body>+
          </soapenv:Envelope>';
    // Open persistent connection
    pComm = http_persist_open(URL);
    // Set credentials, I know that it is NTLM authentication ;-)
    http_setauth(HTTP_AUTH_NTLM: user: password);
    // Call the web service twice and write the response to a stmf
    dou '1';
       if ( http_persist_post( pComm: URL: 0: *null
                             : %addr(postData)+2: %len(postData)
                             : fd: %paddr('write')) = -1);
          leave;
       endif;
       if ( http_persist_post( pComm: URL: 0: *null
                             : %addr(postData)+2: %len(postData)
                             : fd: %paddr('write')) = -1);
          leave;
       endif;
    enddo;
    // Close http connection
    http_persist_close(pComm);
    // Close output file
    callp close(fd);
Regards,
Thomas.
On 19.09.2012 13:21, Brett Elston wrote:
Hi Folks,
I am busy trying to implement web services between our iSeries and a
Navision system. Navision does not use IIS for authentication and hence
neither Basic nor Digest authentication is enabled. The only protocols
Navision will accept are SPNEGO or NTLM - thanks for that Microsoft.
Using HTTPAPI to connect to the url for the WSDL simply refuses
access, even with supplying a user and password, and returns an error
"36 This page requires a user-id & password". This I assume as only
Basic and Digest are currently supported.
Is this a problem that anyone has managed to resolve? I did read
through the archive topics for NTLM but did not find a solution.
I have been looking into perhaps trying to implement SPNEGO encryption
based on the article,
[2]http://msdn.microsoft.com/en-us/library/ms995331.aspx , but am
hoping that someone in this forum has managed to find an answer.
Any help with this would be much appreciated.
If no solution is currently available, I am more than willing to supply
time and any code, to this project, if given a shove in the right
technical direction.
Regards
Brett
Brett Elston
Developer
National Airways Corporation
E brett.elston@xxxxxxxxx
[3]www.nac.co.za
References
1. https://mail28.mimecast.co.za/mimecast/click?account=CSA14A7&code=c05885ed1747b6dd94313894a59fef86
2. http://msdn.microsoft.com/en-us/library/ms995331.aspx
3. http://www.nac.co.za/
4. https://mail28.mimecast.co.za/mimecast/click?account=CSA14A7&code=c708dd5573f0dd1f1843dcfa8c550a52
5. https://mail28.mimecast.co.za/mimecast/click?account=CSA14A7&code=4a56c828b81942e3217529ef9c7e7250
6. https://mail28.mimecast.co.za/mimecast/click?account=CSA14A7&code=62d88e4dcfa6c43da17ba19f4f504b79
7. https://mail28.mimecast.co.za/mimecast/click?account=CSA14A7&code=acabf02a5133ae33d5a385c49ef6ec4d
8. http://www.nac.co.za/disclaimer.html
9. mailto:disclaimer@xxxxxxxxx
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
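The NEGOTIATE, CHALLENGE and AUTHENTICATE messages described in the message above travel base64-encoded in the HTTP Authorization and WWW-Authenticate headers, prefixed with the scheme name NTLM. The following Python parser is an added example, not part of the HTTPAPI patch or of the original post; it identifies each leg of the handshake from such a header value, which helps when checking a trace to see whether a connection is being re-authenticated. The function names, the sample tokens (constructed, not captured) and the cp437 fallback for OEM strings are assumptions.

```python
import base64
import struct

TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
MIN_LEN = {1: 16, 2: 32, 3: 64}   # fixed-size part needed by the reads below

def _field(msg, pos, flags):
    """Follow a (len, maxlen, offset) descriptor and decode the string it names."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    # Bit 0 is NTLMSSP_NEGOTIATE_UNICODE; the OEM code page is assumed here
    enc = "utf-16-le" if flags & 0x1 else "cp437"
    return msg[offset:offset + length].decode(enc)

def parse_ntlm_header(value):
    """Decode a WWW-Authenticate or Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM token")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in TYPES or len(msg) < MIN_LEN[mtype]:
        raise ValueError("unknown or truncated message")
    flags = struct.unpack_from("<I", msg, {1: 12, 2: 20, 3: 60}[mtype])[0]
    out = {"type": TYPES[mtype], "flags": flags}
    if mtype == 2:    # server's CHALLENGE: target name and 8-byte nonce
        out["target"] = _field(msg, 12, flags)
        out["server_challenge"] = msg[24:32].hex()
    elif mtype == 3:  # client's AUTHENTICATE: who is logging on
        out["domain"] = _field(msg, 28, flags)
        out["user"] = _field(msg, 36, flags)
    return out

def sample_exchange():
    """Constructed tokens (not captured traffic); type 3 carries no responses."""
    sig, flags = b"NTLMSSP\x00", 0x00000205  # UNICODE|REQUEST_TARGET|NTLM
    dom, usr = "EXAMPLE".encode("utf-16-le"), "alice".encode("utf-16-le")
    t1 = sig + struct.pack("<II", 1, flags) + bytes(16)
    t2 = (sig + struct.pack("<IHHII", 2, len(dom), len(dom), 48, flags)
          + bytes.fromhex("0102030405060708") + bytes(16) + dom)
    t3 = (sig + struct.pack("<I", 3) + bytes(16)
          + struct.pack("<HHI", len(dom), len(dom), 64)
          + struct.pack("<HHI", len(usr), len(usr), 64 + len(dom))
          + bytes(16) + struct.pack("<I", flags) + dom + usr)
    return ["NTLM " + base64.b64encode(t).decode() for t in (t1, t2, t3)]

print(*map(parse_ntlm_header, sample_exchange()), sep="\n")
```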