python NTLM implementation does not work if trying to access a web page which is provided by Windows 2008 Server R2 (64-Bit)

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Try to access an NTLM protected web page which is hosted on a Windows
2008 Server R2.

What is the expected output? What do you see instead?

The following error is thrown:

  File "C:\Python26\lib\urllib2.py", line 124, in urlopen
    return _opener.open(url, data, timeout)
  File "C:\Python26\lib\urllib2.py", line 395, in open
    response = meth(req, response)
  File "C:\Python26\lib\urllib2.py", line 508, in http_response
    'http', request, response, code, msg, hdrs)
  File "C:\Python26\lib\urllib2.py", line 427, in error
    result = self._call_chain(*args)
  File "C:\Python26\lib\urllib2.py", line 367, in _call_chain
    result = func(*args)
  File "C:\Python26\lib\ntlm\HTTPNtlmAuthHandler.py", line 96, in
http_error_401
    return self.http_error_authentication_required('www-authenticate', req,
fp, headers)
  File "C:\Python26\lib\ntlm\HTTPNtlmAuthHandler.py", line 35, in
http_error_authentication_required
    return self.retry_using_http_NTLM_auth(req, auth_header_field, None,
headers)
  File "C:\Python26\lib\ntlm\HTTPNtlmAuthHandler.py", line 69, in
retry_using_http_NTLM_auth
    (ServerChallenge, NegotiateFlags) =
ntlm.parse_NTLM_CHALLENGE_MESSAGE(auth_header_value[5:])
  File "C:\Python26\lib\ntlm\ntlm.py", line 224, in
parse_NTLM_CHALLENGE_MESSAGE
    msg2 = base64.decodestring(msg2)
  File "C:\Python26\lib\base64.py", line 321, in decodestring
    return binascii.a2b_base64(s)
Error: Incorrect padding

What version of the product are you using? On what operating system?

Python 2.6, python-ntlm build 28th of October 2009.

It seems that Microsoft has upgraded their NTLM protocoll according to this
(German) site from Microsoft:
http://technet.microsoft.com/de-de/library/dd560653%28WS.10%29.aspx
They also say that old windows versions might not well work together with
new servers...

Original issue reported on code.google.com by xaphi...@googlemail.com on 26 Jan 2010 at 4:25

[GoogleCodeExporter]

I agree that this doesn't work, until support for the new protocol is 
implemented (not 
planned).
You could try a work around: 
http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx

Original comment by Matthijs.Mullender on 27 Jan 2010 at 8:50

[GoogleCodeExporter]

I used gpedit.msc to disable the security policies as mentioned in
http://technet.microsoft.com/en-us/library/dd566199%28WS.10%29.aspx

Unfortunatelly this didn't help me. python.ntlm still breaks because of the 
above
mentioned runtime error. I tried to omit this by changing in file 'ntlm.py' the
following part:

def parse_NTLM_CHALLENGE_MESSAGE(msg2):
    ""
    msg2 = base64.decodestring(msg2)
    Signature = msg2[0:8]

to this:

def parse_NTLM_CHALLENGE_MESSAGE(msg2):
    ""
    pos = msg2.find(",")
    if pos > 0:
        msg2 = msg2[:pos]
    msg2 = base64.decodestring(msg2)
    Signature = msg2[0:8]

This solves the error, but unfortunatelly its doesn't solve the whole problem. 
I am
not an NTLM expert and have no detailed idea how the protocol works, but it 
seems
that my 'hotfix' leads to a sitution which breaks the protocol or Windows 2008
implements a slightly different handling of the protocol which is not 
compatible with
python-ntlm.

Do you have any further ideas how to solve this?

Original comment by xaphi...@googlemail.com on 27 Jan 2010 at 11:21

[GoogleCodeExporter]

I have a similar issue trying to access Sharepoint 2010 under Windows7x64:

File 
"/home/mat/.buildout/eggs/python_ntlm-1.0.1-py2.7.egg/ntlm/HTTPNtlmAuthHandler.p
y", line 101, in http_error_401
    return self.http_error_authentication_required('www-authenticate', req, fp, headers)
  File "/home/mat/.buildout/eggs/python_ntlm-1.0.1-py2.7.egg/ntlm/HTTPNtlmAuthHandler.py", line 35, in http_error_authentication_required
    return self.retry_using_http_NTLM_auth(req, auth_header_field, None, headers)
  File "/home/mat/.buildout/eggs/python_ntlm-1.0.1-py2.7.egg/ntlm/HTTPNtlmAuthHandler.py", line 71, in retry_using_http_NTLM_auth
    (ServerChallenge, NegotiateFlags) = ntlm.parse_NTLM_CHALLENGE_MESSAGE(auth_header_value[5:])
  File "/home/mat/.buildout/eggs/python_ntlm-1.0.1-py2.7.egg/ntlm/ntlm.py", line 217, in parse_NTLM_CHALLENGE_MESSAGE
    msg2 = base64.decodestring(msg2)
  File "/usr/lib/python2.7/base64.py", line 321, in decodestring
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

I can workaround this error with the following patch:

