36

I work on a corporate Windows network (which I log in to) with an HTTP proxy. When I use Internet Explorer it magically uses the proxy without me needing to type in my password. Certain other programs seem to manage this too, like JavaWebStart has a "use browser settings" option.

However, when I use scripts/programs like curl or wget to fetch stuff from HTTP, or do it within my Java code, I seem to need to have my password stored somewhere, which obviously isn't best for security.

How can I get the password-less access that Internet Explorer has in a programmatic way?

I'm arguing this is a Stack Overflow question because I'm a programmer and I need my programs/scripts to work without typing in the password, though I can see that others might think it belongs on Server Fault/Super User.

I know about settings like `--proxy-ntlm` in curl, but this still requires an NTLM username and password.

Nick Fortescue
  • 1
    I even registered here finally in order to thank you for this great post. Thank you! It would be good if OP-only threads disappear forever... I hate them. Actually, I was looking for libcurl information, not curl util, but your SSPI-hint gave me the right direction. For those who are interested in how to enable NTLM auth with SSPI in your app: 1) Download libcurl sources 2) Open .dsw file as usual 3) Add USE_WINDOWS_SSPI macro to your preprocessor definitions in project settings for 'libcurl' 4) Build solution. Then, in the program, you can set just empty user credentials with CURLAUTH_NTLM in – andrew_d Feb 08 '11 at 12:52

3 Answers

48

In the absence of an answer from someone else, here is what I have discovered; I hope it is useful for someone else.

Executive Summary:

  1. Download SSPI-enabled curl from http://curl.haxx.se/latest.cgi?curl=win32-ssl, changing the download choice to Windows, zip, SSL-enabled, SSPI-enabled (7.19.5).
  2. Install Windows OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html and make a donation to support his bandwidth cost.
  3. Install the Visual C++ 2008 redistributables if you need them.
  4. Use curl to fetch the page: `curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com`

More detailed explanation

The magic phrase for authentication using the Windows login mechanism is SSPI. This gives a good Google search phrase. I still haven't found a good way of using SSPI for HTTP proxy authentication in Java or wget though.

However, curl (the download tool) does support SSPI but only in certain builds. Unfortunately the default Cygwin build is not one of them. You can find out if your build of curl supports SSPI by getting the verbose version information:

```
curl -v -V
```

If SSPI is supported it will be mentioned in the features line.

To get a Windows version that supported SSPI I had to go to http://curl.haxx.se/latest.cgi?curl=win32-ssl and then change the download choice to Windows, zip, SSL-enabled, SSPI-enabled (7.19.5). By the time you read this the version number may have changed.

This then silently failed from the command line. When I ran it from Windows Explorer I got a message about a missing libeay32.dll. One way of getting this from Windows is from the only link at openssl.org to a Windows version. The producer of this requests a donation to cover bandwidth costs. Another way would be to build your own from source.

And after all that curl worked with the following command line:

```
curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com
```

The `-U :` configures no password; the other command-line options set up the proxy. You'll probably have to change your proxy and port settings.

This would all be much easier if only Cygwin's curl release supported SSPI. I'm going to go put in a request for that now.

psubsee2003
Nick Fortescue
  • 1
    Aha! The key for me was the `-U :` option. – Greg Hewgill Feb 20 '11 at 21:49
  • 1
    @NickFortescue: Do you happen to know any utility, that can act as local proxy and can authenticate itself to corporate proxy via NTLM? (thus allowing local utilities that do not support it to use internet transparently without authentication)? Thanks – dma_k Feb 06 '12 at 11:44
  • 1
    +1 for the hint to use `-u :` to use the logged in user's credentials with NTLM. – wilx Jun 05 '13 at 16:41
  • Thanks, this helped a lot!! – Telson Alva Jun 11 '13 at 23:52
  • FWIW, ntlmaps is very good also http://ntlmaps.sourceforge.net/. It hasn't been updated in a while, but it's easier to config than CNTLM and doesn't require admin rights to install. CNTLM claims that it is more efficient than ntlmaps, but I haven't found any of them to be a resource hog – Juancentro Dec 18 '13 at 23:12
  • It seems quite hard to find an SSPI enabled curl download now. None of the standard ones (latest releases) on the curl website work. However, if you go to old releases => archeology, you will find one release with sspi in the name. I confirmed this one works. https://curl.haxx.se/download/archeology/curl-7.33.0-win64-ssl-sspi.zip – Pieter-Jan Busschaert Sep 22 '16 at 11:21
7

Please note my edit contains an inaccurate assumption about -U and -u. I have submitted a correction, but in the interim note:

curl -U = Authentication to a proxy
curl -u = Authentication to a server

Therefore, the first command should be:

```
curl.exe -U : --proxy-ntlm --proxy myproxy.com:8080 http://www.google.com
```

and the second one, in the example for transparent NTLM:

```
curl -v -u : --ntlm [the redirection URL from Location: header]
```

Sorry about that!

macartm
  • So you are saying the edit you made to the currently accepted answer was wrong? – psubsee2003 Oct 19 '12 at 19:55
  • Well, yes, and I submitted a second correction to it but it seems to have got stuck or lost somewhere ... :/ It also seems there is a more complex reason behind the behaviour I was seeing. What I ought to do is remove my bit, and add in an expanded answer as to why you have to do what I did sometimes ... I'll get round to that in the next few days. – macartm Nov 04 '12 at 22:32
  • 1
    The edit was rejected actually... typically edits to code or edits that significantly change answers are rejected (your edit did both). The appropriate action if you see a wrong answer is to leave a comment explaining why you think it is wrong. If the answer poster agrees, he/she will change it. I will roll back your original edit – psubsee2003 Nov 05 '12 at 09:58
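Added example, not code from either answer above: a Python sketch of the two checks a script can make before calling curl, namely that the build lists NTLM and SSPI on the `Features:` line of `curl -V`, and that `-U :` (proxy) or `-u :` (server) is chosen correctly. The sample `curl -V` outputs are constructed, and the function names `curl_features` and `sso_curl_args` are hypothetical.

```python
import shlex

# Constructed `curl -V` outputs for illustration (not captured from real builds).
SSPI_BUILD = """curl 0.0.0 (sample-win32) libcurl/0.0.0
Protocols: ftp http https
Features: AsynchDNS Largefile NTLM SSL SSPI libz
"""
NO_SSPI_BUILD = """curl 0.0.0 (sample-cygwin) libcurl/0.0.0
Protocols: ftp http https
Features: Largefile NTLM SSL libz
"""


def curl_features(version_text):
    """Return the tokens on the 'Features:' line of `curl -V` output."""
    for line in version_text.splitlines():
        if line.startswith("Features:"):
            return set(line.split(":", 1)[1].split())
    return set()


def sso_curl_args(version_text, url, proxy=None):
    """Build a curl argv that carries no stored password (hypothetical helper).

    Raises RuntimeError when the build lacks NTLM or SSPI, so a script stops
    instead of falling back to credentials kept in a file or on the command line.
    """
    missing = {"NTLM", "SSPI"} - curl_features(version_text)
    if missing:
        raise RuntimeError("curl build lacks: " + ", ".join(sorted(missing)))
    if proxy:
        # -U authenticates to the proxy; the empty "user:password" pair ":"
        # leaves the credentials to SSPI, i.e. the logged-in Windows account.
        auth = ["-U", ":", "--proxy-ntlm", "--proxy", proxy]
    else:
        # -u authenticates to the server itself.
        auth = ["-u", ":", "--ntlm"]
    return ["curl.exe", *auth, url]


if __name__ == "__main__":
    # In real use version_text would be the output of `curl -V`.
    print(shlex.join(sso_curl_args(SSPI_BUILD, "http://www.google.com",
                                   proxy="myproxy.com:8080")))
    try:
        sso_curl_args(NO_SSPI_BUILD, "http://www.google.com", "myproxy.com:8080")
    except RuntimeError as err:
        print("refused:", err)
```
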
3

Might be a bit late but wanted to mention this nonetheless. The original question is generically asking about NTLM proxy auth without passwords on Windows where the user has already logged in. No doubt curl can do this but I wanted to give another option.

NTLMAps and Cntlm are proxies that do the NTLM auth as an intermediary proxy. However, they both require the user/pass since they are mostly targeted towards Linux users. I historically used these tools on Windows but was annoyed by the same requirement of having to provide the credentials to them.

As a result, I've authored Px for Windows which is an HTTP proxy like the above two, but uses SSPI to manage the required authentication with the corporate proxy. All you need to configure is the proxy server and port. It helps for existing applications that cannot talk through NTLM proxies such as pip and npm for example.

For developing your own apps, the code should also help figure out how to do this within Python and perhaps languages which have access to SSPI.

genotrance
  • Please note that CNTLM has a version with SSPI support, see https://github.com/Evengard/cntlm – parasietje Mar 22 '18 at 12:20
  • That's good to know, no official updates on cNTLM since 2012 so nice to see someone picking it up. Wish they had posted a binary build to make it easier to try out. – genotrance Mar 23 '18 at 18:06
  • The cntlm build referenced above [seems to be broken in modern linux versions (since 2016)](https://github.com/Evengard/cntlm/issues/11) – Mike Pennington Jun 22 '18 at 17:57