NTLM 401 on HTTPS IIS endpoints #3280
NTLM fails consistently on Windows when targeting HTTPS endpoints that are WIA protected. This only happens when "Extended Protection" is set to Accept or Require in the IIS server (Accept is the default). The same endpoint works correctly when plain HTTP is in use.
I did this
I expected the following
A 200 response from the server. Again everything works fine with plain HTTP
I have tried curl 7.62, 7.55.1 and 7.57.
[curl -V output]
Failing behaviour is consistent on Windows 7, 8, 10.
These Windows builds are built with SSPI enabled, meaning they use native Windows function calls for the NTLM magic. That makes this a very Windows-specific issue and requires someone to debug this on Windows. It would be interesting to learn if someone would try this with a Windows build without SSPI and see if that makes it work.
NTLM debugging is challenging...
I've just tried with curl 7.59 without the SSPI and everything works as expected. Looks like something is failing only when the SSPI is used.
After looking deeper into the problem I can see why curl with the SSPI is failing. The problem is the Windows Extended Protection (aka channel binding).
A solution would be to:
I would be to patch and test it with some guidance from someone more experienced with libcurl.
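
Background on the channel binding named in the last comments, as an added example that is not part of the thread and not curl's code: it computes the `tls-server-end-point` binding (RFC 5929) and the 16-byte `MsvAvChannelBindings` value (MS-NLMP) that Extended Protection compares against the TLS session. Function names and the certificate bytes are constructed for illustration.

```python
import hashlib
import struct

# RFC 5929: certificates signed with MD5 or SHA-1 are hashed with SHA-256;
# otherwise the certificate's own signature hash algorithm is used.
def cbt_hash_name(signature_hash: str) -> str:
    name = signature_hash.lower().replace("-", "")
    return "sha256" if name in ("md5", "sha1") else name

def tls_server_end_point(cert_der: bytes, signature_hash: str) -> bytes:
    """Application data for the binding: type prefix plus certificate hash."""
    digest = hashlib.new(cbt_hash_name(signature_hash), cert_der).digest()
    return b"tls-server-end-point:" + digest

def gss_channel_bindings(app_data: bytes) -> bytes:
    """gss_channel_bindings_struct with empty initiator/acceptor addresses."""
    return (struct.pack("<IIII", 0, 0, 0, 0)      # address types and lengths
            + struct.pack("<I", len(app_data)) + app_data)

def ntlm_channel_bindings_av(cert_der: bytes, signature_hash: str) -> bytes:
    """MD5 of the bindings struct, sent as an AV pair in the NTLMv2 response."""
    app_data = tls_server_end_point(cert_der, signature_hash)
    return hashlib.md5(gss_channel_bindings(app_data)).digest()

# Constructed stand-ins for DER certificates (not real certificates).
SERVER_CERT = b"0\x82constructed-server-certificate"
PROXY_CERT = b"0\x82constructed-intercepting-proxy-certificate"

if __name__ == "__main__":
    expected = ntlm_channel_bindings_av(SERVER_CERT, "sha256")
    other = ntlm_channel_bindings_av(PROXY_CERT, "sha256")
    print("value for the server's certificate:", expected.hex())
    print("value for a different certificate :", other.hex())
    print("server accepts second value:", expected == other)
```

Because the value depends on the certificate the client actually saw, a client that sends a binding computed for any other TLS endpoint, or a wrong or empty one, fails the server's comparison.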