Azure / go-ntlmssp

NTLM/Negotiate authentication over HTTP
MIT License
189 stars, 70 forks

Only the first Www-Authenticate header is checked #21

Closed ncsurfus closed 2 years ago

ncsurfus commented 5 years ago

If the first Www-Authenticate header is not Basic, NTLM, or Negotiate then this will fail as the referenced code in the link below only gets the first Www-Authenticate header. This also means that if the server offers [Negotiate, NTLM] and the server's implementation of Negotiate only supports Kerberos (it will not fallback to NTLM), then this will fail since only Negotiate is attempted... even though NTLM is offered.

https://github.com/Azure/go-ntlmssp/blob/master/negotiator.go#L63

blaskovicz commented 5 years ago

I've run into this as well in the following scenario (which is handled correctly by `curl --ntlm ...`):

```
< WWW-Authenticate: Negotiate
< WWW-Authenticate: NTLM
```
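The failure described in the issue and reproduced in the curl output above comes from reading only the first `Www-Authenticate` value. The following is an added example, not code from go-ntlmssp or from either commenter: it parses every `Www-Authenticate` header (and every comma-separated challenge inside one header value, per RFC 7235) and then picks a scheme. The preference order `NTLM, Negotiate, Basic` is this example's own choice, made to fit the Kerberos-only Negotiate scenario ncsurfus describes; `Challenge`, `ParseChallenges` and `ChooseChallenge` are names invented here.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Challenge is one auth-scheme offered in a WWW-Authenticate header.
// Rest holds whatever followed the scheme: a token68 (for NTLM, the base64
// type 2 message on the second round trip) or auth-params such as realm="...".
// It is empty on the server's initial challenge, as in the curl output above.
type Challenge struct {
	Scheme string
	Rest   string
}

// Preference order used by this example (an assumption, not the library's):
// NTLM before Negotiate, because a Negotiate endpoint may be Kerberos-only
// and never fall back to NTLM; Basic last.
var preference = []string{"NTLM", "Negotiate", "Basic"}

// splitOutsideQuotes splits s on sep, ignoring separators inside quoted-strings,
// so that Basic realm="a, b" is not cut in half.
func splitOutsideQuotes(s string, sep byte) []string {
	var parts []string
	inQuote := false
	start := 0
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c == '\\' && inQuote && i+1 < len(s):
			i++ // skip an escaped character inside a quoted-string
		case c == '"':
			inQuote = !inQuote
		case c == sep && !inQuote:
			parts = append(parts, s[start:i])
			start = i + 1
		}
	}
	return append(parts, s[start:])
}

// isAuthParam reports whether a comma-separated piece is an auth-param
// (token "=" value) that continues the previous challenge rather than starting
// a new one. A token68 such as "NTLM TlRMTVNTUAAC...==" is not a param because
// whitespace, not '=', follows its first token.
func isAuthParam(piece string) bool {
	i := strings.IndexAny(piece, " \t=")
	if i < 0 {
		return false
	}
	return strings.HasPrefix(strings.TrimLeft(piece[i:], " \t"), "=")
}

// ParseChallenges collects every challenge from every WWW-Authenticate header
// on the response, not just the first header value.
func ParseChallenges(h http.Header) []Challenge {
	var out []Challenge
	for _, v := range h.Values("Www-Authenticate") {
		for _, piece := range splitOutsideQuotes(v, ',') {
			piece = strings.TrimSpace(piece)
			if piece == "" {
				continue
			}
			if isAuthParam(piece) && len(out) > 0 {
				last := &out[len(out)-1]
				if last.Rest != "" {
					last.Rest += ", "
				}
				last.Rest += piece
				continue
			}
			scheme, rest, _ := strings.Cut(piece, " ")
			out = append(out, Challenge{Scheme: scheme, Rest: strings.TrimSpace(rest)})
		}
	}
	return out
}

// ChooseChallenge returns the most preferred scheme the server offers,
// comparing scheme names case-insensitively as RFC 7235 requires.
func ChooseChallenge(cs []Challenge) (Challenge, error) {
	for _, want := range preference {
		for _, c := range cs {
			if strings.EqualFold(c.Scheme, want) {
				return c, nil
			}
		}
	}
	return Challenge{}, errors.New("no supported authentication scheme offered")
}

func main() {
	// Constructed headers reproducing the two-header curl output quoted above.
	h := http.Header{}
	h.Add("Www-Authenticate", "Negotiate")
	h.Add("Www-Authenticate", "NTLM")
	c, err := ChooseChallenge(ParseChallenges(h))
	fmt.Println(c.Scheme, err)
}
```

A client built on this would send its NTLM type 1 message only after `ChooseChallenge` returns `NTLM`, and on the next 401 would read the type 2 token from `Challenge.Rest` of the NTLM entry rather than from whichever header happens to come first.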

ncsurfus commented 5 years ago

@blaskovicz Here was a quick work-around I did. It's mostly a copy and paste of negotiator.go with just enough changes to make things work in my scenario.

https://gist.github.com/ncsurfus/fbb806a9c7657ae099dd3636897b8d55

blaskovicz commented 5 years ago

Thanks, I'll give it a try.

blaskovicz commented 5 years ago

@ncsurfus that didn't work unfortunately.

I threw it in the debugger and it gets to rt.RoundTrip(...) after ntlmssp.ProcessChallenge(...) which is returning a 401 response.

blaskovicz commented 5 years ago

My second issue may be related to #15. Are you using https or http?

ncsurfus commented 5 years ago

@blaskovicz I'm using https. Some NTLM servers may require channel binding, which I believe is not supported by this library. Channel binding helps validate that the TLS session is not being MITM. With that said I'm no NTLM expert.

blaskovicz commented 5 years ago

@ncsurfus I don't exactly know why, but https://github.com/vadimi/go-http-ntlm solves my scenario. I've spent a good chunk of time debugging this, and, as I'm no NTLM expert nor care to be, will leave it at that for now until someone else is interested in solving this problem.

In any case, thanks for the help, just wanted to throw in my 2cents in case someone else has issues.

Resousse commented 2 years ago

Hello, same here: two WWW-Authenticate headers are in the response; unfortunately the NTLM one is the second…

Possible to include a trick like the one in @ncsurfus's gist? Thanks 😇

Resousse commented 2 years ago

Forgive my impatience, I've just submitted a PR for this change: https://github.com/Azure/go-ntlmssp/pull/31 I'm looking forward to the merge :)

paulmey commented 2 years ago

This should be fixed in #31