PHP NTLM authentication of current user on different host fails using cURL – Stack Overflow

Ntlm with curl returns 401

Goal: connecting to an Exchange server (EWS)
Method: cURL
Problem: Cannot get authenticated (NTLM), request returns 401. [1]

There seems to be an old, well-documented issue [2] that started with cURL’s move from OpenSSL to NSS. I read that the implementation of NTLM is dependent on OpenSSL, and therefore this move broke the NTLM authentication.

The issue is shown below, but the important parts seem to be the returned 401 and the gss_init_sec_context() below that.

The thing I don’t understand is that my current version:

I’m not sure how this can be fixed. I could find a lot of old (mostly 2022) references to this problem, but nothing new, and certainly nothing with a solution. I know that provided references (see [2]) show that this might work with an older version (7.19), but I am not able (nor willing) to downgrade to that version.

Several implementations of Exchange-communication (EWS) use cURL to retrieve the EWS files (wsdl etc), so I’m sure there must be a working method around but I can’t find it. Does anyone have a clue what I can do? Do I have another bug, am I interpreting the facts wrong and is this still the same situation as provided in the links and it will never be fixed?


[1] The error goes something like this:

curl https://*DOMAIN*/Exchange.asmx -w %{http_code} --ntlm -u *USERNAME* --verbose --show-error
Enter host password for user '*USERNAME':
* About to connect() to DOMAIN port 443 (#0)
*   Trying IP... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
     *SNIP*
*        SSL certificate verify ok.
* Server auth using NTLM with user 'USERNAME'
> GET /EWS/Exchange.asmx HTTP/1.1
> Authorization: NTLM *snip*
> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: DOMAIN
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: Microsoft-IIS/7.5
< Set-Cookie: exchangecookie=xxx; expires=Wed, 17-Jul-2022 07:45:30 GMT; path=/; HttpOnly
< WWW-Authenticate: NTLM  *SNIP*
* gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_1005' not foundWWW-Authenticate: Negotiate
< X-Powered-By: ASP.NET
< Date: Tue, 17 Jul 2022 07:45:30 GMT
< Content-Length: 0
<
* Connection #0 to host DOMAIN left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

[2] For instance:


curl info:

user@server:~$ curl -V
curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

Proxy authentication with NTLM via curl returns 407 even with proper credentials

I’m trying to access a server using a proxy that uses NTLM authentication.
The problem is that even if I give the correct credentials (I’ve tested them with Firefox and the proxy, port, username and password are correct) I receive 407 (proxy requires authentication).

I’ve tried using CURLAUTH_NTLM, CURLAUTH_NTLM and a logical combination of both and still nothing.

I’m using the latest version of cURL (7.42.1) and the latest version of OpenSSL (1.0.2).

Can anyone please tell me what I’m doing wrong?

This is my C/C++ code:

#include <stdio.h>
#include <windows.h>     /* Sleep() */
#include <curl/curl.h>

int _main()
{
    CURL *hCurl;
    CURLcode curlCode;

    char username[] = "domain\\user";
    char password[] = "pass";
    char proxy[] = "myproxy:8080";
    char url[] = "http://some_random_url.com";

    hCurl = curl_easy_init();
    if(hCurl)
    {
        curl_easy_setopt(hCurl, CURLOPT_URL, url);

        /* Send the request through the HTTP proxy */
        curlCode = curl_easy_setopt(hCurl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
        curlCode = curl_easy_setopt(hCurl, CURLOPT_PROXY, proxy);
        /* Restrict HTTP authentication to NTLM */
        curlCode = curl_easy_setopt(hCurl, CURLOPT_HTTPAUTH,  /*CURLAUTH_BASIC | */CURLAUTH_NTLM);
        /* Credentials for the proxy */
        curlCode = curl_easy_setopt(hCurl, CURLOPT_PROXYUSERNAME, username);
        curlCode = curl_easy_setopt(hCurl, CURLOPT_PROXYPASSWORD, password);

        /* Repeat the request every 3 seconds */
        while(true)
        {
            curlCode = curl_easy_perform(hCurl);
            /* Check for errors */
            if(curlCode != CURLE_OK)
                fprintf(stderr, "curl_easy_perform() failed: %s\n",
                curl_easy_strerror(curlCode));

            Sleep(3000);
        }

        curl_easy_cleanup(hCurl);
    }

    getchar();
    return 0;

}
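
Both questions above turn on reading the challenge correctly: in NTLM over HTTP a 401 carrying `WWW-Authenticate: NTLM <token>` is the origin server's Type 2 challenge in the middle of the handshake, while a 407 carries `Proxy-Authenticate` and comes from the proxy. The following is an added example, not code from either post: it classifies one header line copied from `curl --verbose` output by hop and NTLM message type. The names `inspect`, `ntlm_msg_type` and `ntlm_step` are hypothetical, and the sample token is constructed (only the 12-byte NTLMSSP header).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

enum hop { HOP_NONE, HOP_ORIGIN, HOP_PROXY };
struct ntlm_step { enum hop hop; int msg_type; };

/* Decode at most cap bytes of base64; stops at padding or any non-base64 char. */
static size_t b64_decode(const char *s, uint8_t *out, size_t cap) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (const char *p; *s && n < cap && (p = strchr(tbl, *s)); s++) {
        acc = (acc << 6) | (uint32_t)(p - tbl);
        if ((bits += 6) >= 8) out[n++] = (uint8_t)(acc >> (bits -= 8));
    }
    return n;
}

/* 1, 2 or 3 for a valid NTLMSSP token; 0 when no token follows; -1 otherwise. */
int ntlm_msg_type(const char *tok) {
    uint8_t b[12];
    while (*tok == ' ') tok++;
    if (*tok == '\0' || *tok == '\r' || *tok == '\n') return 0;
    if (b64_decode(tok, b, sizeof b) < sizeof b || memcmp(b, "NTLMSSP", 8)) return -1;
    uint32_t t = b[8] | (uint32_t)b[9] << 8 | (uint32_t)b[10] << 16 | (uint32_t)b[11] << 24;
    return (t >= 1 && t <= 3) ? (int)t : -1;
}

/* Hop that issued the challenge (401 = origin, 407 = proxy) and the NTLM step; -1 = not NTLM. */
struct ntlm_step inspect(int status, const char *hdr) {
    struct ntlm_step r = { HOP_NONE, -1 };
    const char *name = status == 401 ? "WWW-Authenticate:"
                     : status == 407 ? "Proxy-Authenticate:" : NULL;
    if (!name || strncasecmp(hdr, name, strlen(name)) != 0) return r;
    r.hop = status == 401 ? HOP_ORIGIN : HOP_PROXY;
    hdr += strlen(name);
    while (*hdr == ' ') hdr++;
    if (strncasecmp(hdr, "NTLM", 4) == 0 && strchr(" \r\n", hdr[4]))
        r.msg_type = ntlm_msg_type(hdr + 4);
    return r;
}

int main(void) { /* constructed samples; the token is a bare 12-byte Type 2 header */
    struct ntlm_step a = inspect(401, "WWW-Authenticate: NTLM TlRMTVNTUAACAAAA");
    struct ntlm_step b = inspect(407, "Proxy-Authenticate: NTLM");
    printf("401: hop=%d type=%d\n407: hop=%d type=%d\n", a.hop, a.msg_type, b.hop, b.msg_type);
    return 0;
}
```

libcurl selects authentication methods per hop: `CURLOPT_HTTPAUTH` applies to the origin server (401) and `CURLOPT_PROXYAUTH` to the proxy (407). The `curl` tool's equivalents are `--ntlm` and `--proxy-ntlm`.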
