Simple http client with NTLM proxy


Guy Brandwine

Feb 3, 2015, 6:57:49 PM
to golan...@googlegroups.com
Hi.

Just went through a lot of problems trying to run a simple http request on a LAN that has an NTLM proxy.
If I don't define a proxy I get a timeout; if I do define a proxy, more or less like this:


package main
import ("encoding/base64"; "log"; "net/http"; "net/url")
func main() {
    proxyUrl, err := url.Parse("http://myserver:myport") // placeholder proxy address
    if err != nil { log.Fatal(err) }
    client := &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxyUrl)}}
    req, _ := http.NewRequest("GET", "http://mysite.com", nil)
    req.Header.Add("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("user:pw")))
    resp, err := client.Do(req)
    if err != nil { log.Fatal(err) }
    log.Println(resp.Status) // 407 Proxy Authentication Required
}

I get 407 Proxy Authentication Required.
Following Wireshark, I found out that the browser (proxy setting configured without any user/pw, just IP+port) is getting the 407 and then starts negotiating NTLM, until it succeeds and displays the content (the user does not know of the multi-steps, just sees the content as the final result).

I've read both gontlm / go-ntlm and, except for the Transport struct that may suggest a connection point to the http.Client, I can't figure out how to use these packages (left the authors a message) in conjunction with http client/request.

A sample of 6-10 lines like the snippet above would do the job.

    Thanks,
         Guy.

brainman

Feb 4, 2015, 1:14:30 AM
to golan...@googlegroups.com
On Wednesday, 4 February 2015 10:57:49 UTC+11, Guy Brandwine wrote:

> ... Following Wireshark, I found out that the browser (proxy setting configured without any user/pw, just IP+port) is getting the 407 and then starts negotiating NTLM, until it succeeds and displays the content (the user does not know of the multi-steps, just sees the content as the final result).

I suspect what is happening here is that both browser and proxy use SSPI to pass user credentials (from browser to proxy). The API is designed in such a way that neither needs to provide any user attributes. Instead the API discovers user credentials from Windows and uses them to generate NTLM messages that are passed back and forth until authentication is established.

> ... I've read both gontlm / go-ntlm and, except for the Transport struct that may suggest a connection point to the http.Client, I can't figure out how to use these packages (left the authors a message) in conjunction with http client/request.

I had a quick look at these. Neither uses SSPI. So they must generate NTLM messages manually. Therefore you would have to supply domain/username/password to them. I know nothing else about these packages, so you would have to work out how to use them yourself.

I hope it helps a little.

Alex

Guy brandwine

Feb 4, 2015, 4:20:27 AM
to brainman, golan...@googlegroups.com

Hi.

Thanks for the reply.

The computer using the browser is not on the domain, so its credentials will not aid - can SSPI do that if the computer is not on the AD?

Moreover, when the packet finally succeeds I get a message containing NTLM inside, which made me suspect the protocol is using NTLM from the beginning.

                Guy.


brainman

Feb 4, 2015, 4:45:00 AM
to golan...@googlegroups.com, alex.b...@gmail.com
On Wednesday, 4 February 2015 20:20:27 UTC+11, Guy Brandwine wrote:

> ... The computer using the browser is not on the domain, so its credentials will not aid - can SSPI do that if the computer is not on the AD?

I don't know. I suspect it will do that anywhere. I am not sure what your proxy requires. But SSPI (once successfully authenticated) will allow it to change the "current user" of its own thread to the browser's "current user". Then it might call GetUserName (or any similar API) to determine who the browser's user is. Or it can run any other operation pretending to be the browser's user.

> ... Moreover, when the packet finally succeeds I get a message containing NTLM inside, which made me suspect the protocol is using NTLM from the beginning.

SSPI supports different "providers". NTLM is one of them. When NTLM is used you will see 3 messages: a challenge from the server, a reply from the client, and success or rejection from the server. I suspect these will be encoded into HTTP headers in your case.

Alex
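The challenge Alex describes arrives base64-encoded in the Proxy-Authenticate header of the 407. The Go parser below is an added example, not code from this thread or from the gontlm / go-ntlm packages; it decodes the fixed part of that CHALLENGE_MESSAGE (layout per MS-NLMP) so a client can see the server challenge, the negotiated flags and the target domain before deciding how to answer, and it refuses offsets that point outside the buffer. SampleHeader is a constructed message, not a capture; answering the challenge still needs the user's credentials, which is the part the packages mentioned above have to generate manually.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"strings"
	"unicode/utf16"
)

// ParseChallenge decodes the "NTLM <base64>" value a proxy puts in the
// Proxy-Authenticate header of its 407 (the challenge, first of the three
// NTLM messages). Fixed part of a CHALLENGE_MESSAGE: "NTLMSSP\x00", type=2,
// TargetName len/maxlen/offset, NegotiateFlags, 8-byte ServerChallenge,
// 8 reserved bytes, TargetInfo len/maxlen/offset (48 bytes), then payload.
func ParseChallenge(header string) (flags uint32, challenge []byte, target string, err error) {
	msg, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "NTLM "))
	if err != nil || len(msg) < 48 || string(msg[:8]) != "NTLMSSP\x00" || binary.LittleEndian.Uint32(msg[8:]) != 2 {
		return 0, nil, "", errors.New("not a well-formed NTLM CHALLENGE_MESSAGE")
	}
	flags = binary.LittleEndian.Uint32(msg[20:])
	challenge = msg[24:32]
	n, off := int(binary.LittleEndian.Uint16(msg[12:])), int(binary.LittleEndian.Uint32(msg[16:]))
	if off+n > len(msg) { // hostile or truncated message: never index past the buffer
		return 0, nil, "", errors.New("TargetName points outside the message")
	}
	name := msg[off : off+n]
	if flags&1 == 0 { // NTLMSSP_NEGOTIATE_UNICODE clear: OEM (ASCII) target name
		return flags, challenge, string(name), nil
	}
	u := make([]uint16, len(name)/2) // UTF-16LE target name
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(name[2*i:])
	}
	return flags, challenge, string(utf16.Decode(u)), nil
}

// SampleHeader builds a constructed (not captured) challenge naming the
// domain "CORP", formatted as a proxy would send it in Proxy-Authenticate.
func SampleHeader() string {
	msg := append([]byte("NTLMSSP\x00"), 2, 0, 0, 0) // signature, MessageType 2
	msg = append(msg, 8, 0, 8, 0, 48, 0, 0, 0)        // TargetName: len 8, maxlen 8, offset 48
	msg = append(msg, 0x01, 0x02, 0x00, 0x00)         // flags 0x201: UNICODE | NEGOTIATE_NTLM
	msg = append(msg, 1, 2, 3, 4, 5, 6, 7, 8)         // ServerChallenge (constructed)
	msg = append(msg, make([]byte, 16)...)            // Reserved + empty TargetInfo fields
	msg = append(msg, "C\x00O\x00R\x00P\x00"...)      // payload: "CORP" in UTF-16LE
	return "NTLM " + base64.StdEncoding.EncodeToString(msg)
}
```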

Guy brandwine

Feb 4, 2015, 5:09:09 AM
to brainman, golan...@googlegroups.com

Thanks again.

Well, I don't seem to find an SSPI package for Go either.

I will try to look up the DLLs, but that's for Windows clients only.

                Guy.


brainman

Feb 4, 2015, 9:36:04 PM
to golan...@googlegroups.com, alex.b...@gmail.com
On Wednesday, 4 February 2015 21:09:09 UTC+11, Guy Brandwine wrote:

> ... Well, I don't seem to find an SSPI package for Go either.

I have not seen one either.

> ... I will try to look up the DLLs, but that's for Windows clients only.

Yes, SSPI is by Microsoft. It is available on Windows only.

Alex

brainman

Aug 12, 2015, 12:32:59 AM
to golang-nuts, alex.b...@gmail.com
Recently I needed something similar: github.com/alexbrainman/sspi/ntlm. You might find it useful.

Alex