Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

NTLM authentication with IIS 6

by mrlizard123 (Novice)
on Apr 16, 2013 at 15:02 UTC ( #1028944=perlquestion: print w/ replies, xml ) Need Help??
mrlizard123 has asked for the wisdom of the Perl Monks concerning the following question:

Using this adapted sample script it seems that it's not submitting the domain part of the user credentials to the server and I'm getting an unauthorised message.

Server rejects anything < NTLM2

#!/usr/bin/perl use LWP::UserAgent; use Authen::NTLM; use HTTP::Request::Common; use HTTP::Response; ntlmv2(1); my $url = 'http://server:port/path/script.aspx'; my $username="domain\\user_name"; my $password='password' ; my $host = 'server:port'; my $ua = LWP::UserAgent->new( keep_alive => 1 ); $ua->credentials( $host, '', $username, $password); my $req = GET $url; my $response = $ua->request($req); printf " %s\n", $response->status_line; printf "\n\n\n" . $response->content();

Gives me an error

"HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials."

Wireshark on the IIS server shows (amongst other things)

NTLMSSP NTLMSSP identified: NTLMSSP NTLM Message Type: NTLMSSP_AUTH (0x00000003) Lan Manager Response: [BLANKED OUT] NTLM Response: [BLANKED OUT] Domain name: ???? User name: user_name Host name: user_name Session key: Empty Flags: 0x00088205 Host: server:port

The "????" is the value for domain (or wireshark shows ???? for blank values, I'm not sure). Tried "forsmbg"s suggested fix for setting of $domain from here https://rt.cpan.org/Public/Bug/Display.html?id=9521#txn-1096169 but this doesn't make any difference.

Any suggestions on how to proceed gratefully received!

Comment on NTLM authentication with IIS 6
Select or Download Code
Re: NTLM authentication with IIS 6
by Khen1950fx (Canon) on Apr 16, 2013 at 16:19 UTC
    Have you tried LWP::Authen::Ntlm? It seems like such a good fit.
    #!/usr/bin/perl -l use strict; use warnings; use LWP::UserAgent; use HTTP::Request::Common; my $url = 'http://server:port/path/script.aspx'; my $user = 'domain\\user'; my $pass = 'password'; my $host = 'server:port'; my $ua = LWP::UserAgent->new( keep_alive => 1 ); $ua->credentials($host, '', $user, $pass); my $req = GET $url; my $response = $ua->request($req); if ($response->is_success) { printf " %s\n", $response->status_line; printf "\n\n\n" . $response->content(); } else { print "Something's not right... ->" . $response->code; }

      Yes I tried that and unfortunately getting this

      LWP::UserAgent::new: () LWP::UserAgent::request: () LWP::UserAgent::send_request: GET http://server:port/path/script.aspx LWP::UserAgent::_need_proxy: Not proxied LWP::Protocol::http::request: () LWP::Protocol::collect: read 808 bytes LWP::Protocol::collect: read 848 bytes LWP::Protocol::http::request: Keep the http connection to server:port LWP::UserAgent::request: Simple response: Unauthorized LWP::Authen::Ntlm::authenticate: authenticate() has been called LWP::Authen::Ntlm::authenticate: In first phase of NTLM authentication LWP::Authen::Ntlm::authenticate: Returning response object with auth h +eader: Authorization NTLM XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +XXXXXXXXXXXXXXXXX LWP::UserAgent::request: () LWP::UserAgent::send_request: GET http://server:port/path/script.aspx LWP::UserAgent::_need_proxy: Not proxied LWP::Protocol::http::request: () LWP::Protocol::collect: read 100 bytes LWP::UserAgent::request: Simple response: Internal Server Error Something's not right... ->500

      I changed the server/port/path and the Authorization NTLM but otherwise this is the output.

      The webserver server has a group policy applied which means I must use NTLMv2...

      Using an old version of Perl.. should probably have mentioned that; 5.6.1.

      Using the same credentials in a browser same url it works fine, on a server with the group policy disabled I don't have these problems either. (unfortunately disabling the policy is not an option...)

      I'd have pulled my hair out by now if I had any!

        It's possible you are running into the same issue I am, in my case the policy is set on the server (NtlmMinClientSec) to 0x20080030.. In short it's 128-bit encryption, NTLMv2 session security, Message confidentiality, Message integrity.

        It's still v2 but with additional minimum NTLMSSP requirements that may or may not be implemented..

      Have you tried LWP::Authen::Ntlm? It seems like such a good fit.

      LWP::Authen::Ntlm uses Authen::NTLM, and neither should need to be explicitly included in the script, as the type of authentication is detected and the NTLM libraries are auto-included.

      Update: Except that it doesn't detect NTLM V1 vs V2, so Authen::NTLM does need to be explicitly included (see below).

        LWP::Authen::Ntlm uses Authen::NTLM, and neither should need to be explicitly included, as the type of authentication is detected and the NTLM libraries are auto-included.

        If I do not explicitly use Authen:NTLM I get:

        Undefined subroutine &main::ntlmv2

        Whether I specify them or not in the suggestion by Khen1950fx I still get response code of '500' with content:

        <html><head><title>Error</title></head><body>The function requested is + not supported </body></html>
Re: NTLM authentication with IIS 6
by jakeease (Friar) on Apr 17, 2013 at 06:02 UTC

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1028944]
Front-paged by Corion
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (10)
As of 2014-08-22 10:30 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best computer themed movie is:











    Results (153 votes), past polls