GNOME Bugzilla – Bug 624613
NTLM fails; seems to be trying to use Basic auth.
Last modified: 2012-10-16 14:57:03 UTC
Created attachment 166070 (test program). See attached test program. When I run it, it goes into an endless loop trying Basic authentication instead of NTLM -- unless I set $NTLM_ONLY, in which case it dies with error 401. I'm implementing Exchange Web Services, so the URL I'm giving it is http://autodiscover.$COMPANY.com/autodiscover/autodiscover.xml Using the curl command line tool works fine. This is the Fedora 13 x86_64 libsoup-2.30.1
Created attachment 166071 (curl output). This is the output from curl, which runs successfully.
Created attachment 166072 (souptest output). And this is the output from the souptest program. If I don't set $NTLM_ONLY then it does the same, then goes into an endless loop of failing Basic auth.
Ah, setting NTLM_USER=$domain\\$username instead of just $username seems to make it work. If unspecified, it was using the domain of the server rather than leaving it empty as curl seems to. I'm not in the same domain as the server.
The infinite loop is because you're telling it to infinitely loop; libsoup will keep re-emitting "authenticate" until you stop authenticating the SoupAuth. So if you only have a single password, you should only call soup_auth_authenticate() when retrying==FALSE. It's been a long time since I wrote the NTLM code, and I don't remember why it fills in the default domain rather than leaving it blank. I feel like there were sites where leaving it blank caused it to fail though. Or maybe we do it that way because that's what IE does, or because it corresponds to what OWA requires? (If you log in to OWA do you have to include the domain?) The code I'm about to point you to in bug 587145 includes the ability to disable specific auth types, so you can disable fallback-to-Basic. Although you can also just check the scheme name from the authenticate handler and just ignore it if it's Basic, which will have more or less the same effect.
This *is* basically OWA. It's the SOAP interface to Exchange. It only works if I *don't* include the 'default domain', which seems to be the server's domain and not the domain that *my* user is in. I'd be inclined to suggest that we should copy what cURL does, which is not to include the domain.
Any update on this?
I guess we could toggle the behavior to "don't include the default domain" in unstable, and see if we get bug reports about that...
oh, and the aforementioned disable-Basic-auth code landed in libsoup a long time ago: soup_session_remove_feature_by_type (session, SOUP_TYPE_AUTH_BASIC);
ok, behavior flipped in git master... let's see if anyone notices
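The two client-side checks discussed in this thread, as an added example that is not code from the thread, the attached test program, or libsoup: answer a challenge only when `retrying` is false and the scheme is NTLM, and split `DOMAIN\user` while leaving the domain empty when none is given. The helper names `should_answer_challenge` and `split_ntlm_user` are hypothetical, the sample user names are constructed, and the helpers are plain C meant to be called from a libsoup "authenticate" handler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decision for a libsoup "authenticate" handler (hypothetical helper).
 * scheme:   value of soup_auth_get_scheme_name(auth), e.g. "NTLM" or "Basic"
 * retrying: the handler's `retrying` argument
 * Returns true only when soup_auth_authenticate() should be called. */
bool should_answer_challenge(const char *scheme, bool retrying)
{
    if (retrying)          /* the only password we have was rejected: stop */
        return false;
    if (scheme == NULL || strcmp(scheme, "NTLM") != 0)
        return false;      /* ignore Basic and any other scheme */
    return true;
}

/* Split "DOMAIN\user" into domain and user (hypothetical helper).
 * Without a backslash the domain is left empty instead of being filled
 * with a default. Returns false on an empty user or a too-small buffer. */
bool split_ntlm_user(const char *in, char *domain, size_t dlen,
                     char *user, size_t ulen)
{
    const char *sep = strchr(in, '\\');
    const char *name = sep ? sep + 1 : in;
    size_t dn = sep ? (size_t)(sep - in) : 0;

    if (*name == '\0' || dn >= dlen || strlen(name) >= ulen)
        return false;
    memcpy(domain, in, dn);
    domain[dn] = '\0';
    strcpy(user, name);
    return true;
}

int main(void)
{
    char d[64], u[64];
    const char *samples[] = { "CORP\\alice", "alice" };  /* constructed */

    for (size_t i = 0; i < 2; i++)
        if (split_ntlm_user(samples[i], d, sizeof d, u, sizeof u))
            printf("domain='%s' user='%s'\n", d, u);
    printf("NTLM first try: %d, NTLM retry: %d, Basic: %d\n",
           should_answer_challenge("NTLM", false),
           should_answer_challenge("NTLM", true),
           should_answer_challenge("Basic", false));
    return 0;
}
```

Refusing the Basic challenge in the handler also keeps the password from being sent base64-encoded over the plain `http://` URL used here.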