NTLM authentication with IIS 6

by mrlizard123 (Novice)
on Apr 16, 2013 at 15:02 UTC

mrlizard123 has asked for the wisdom of the Perl Monks concerning the following question:

Using this adapted sample script it seems that it's not submitting the domain part of the user credentials to the server and I'm getting an unauthorised message.

Server rejects anything < NTLM2

#!/usr/bin/perl
use LWP::UserAgent;
use Authen::NTLM;
use HTTP::Request::Common;
use HTTP::Response;
ntlmv2(1);
my $url = 'http://server:port/path/script.aspx';
my $username="domain\\user_name";
my $password='password' ;
my $host = 'server:port';
my $ua = LWP::UserAgent->new( keep_alive => 1 );
$ua->credentials( $host, '', $username, $password);
my $req = GET $url;
my $response = $ua->request($req);
printf " %s\n", $response->status_line;
printf "\n\n\n" . $response->content();

Gives me an error

"HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials."

Wireshark on the IIS server shows (amongst other things)

NTLMSSP
NTLMSSP identified: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: [BLANKED OUT]
NTLM Response: [BLANKED OUT]
Domain name: ????
User name: user_name
Host name: user_name
Session key: Empty
Flags: 0x00088205
Host: server:port

The "????" is the value for domain (or Wireshark shows ???? for blank values, I'm not sure). Tried "forsmbg"'s suggested fix for setting of $domain from here https://rt.cpan.org/Public/Bug/Display.html?id=9521#txn-1096169 but this doesn't make any difference.

Any suggestions on how to proceed gratefully received!

Replies are listed 'Best First'.
Re: NTLM authentication with IIS 6
by Khen1950fx (Canon) on Apr 16, 2013 at 16:19 UTC
    Have you tried LWP::Authen::Ntlm? It seems like such a good fit.
    #!/usr/bin/perl -l
    use strict;
    use warnings;
    use LWP::UserAgent;
    use HTTP::Request::Common;
    my $url = 'http://server:port/path/script.aspx';
    my $user = 'domain\\user';
    my $pass = 'password';
    my $host = 'server:port';
    my $ua = LWP::UserAgent->new( keep_alive => 1 );
    $ua->credentials($host, '', $user, $pass);
    my $req = GET $url;
    my $response = $ua->request($req);
    if ($response->is_success) {
        printf " %s\n", $response->status_line;
        printf "\n\n\n" . $response->content();
    }
    else {
        print "Something's not right... ->" . $response->code;
    }
      Have you tried LWP::Authen::Ntlm? It seems like such a good fit.

      LWP::Authen::Ntlm uses Authen::NTLM, and neither should need to be explicitly included in the script, as the type of authentication is detected and the NTLM libraries are auto-included.

      Update: Except that it doesn't detect NTLM V1 vs V2, so Authen::NTLM does need to be explicitly included (see below).

        LWP::Authen::Ntlm uses Authen::NTLM, and neither should need to be explicitly included, as the type of authentication is detected and the NTLM libraries are auto-included.

        If I do not explicitly use Authen::NTLM I get:

        Undefined subroutine &main::ntlmv2

        Whether I specify them or not in the suggestion by Khen1950fx I still get response code of '500' with content:

        <html><head><title>Error</title></head><body>The function requested is not supported </body></html>

      Yes I tried that and unfortunately getting this

      LWP::UserAgent::new: ()
      LWP::UserAgent::request: ()
      LWP::UserAgent::send_request: GET http://server:port/path/script.aspx
      LWP::UserAgent::_need_proxy: Not proxied
      LWP::Protocol::http::request: ()
      LWP::Protocol::collect: read 808 bytes
      LWP::Protocol::collect: read 848 bytes
      LWP::Protocol::http::request: Keep the http connection to server:port
      LWP::UserAgent::request: Simple response: Unauthorized
      LWP::Authen::Ntlm::authenticate: authenticate() has been called
      LWP::Authen::Ntlm::authenticate: In first phase of NTLM authentication
      LWP::Authen::Ntlm::authenticate: Returning response object with auth header: Authorization NTLM XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      LWP::UserAgent::request: ()
      LWP::UserAgent::send_request: GET http://server:port/path/script.aspx
      LWP::UserAgent::_need_proxy: Not proxied
      LWP::Protocol::http::request: ()
      LWP::Protocol::collect: read 100 bytes
      LWP::UserAgent::request: Simple response: Internal Server Error
      Something's not right... ->500

      I changed the server/port/path and the Authorization NTLM but otherwise this is the output.

      The webserver has a group policy applied which means I must use NTLMv2...

      Using an old version of Perl.. should probably have mentioned that; 5.6.1.

      Using the same credentials in a browser same url it works fine, on a server with the group policy disabled I don't have these problems either. (unfortunately disabling the policy is not an option...)

      I'd have pulled my hair out by now if I had any!

        It's possible you are running into the same issue I am, in my case the policy is set on the server (NtlmMinClientSec) to 0x20080030.. In short it's 128-bit encryption, NTLMv2 session security, Message confidentiality, Message integrity.

        It's still v2 but with additional minimum NTLMSSP requirements that may or may not be implemented..
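
An added example, not code from any poster in this thread: a small parser for the NTLMSSP Type 3 (AUTH) token that LWP sends in the `Authorization: NTLM` header, which prints the domain, user and host fields and lists the bits of the quoted NtlmMinClientSec value that are absent from the message flags. The sample token is constructed with the flag value and user/host names from the Wireshark capture; the empty domain is an assumption about what "????" means, the sub names are hypothetical, and `Encode` needs Perl 5.8 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode decode);
use MIME::Base64 qw(encode_base64 decode_base64);

# Subset of NTLMSSP negotiate flags; the policy value quoted above uses the same bits.
my @FLAGS = (
    [ 0x00000001, 'UNICODE' ],                 [ 0x00000004, 'REQUEST_TARGET' ],
    [ 0x00000010, 'SIGN (integrity)' ],        [ 0x00000020, 'SEAL (confidentiality)' ],
    [ 0x00000200, 'NTLM' ],                    [ 0x00008000, 'ALWAYS_SIGN' ],
    [ 0x00080000, 'NTLMv2 session security' ], [ 0x20000000, '128-bit' ],
    [ 0x80000000, '56-bit' ],
);
sub flag_names { my ($v) = @_; return map { $_->[1] } grep { $v & $_->[0] } @FLAGS }

# Parse the base64 token from an "Authorization: NTLM ..." header (Type 3 only).
sub parse_type3 {
    my $msg = decode_base64(shift);
    die "not an NTLMSSP Type 3 message\n"
        unless length($msg) >= 64 && substr($msg, 0, 12) eq "NTLMSSP\0" . pack('V', 3);
    my %m = ( flags => unpack('V', substr($msg, 60, 4)) );
    my %field_at = ( domain => 28, user => 36, host => 44 );   # security buffer offsets
    while ( my ($name, $pos) = each %field_at ) {
        my ($len, undef, $off) = unpack 'v v V', substr($msg, $pos, 8);
        die "$name buffer points outside the message\n" if $off + $len > length $msg;
        my $raw = substr($msg, $off, $len);
        $m{$name} = ($m{flags} & 0x1) ? decode('UTF-16LE', $raw) : $raw;
    }
    return \%m;
}

# Constructed sample: a Type 3 message with empty LM/NT responses and session key.
sub build_sample {
    my ($flags, @strings) = @_;               # strings: domain, user, host
    my @raw = map { encode('UTF-16LE', $_) } @strings;
    my ($off, $msg) = (64, "NTLMSSP\0" . pack('V', 3) . pack('v v V', 0, 0, 64) x 2);
    for my $r (@raw) { $msg .= pack('v v V', length $r, length $r, $off); $off += length $r }
    $msg .= pack('v v V', 0, 0, $off) . pack('V', $flags) . join('', @raw);
    return encode_base64($msg, '');
}

my $policy_min = 0x20080030;   # NtlmMinClientSec value quoted in the reply above
my $token = build_sample(0x00088205, '', 'user_name', 'user_name');   # values from the capture
my $m = parse_type3($token);
printf "domain='%s' user='%s' host='%s'\n", @$m{qw(domain user host)};
printf "flags 0x%08X: %s\n", $m->{flags}, join(', ', flag_names($m->{flags}));
my $missing = $policy_min & ~$m->{flags};
printf "in policy value, not in flags: 0x%08X: %s\n", $missing, join(', ', flag_names($missing));
```

For the two values quoted in this thread the difference is 0x20000030: the SIGN, SEAL and 128-bit bits are set in the policy value but not in the captured flags, while NTLMv2 session security is present in both.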

Re: NTLM authentication with IIS 6
by jakeease (Friar) on Apr 17, 2013 at 06:02 UTC
