Watch, Follow, &
Connect with Us

For forums, blogs and more please visit our
Developer Tools Community.


Welcome, Guest
Guest Settings
Help

Thread: How to use TIdHTTP with NTLM?


This question is not answered. Helpful answers available: 2. Correct answers available: 1.


Permlink Replies: 5 - Last Post: Feb 28, 2017 12:35 PM Last Post By: Remy Lebeau (Te... Threads: [ Previous | Next ]
Michael Morelli

Posts: 6
Registered: 6/26/14
How to use TIdHTTP with NTLM?  
Click to report abuse...   Click to reply to this thread Reply
  Posted: Feb 20, 2017 2:16 AM
Hi Folks,

I have searched the web for getting a soltion, how to Setup TIdHttp with NTLM.
Has anyone a solution how to do this?

I get the http-error 407 'Auth. required'.

What do I have to implement in the Events: IdHTTP1ProxyAuthorization and IdHTTP1SelectProxyAuthorization?

Thanks for your help!

Cheers,
Mike
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: How to use TIdHTTP with NTLM?  
Click to report abuse...   Click to reply to this thread Reply
  Posted: Feb 21, 2017 9:28 AM   in response to: Michael Morelli in response to: Michael Morelli
Michael wrote:

I have searched the web for getting a soltion, how to Setup
TIdHttp with NTLM. Has anyone a solution how to do this?

Do you have an #include statement for IdAuthenticationNTLM.hpp or IdAuthenticationSSPI.hpp
in your code?

I get the http-error 407 'Auth. required'.

That means a proxy is asking for authentication.

What do I have to implement in the Events: IdHTTP1ProxyAuthorization
and IdHTTP1SelectProxyAuthorization?

Ideally, under normal conditions, you should not need to use the OnSelectProxyAuthorization
event. However, it is provided if you need to customize which TIdAuthentication
class is used to handle authentication. Upon entry, the AuthenticationClass
parameter contains TIdHTTP's default choice, based on the proxy's WWW-Authenticate
headers and the available registered TIdAuthentication classes. You can
set the AuthenticationClass parameter to another class type if needed.

As for OnProxyAuthorization, that event is fired when authentication has
already been attempted and the proxy continues to ask for authentication.
Which means the proxy is rejecting the credentials you are providing. Are
you sure you are providing the correct credentials?

--
Remy Lebeau (TeamB)
Michael Morelli

Posts: 6
Registered: 6/26/14
Re: How to use TIdHTTP with NTLM?  
Click to report abuse...   Click to reply to this thread Reply
  Posted: Feb 27, 2017 4:39 AM   in response to: Remy Lebeau (Te... in response to: Remy Lebeau (Te...
Hi Remy,

thanks for your help.
Yes I have included the IdAuthenticationNTLM.hpp.
What is the IdAuthenticationSSPI.hpp include for?

Ok so basically I have not to set the AuthenticationClass -Type in the OnSelectProxyAuthorization Event, right?
Because Indy automatically detects the usage of NTLM?

And I also do not have to impl. the OnProxyAuthorization-Event because it is only fired when for example the credentials are wrong.

So actually it should run when I simply set the Options of the TIdHttp component like:

IdHTTP1->ProxyParams->BasicAuthentication = false;
IdHTTP1->ProxyParams->ProxyServer = proxyAddress;
IdHTTP1->ProxyParams->ProxyPort = port;

IdHTTP1->ProxyParams->ProxyUsername = userName;
IdHTTP1->ProxyParams->ProxyPassword = pw;

IdHTTP1->Request->BasicAuthentication = true;

So do I have to set the ProxyParams->BasicAuthentication to true or false?

Thanks for your help!

Cheers,
Mike
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: How to use TIdHTTP with NTLM?  
Click to report abuse...   Click to reply to this thread Reply
  Posted: Feb 27, 2017 12:52 PM   in response to: Michael Morelli in response to: Michael Morelli
Michael wrote:

Yes I have included the IdAuthenticationNTLM.hpp.
What is the IdAuthenticationSSPI.hpp include for?

A different kind of NTLM implementation.

TIdNTLMAuthentication is a manual implementation of the NTLM protocol and
should (in theory) by cross-platform (well, on platforms that are using
OpenSSL, anyway).

TIdSSPIAuthentication implements NTLM using Microsoft's SSPI API instead,
and so is Windows-specific.

Ok so basically I have not to set the AuthenticationClass -Type in the
OnSelectProxyAuthorization Event, right?

You can if you need to. For example:

void __fastcall OnSelectProxyAuthorization(TObject *Sender, TIdAuthenticationClass 
&AuthenticationClass, TIdHeaderList *AuthInfo)
{
    for (int i = 0; i < AuthInfo->Count; ++i)
    {
        String S = AuthInfo->Strings[i];
        if (Fetch(S) == L"NTLM")
        {
            AuthenticationClass = __classid(TIdNTLMAuthentication);
            return;
        }
    }
}


Because Indy automatically detects the usage of NTLM?

It can, yes. On the other hand, if the Proxy supports multiple authentication
schemes, and you have them enabled in TIdHTTP, it might decide to use a
different scheme than NTLM. So code like above can be used to give NTLM
higher priority, for instance.

Alternatively, if you know the proxy supports NTLM, and that is what you
want to use, then you don't need to use the OnSelectProxyAuthorization event
at all. You can set the ProxyParams->Authentication property instead:

IdHTTP1->ProxyParams->Authentication = new TIdNTLMAuthentication();
IdHTTP1->ProxyParams->BasicAuthentication = false;
...


And I also do not have to impl. the OnProxyAuthorization-Event because
it is only fired when for example the credentials are wrong.

That is exactly why you should implement it, so you can supply new credentials
if needed, such as by prompting the user. But, if your software is automated,
and you only want to use credentials that are in your configuration, then
yes, you can ignore the OnProxyAuthorization event.

So do I have to set the ProxyParams->BasicAuthentication to true or
false?

BasicAuthentication controls whether TIdHTTP is allowed to fallback to the
BASIC authentication scheme, which is not secure except over an SSL/TLS connection
as it transmits credentials in plain text that is easy to decypher.

--
Remy Lebeau (TeamB)
Michael Morelli

Posts: 6
Registered: 6/26/14
Re: How to use TIdHTTP with NTLM?  
Click to report abuse...   Click to reply to this thread Reply
  Posted: Feb 28, 2017 8:08 AM   in response to: Remy Lebeau (Te... in response to: Remy Lebeau (Te...
Thx a lot for the Explanation.
but it does not work with just Setting:

IdHTTP1->ProxyParams->Authentication = new TIdNTLMAuthentication();
IdHTTP1->ProxyParams->BasicAuthentication = false;

IdHTTP1->ProxyParams->ProxyServer = EdtProxyAddress->Text;
IdHTTP1->ProxyParams->ProxyPort = EdtProxyPort->Text.ToIntDef(0);

IdHTTP1->ProxyParams->ProxyUsername = EdtUsername->Text;
IdHTTP1->ProxyParams->ProxyPassword = EdtPW->Text;

After IdHTTP1->Get (request, resultStream),
the IdHTTP1->Response->ResponseText is still: HTTP/1.0 407 Proxy Authentication Required
And the IdHTTP1->Response->RawHeaders->Text is:
[Server: squid/3.1.6
Mime-Version: 1.0
Date: Tue, 28 Feb 2017 14:06:25 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3641
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: NTLM
X-Cache: MISS from localhost
X-Cache-Lookup: NONE from localhost:****
Proxy-Connection: close]

What am I doing wrong? This is a NTLM-Proxy...

Thanks for your help!
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: How to use TIdHTTP with NTLM?  
Click to report abuse...   Click to reply to this thread Reply
  Posted: Feb 28, 2017 12:35 PM   in response to: Michael Morelli in response to: Michael Morelli
Michael wrote:

What am I doing wrong?

Nothing. More likely the proxy is simply rejecting your credentials, either
because they are wrong to begin with, or maybe TIdNTLMAuthentication has
an encoding bug. I don't know, and I have no way to test/verify it.

--
Remy Lebeau (TeamB)
Legend
Helpful Answer (5 pts)
Correct Answer (10 pts)

Server Response from: ETNAJIVE02