[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to get back "NTLM authentication required" from http_getauth()?

   For sure it was great if we could include NTLM authentication in HTTP
   API. Most likely I did not understand you correctly but I thought that
   you did not like the idea of adding NTLM authentication to HTTP API at
   all. Therefore I asked for the best way of adding parameter "peNTLM"
   without breaking any compatibility.
   So far the patch seems to work for at least 3 users and I am wating for
   the final feedback of two more users.
   The patch supports NTLM v1, NTLM v1 + NTLM2 and NTLM v2. It does not
   (yet) support signing and sealing of messages. Maybe it is possible to
   add that in the future.
   I would gladly add parameter peNTLM to http_getAuth() if you agreed to
   adopt the patch. Feel free to read document
   PAPI_and_NTLM_v1.5.pdf to get an overview of the patch.
   Attached you find the list of changes of HTTP API and the source code
   of HTTPAPIR4. Search for "NTLM:" to see the changes.
   Let me know if you need further information to make your decision.
   ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx schrieb am 24.10.2012 05:25:34:
   > Von: sk@xxxxxxxxxxxxxxxx
   > An: ftpapi@xxxxxxxxxxxxxxxxxxxxxx,
   > Datum: 24.10.2012 05:42
   > Betreff: Re: How to get back "NTLM authentication required" from
   > http_getauth()?
   > Gesendet von: ftpapi-bounces@xxxxxxxxxxxxxxxxxxxxxx
   > Hi Thomas,
   > I don't understand why you want the peNTLM parameter to be
   > "unofficial"?  Why not make it a part of the base HTTPAPI
   > so that it will always be there and available to everyone who wants
   > use NTLM authentication?
   > -SK
   > On 10/23/2012 2:34 PM, Thomas Raddatz wrote:
   > > Hi Scott,
   > >
   > > For now users of the NTLM patch either have to know that the server
   > > requires NTLM authentication or they have to assume it, in case
   > > http_getAuth() returns "0" and "false" for "peBasic" and
   > >
   > > Since that is somewhat ugly I need a good idea how to extend the
   > > official HTTP API to get that information.
   > >
   > > Of course I could add an unofficial parameter "peNTLM" to
   > > http_getAuth() but I am concerned about that you might also add a
   > > parameter (conflicting with peNTLM) some time.
   > >
   > > Adding a new procedure to the export list is not a good idea as
   > > because it would conflict with every extension that you add in the
   > > future.
   > >
   > > Do you have a good idea how to solve the problem?
   > >
   > > Regards,
   > >
   > > Thomas.
   > >
   > > This is the FTPAPI mailing list.  To unsubscribe, please go to:
   > > [2]http://www.scottklement.com/mailman/listinfo/ftpapi
   > >
   > >
   > This is the FTPAPI mailing list.  To unsubscribe, please go to:
   > [3]http://www.scottklement.com/mailman/listinfo/ftpapi

   This email is confidential, may be legally privileged, and is for the
   intended recipient only. Access, disclosure, copying, distribution, or
   reliance on any of it by anyone else is prohibited and may be a
   offence. Please delete if obtained in error and email confirmation to
   the sender.


   1. http://www.tools400.de/Downloads/Freeware/Tools/FAQ/wsdl2rpg/FAQ_HTTPAPI_and_NTLM_v1.5.pdf
   2. http://www.scottklement.com/mailman/listinfo/ftpapi
   3. http://www.scottklement.com/mailman/listinfo/ftpapi
Changes to HTTPAPI 1.25beta2 to add NTLM authentication



1)  Added authentication type 'HTTP_AUTH_NTLM'.
2)  Added compiler condition HAVE_NTLM.


1)  Added prototype NTLM_H to include the NTLM authentication
2)  Added parameter 'peResetAuth' to 'interpret_auth', because
    'interpret_auth' is being called twice for NTLM authentication.
3)  Added 'wwSaveProc' and 'wwFile' to do_oper() in order to 
    save the actual "receive document" procedure when receiving 
    the 401 error page for NTLM authentication.
5)  Added call to procedure NTLM_produceAuthenticationHeader() to
    do_oper() to produce the "Authorization" HTTP header for NTLM
6)  Added call to procedure NTLM_mustReceiveAuthErrorPage() to
    do_oper() to determine whether or not to receive the 401 error
    page when using NTLM authentication. We must receive the error 
    page because we have to use a persistent connection for NTLM. If 
    we do not receive the error page we will get it later with the 
    regular data.
7)  Changed call to RecvChunk() and RecvDoc() in do_oper() to use 
    'wwSaveProc' and 'wwFile' to receive the 401 error page.
8)  Added call to NTLM_isAuthenticationRequired() to http_getAuth() 
    because there is no REALM for NTLM authentication. Otherwise 
    http_getAuth() ends with a "Server did not ask for authentication 
9)  Added call to NTLM_getRealm() to http_getAuth() to get the server
    realm for NTLM authentication.
10) Added call to NTLM_setAuthentication() to procedure http_setauth() 
    to pass the username and password to the NTLM login module.
11) Added parameter 'peResetAuth' to interpret_auth() to reset the 
    authentication values when interpret_auth() is called for the 
    first time.
12) Added call to NTLM_resetAuthentication() to interpret_auth() to 
    reset the NTLM login module when interpret_auth() is called for 
    the first time.
13) Added call to NTLM_interpretAuthenticationHeader() to 
    interpret_auth() to let the NTLM login module parse the HTTP 
    headers for NTLM authentication.
14) Added call to NTLM_negotiateAuthentication() to http_persist_req() 
    to negotiate the NTLM parameters with the server when NTLM
    authentication is requested.
15) Added field 'wwResetAuth' to parse_resp_chain() to make 
    interpret_auth() reset the authentication values when it is called 
    for the first time.


1)  Changed http_dwrite() to append NTLM version information to the 
    debug log.


1)  New module providing data encryption and digest services.
    (Uses MD4C4 for MD4 digest. Provides RC4, MD4, DES, MD5Digest and
     MD5Hmac services.)


1)  New module providing NTLM authentication services.

MD4C4 (C)

1)  New module. C implementation of the MD4 digest service of
    RSA Data Security, Inc.


1)  New module. RPGLE implementation of the MD4 digest service of
    RSA Data Security, Inc.


1)  Prototypes of MD4C4 and MD4R4.


1)  Public prototypes of the NTLM authentication extension.


1)  Private prototypes of the NTLM authentication extension.


1)  Changed to create the new modules.
2)  Changed to add the new modules to binding directory QTEMP/HTTPAPIR4.

Thomas Raddatz, 16.4.2012.

Attachment: HTTPAPIR4.MBR
Description: Binary data

This is the FTPAPI mailing list.  To unsubscribe, please go to: