HttpWebRequest over Https Via Proxy Fails using NTLM

A C# (.NET 2) application which uses the System.Net.HttpWebRequest object to
request a resource over HTTPS is failing following the installation of a new
proxy server on our internal network with 407 Proxy Authentication Required.

The same request through the old proxy succeeds.

The same request to an HTTP address through the new proxy succeeds.

Also, the request succeeds when forced to use Basic authentication but fails
on NTLM.

Tracing network packets when forcing the request to use NTLM reveals the
credentials passed up to the proxy are being corrupted so that they only show
the first character of the username, domain and hostname.

The network trace shows that the old proxy responds with HTTP1.1 and the new
one responds with HTTP1.0 - I'm not sure if this is significant.

The code used to perform the request can be seen below.

private void LoadResource(string URL)
{
    HttpWebRequest wreq;
    HttpWebResponse wresp;
    CredentialCache credCache;

    wresp = null;

    try
    {
        // Force NTLM Authentication by removing all other authentication modules...
        AuthenticationManager.Unregister("Basic");
        AuthenticationManager.Unregister("Kerberos");
        //AuthenticationManager.Unregister("Ntlm");
        AuthenticationManager.Unregister("Negotiate");
        AuthenticationManager.Unregister("Digest");

        wreq = (HttpWebRequest)WebRequest.Create(URL);
        wreq.Proxy = System.Net.WebProxy.GetDefaultProxy();
        wreq.Proxy.Credentials = new CredentialCache();

        NetworkCredential cred = new NetworkCredential(txtUserName.Text,
            txtPassword.Text, @"mydomain");

        ((CredentialCache)wreq.Proxy.Credentials).Add(
            new Uri(((WebProxy)wreq.Proxy).Address.AbsoluteUri), "Negotiate", cred);

        ((CredentialCache)wreq.Proxy.Credentials).Add(
            new Uri(((WebProxy)wreq.Proxy).Address.AbsoluteUri), "Ntlm", cred);

        ((CredentialCache)wreq.Proxy.Credentials).Add(
            new Uri(((WebProxy)wreq.Proxy).Address.AbsoluteUri), "Basic", cred);

        ((CredentialCache)wreq.Proxy.Credentials).Add(new Uri(URL), "Basic", cred);

        ((CredentialCache)wreq.Proxy.Credentials).Add(new Uri(URL), "Ntlm", cred);

        ((CredentialCache)wreq.Proxy.Credentials).Add(new Uri(URL), "Negotiate", cred);

        wresp = (HttpWebResponse)wreq.GetResponse();
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.ToString());
    }
    finally
    {
        if (wresp != null) { wresp.Close(); }
    }
}

As the request succeeds on the old proxy I suspect that the challenge
response sent back from new proxy must be causing something different to
happen within the .net ntlm authentication module resulting in the corrupted
credentials being sent back to the proxy.

Is there any way to debug the ntlm authentication module to see exactly what
is going on during the request or can anyone give me an example of a custom
ntlm authentication module to try - I only seem able to find custom basic
authentication examples ?

Any help greatly appreciated...
Jun 27 '08 #1
You should check the proxy authentication request headers to see which
authentication schemes it allows. It may only support basic. NT/LM requires
http 1.1 because it requires keep-alives.
-- bruce (sqlwork.com)
Jun 27 '08 #2
The proxy authentication header returns Basic, NTLM, and Negotiate.

I can force my application to only use basic and the request is successful but
when I force the application to use NTLM the problem occurs.

Additionally, the problem only occurs when requesting an https address.
http addresses authenticate using NTLM no problem but obviously the
authentication handshake is different with http sending a GET whereas https
sends CONNECT etc.

A network trace shows that the https request handshake is as follows :

Client : Send CONNECT
Proxy : Send 407 Authentication Required (Basic, NTLM, Negotiate)
Client : Send CONNECT with NTLMS_NEGOTIATE
Proxy : Send 407 Authentication Required (NTLMSSP_CHALLENGE)
Client : Send CONNECT with NTLMSSP_AUTH (At this point the credentials appear corrupted - only first character of username, domain and hostname are displayed in the trace)
Proxy : Send 407 Authentication Required (Due to invalid credentials)

I understand what you are saying about HTTP1.1 and keep alives but wouldn't
that also prevent the http requests failing over NTLM if that was a problem ?
Jun 27 '08 #3
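
Added example, not part of the thread and not .NET code: a small Python decoder for the NTLMSSP_AUTH (type 3) token copied from the Proxy-Authorization header of a trace like the one described above, following the field layout in the published NTLM specification (MS-NLMP). It reports each name as decoded per the negotiated Unicode flag and as cut at the first NUL byte, so a field that is really one character long can be told apart from a full UTF-16LE field; the sample message, its names (`MYDOMAIN`, `jdoe`, `WKSTN01`) and the `cp437` OEM code page are constructed assumptions.

```python
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE bit in NegotiateFlags
# Offsets of the (len, maxlen, offset) descriptors in an AUTHENTICATE message
NAME_FIELDS = (("domain", 28), ("user", 36), ("workstation", 44))


def decode_authenticate(header_value, oem_codepage="cp437"):
    """Decode the name fields of an NTLM type 3 token from a Proxy-Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(token)
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature or truncated header")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    is_unicode = bool(flags & NEGOTIATE_UNICODE)
    charset = "utf-16-le" if is_unicode else oem_codepage  # OEM page is an assumption
    result = {"unicode": is_unicode}
    for name, pos in NAME_FIELDS:
        length, _max_len, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError(name + " descriptor points outside the message")
        raw = msg[offset:offset + length]
        result[name] = raw.decode(charset, errors="replace")
        result[name + "_bytes"] = length
        # What a viewer that treats the field as a NUL-terminated string shows
        result[name + "_nul_cut"] = raw.split(b"\x00", 1)[0].decode("latin-1")
    return result


def build_sample():
    """Constructed type 3 message (not taken from the thread's trace)."""
    names = [s.encode("utf-16-le") for s in ("MYDOMAIN", "jdoe", "WKSTN01")]
    blobs = [b"\x00" * 24, b"\x00" * 24] + names + [b""]  # LM, NT, names, session key
    descriptors, payload, offset = b"", b"", 64
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), offset)
        payload += blob
        offset += len(blob)
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors
           + struct.pack("<I", NEGOTIATE_UNICODE) + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    for key, value in decode_authenticate(build_sample()).items():
        print(key, "=", repr(value))
```

Comparing the `_bytes` length of each field with its decoded value shows whether the client put a short name on the wire or the trace tool only displayed the first byte pair.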