--- HTTPNtlmAuthHandler_old.py  2012-03-19 15:29:08.503699995 +0100
+++ HTTPNtlmAuthHandler.py      2012-03-19 15:30:22.459242446 +0100
@@ -66,6 +66,8 @@
                 headers['Cookie'] = r.getheader('set-cookie')
             r.fp = None # remove the reference to the socket, so that it can not be closed by the response object (we want to keep the socket open)
             auth_header_value = r.getheader(auth_header_field, None)
+            if ',' in auth_header_value:
+                auth_header_value, postfix = auth_header_value.split(',', 1)
             (ServerChallenge, NegotiateFlags) = ntlm.parse_NTLM_CHALLENGE_MESSAGE(auth_header_value[5:])
             user_parts = user.split('\\', 1)
             DomainName = user_parts[0].upper()

But this is just a quick and dirty hack since I have no understanding of the 
NTLM protocol. I don't know what this breaks on other places.

Is there a correct way of fixing this problem?

Original comment by matlehma...@gmail.com on 19 Mar 2012 at 2:33

[GoogleCodeExporter]

With the 'quick and dirty' hack above I end-up with:
  File "X:\lteenb-ctrl\tools\smartfrman\downloader\sfrman\mechanize\_mechanize.py", line 203, in open
    return self._mech_open(url, data, timeout=timeout)
  File "X:\lteenb-ctrl\tools\smartfrman\downloader\sfrman\mechanize\_mechanize.py", line 249, in _mech_open
    self._set_response(response, False)
  File "X:\lteenb-ctrl\tools\smartfrman\downloader\sfrman\mechanize\_mechanize.py", line 304, in _set_response
    response = _response.upgrade_response(response)
  File "X:\lteenb-ctrl\tools\smartfrman\downloader\sfrman\mechanize\_response.py", line 521, in upgrade_response
    response.fp, response.info(), response.geturl(), code, msg)
  File "X:\lteenb-ctrl\tools\smartfrman\downloader\sfrman\mechanize\_response.py", line 338, in __init__
    self._set_fp(fp)
  File "X:\lteenb-ctrl\tools\smartfrman\downloader\sfrman\mechanize\_response.py", line 353, in _set_fp
    self.__iter__ = self.fp.__iter__
AttributeError: HTTPResponse instance has no attribute '__iter__'

Any ideas?

Original comment by marskolt...@gmail.com on 17 May 2012 at 9:38

[GoogleCodeExporter]

The workaround from comment 3 works for me.

Original comment by bernt.br...@gmail.com on 25 Jul 2012 at 12:59

[GoogleCodeExporter]

quick and dirty hack (3) works for me too.

Original comment by rhai...@gmail.com on 29 Nov 2012 at 8:11

[GoogleCodeExporter]

I think that this has been fixed with r67.   Could someone please download the 
latest version and test?  If this is still a problem, would it be possible to 
attach a packet trace of the failure (as was helpfully provided with issue 8)?  
Thanks!

Original comment by samw...@gmail.com on 19 Feb 2013 at 12:51

[GoogleCodeExporter]

Hi !
I ran into the problem, using the pip version of python-ntlm, trying to connect 
to an exchange server. Google brought me on this page. I checked out the last 
version at this time (r89), and I can confirm the bug is fixed.
It would be nice to do a release or update the version in pip repo.
Thank you folks.

Original comment by deron...@gmail.com on 17 Jun 2013 at 3:03

[GoogleCodeExporter]

I think i managed to check out R90 build and install and i'm still having this 
issue on my system running centos 6.5 py2.6, connecting to a sharepoint 2010 
server.  Is there a quick n dirty guide to checking out building and 
installing?  I followed https://docs.python.org/2/install/ .   
I can 
'''
import ntlm
'''
I cannot 
'''
FROM ntlm import HTTPNtlmAuthHandler
'''
I Made sure to uninstall the pip version before building and installing.
Is there away to confirm the installed version is the one built from R90?

Original comment by ibigp...@gmail.com on 8 Apr 2014 at 5:12

[GoogleCodeExporter]

R90 is a minor fix that mostly replaces the string "NTLM_ttype1_FLAGS"
in the Python 3 version with "NTLM_TYPE1_FLAGS".  If that string isn't
in /trunk/python30/ntlm/ntlm.py then you are either running with the
latest version possibly or a version before that string was
introduced.

R89 changed "HTTPPasswordMgr()" to "urllib2.HTTPPasswordMgr()" in
/trunk/python26/ntlm/HTTPNtlmAuthHandler.py.

R88 removed an empty directory "/trunk/python26/python26" from the source tree.

I hope that this helps.

Original comment by samw...@gmail.com on 22 Apr 2014 at 12:58

[GoogleCodeExporter]

For me the bug is fixed. I think ibigp is referring to another problem. Could 
you Samwyse test and have the final word ?
Thanks

Original comment by deron...@gmail.com on 5 Jun 2014 at 8:52

[GoogleCodeExporter]

Made some tests and the problem does not reproduce.

Original comment by deron...@gmail.com on 26 Jun 2014 at 2:37

[GoogleCodeExporter]

Original comment by deron...@gmail.com on 2 Oct 2014 at 2:15

• Changed state: Fixed