Fix NTLM Proxy authentication issues. #387

Open
@haroldteramoto

I found two issues when authenticating against NTLM Proxy on Mac OSX. I am testing AsiHttpRequest with Microsoft Forefront TMG server as the proxy.

Issue 1) Http request's user credential is used for proxy credential.

For most use cases, user will have proxy credential stored in the keychain.
Look for credential in keychain first, then use the http request credential.

Issue 2) From wireshark network traces, calling startRequest twice does not
actually send the NTLM proxy auth challenge response. The third startRequest
will send the auth challenge response and get past the proxy authentication.

There must be a different root cause for not responding to the NTLM auth challenge with the original code. By making the 3rd startRequest call, I can work around this issue, however.

Harold Teramoto Fix NTLM Proxy authentication issues.
Issue 1) Http request's user credential is used for proxy credential.
For most use cases, user will have proxy credential stored in the keychain.
Look for credential in keychain first, then use the http request credential.

Issue 2) From wireshark network traces, calling startRequest twice does not
actually send the NTLM proxy auth challenge response.  The third startRequest
will send the auth challenge response and get past the proxy authentication.
695d6f1
@ShiQiao
Commits on Mar 12, 2014
  1. Fix NTLM Proxy authentication issues.

    Harold Teramoto authored
Showing with 12 additions and 10 deletions.
  1. +12 −10 Classes/ASIHTTPRequest.m
22 Classes/ASIHTTPRequest.m
@@ -2476,14 +2476,6 @@ - (NSMutableDictionary *)findProxyCredentials
user = [self proxyUsername];
pass = [self proxyPassword];
}
-
- // When we connect to a website using NTLM via a proxy, we will use the main credentials
- if ((!user || !pass) && [self proxyAuthenticationScheme] == (NSString *)kCFHTTPAuthenticationSchemeNTLM) {
- user = [self username];
- pass = [self password];
- }
-
-
// Ok, that didn't work, let's try the keychain
// For authenticating proxies, we'll look in the keychain regardless of the value of useKeychainPersistence
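
Review bot: With the NTLM fallback removed from ahead of the keychain lookup in findProxyCredentials, a keychain entry for the proxy now always wins over the request's own username and password, and the context comment says the keychain is consulted regardless of useKeychainPersistence. If that entry is stale, user and pass are already set by the time the relocated `(!user || !pass)` fallback is reached, so the caller-supplied credentials are never tried. Please confirm that a failed attempt with keychain credentials either invalidates them or lets the fallback run, and mention the new precedence in the change notes.
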
@@ -2496,6 +2488,13 @@ - (NSMutableDictionary *)findProxyCredentials
}
+ // If proxy credential is still not available and when we connect to a website using NTLM via a proxy,
+ // we will use the main credentials
+ if ((!user || !pass) && [self proxyAuthenticationScheme] == (NSString *)kCFHTTPAuthenticationSchemeNTLM) {
+ user = [self username];
+ pass = [self password];
+ }
+
// Handle NTLM, which requires a domain to be set too
if (CFHTTPAuthenticationRequiresAccountDomain(proxyAuthentication)) {
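
Review bot: The relocated fallback at `if ((!user || !pass) && [self proxyAuthenticationScheme] == ...NTLM)` still hands the origin server's `[self username]` and `[self password]` to the proxy whenever no proxy credential is found, so one party's credentials are presented to another without the caller asking for it. Since this block is being touched anyway, consider gating it behind an explicit opt-in, or at least document the behaviour where proxyUsername and proxyPassword are described. The new comment would also read more clearly as "If no proxy credentials were found and the proxy uses NTLM, fall back to the main credentials".
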
@@ -2843,12 +2842,15 @@ - (void)attemptToApplyProxyCredentialsAndResume
if (proxyCredentials) {
+ // From wireshark logs, proxy auth challenge is not responded by calling startRequest twice.
+ // Needed a third call to get the auth challenge response sent.
+
// We use startRequest rather than starting all over again in load request because NTLM requires we reuse the request
- if ((([self proxyAuthenticationScheme] != (NSString *)kCFHTTPAuthenticationSchemeNTLM) || [self proxyAuthenticationRetryCount] < 2) && [self applyProxyCredentials:proxyCredentials]) {
+ if ((([self proxyAuthenticationScheme] != (NSString *)kCFHTTPAuthenticationSchemeNTLM) || [self proxyAuthenticationRetryCount] < 3) && [self applyProxyCredentials:proxyCredentials]) {
[self startRequest];
// We've failed NTLM authentication twice, we should assume our credentials are wrong
- } else if ([self proxyAuthenticationScheme] == (NSString *)kCFHTTPAuthenticationSchemeNTLM && [self proxyAuthenticationRetryCount] == 2) {
+ } else if ([self proxyAuthenticationScheme] == (NSString *)kCFHTTPAuthenticationSchemeNTLM && [self proxyAuthenticationRetryCount] == 3) {
[self failWithError:ASIAuthenticationError];
// Something went wrong, we'll have to give up
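
Review bot: The context comment above the `else if` still says "We've failed NTLM authentication twice" while the branch now tests `proxyAuthenticationRetryCount] == 3`, so the comment and the code disagree after this change. The limit of 3 is also a bare number repeated in both conditions, and the added comment only says a third call was needed per the Wireshark traces without a root cause; a named constant with that explanation attached would keep the two conditions in step. Testing `>= 3` in the failure branch instead of `== 3` would avoid falling through to the generic error path if the counter ever exceeds the limit.
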