[Solved] Proxy authentication issue

solitone · wrote on 21 Sept 2012, 16:50

I'm struggling with downloading a simple web page with QNetworkAccessManager. I encounter a proxy authentication issue which I can't overcome.

Here's a snippet of my code:

@void Window::download()
{
QNetworkAccessManager manager = new QNetworkAccessManager(this);
connect(manager, SIGNAL(finished(QNetworkReply)), this, SLOT(replyFinished(QNetworkReply*)));

QNetworkProxy proxy(QNetworkProxy::HttpProxy, "my_proxy_host", 8080, "MY_DOMAIN//my_user", "my_password");

manager->setProxy(proxy);
manager->get(QNetworkRequest(QUrl("http://www.google.com")));
}@

I've sniffed the HTTP traffic with Wireshark, and here's what it's logged:

@[truncated] Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAAAAAFQAAADaANoAVAAAABQAFABAAAAAAAAAAFQAAAAAAAAAVAAAAAAAAAAAAAAAAQIAAEYARQBSAFIARQBSAE8ATgBFAFQAe63Ac4fenpjEZxAU3IlPgQEBAAAAAAAAgHLoLSaYzQE5Y2NiYTU0YQAAAAACABQARgBFAFIAUgBFAFIATwBOAEUAV
NTLM Secure Service Provider
NTLMSSP identifier: NTLMSSP
NTLM Message Type: NTLMSSP_AUTH (0x00000003)
Lan Manager Response: Empty
NTLM Response: 7badc07387de9e98c4671014dc894f810101000000000000...
NTLM Client Challenge: 3963636261353461
Domain name: MY_DOMAIN
User name: NULL
Host name: NULL
Session Key: Empty
Flags: 0x00000201
@

The issue seems to be username remains NULL, even though I specified a value for it in QNetworkProxy constructor. I presume the password is blank as well.

As you see, NTLM authentication is involved in my scenario. I suspect it's NTLM v2 and something is wrong with QT and NTLM v2. Not sure though, as I don't have access to the proxy server and I cannot verify whether it uses v2 indeed.

Do you have any information / suggestion on this issue? Thanks!

hardcodes.de · wrote on 21 Sept 2012, 20:00

Maybe you could use nmap to detect what kind of system your proxy is?
Since it doesn't use Kerberos I hope that you have NTLMv2 at least.

This might help with the "internals of the protocol":http://msdn.microsoft.com/en-us/library/dd925287(v=office.12).aspx.

As you can read "here":http://social.msdn.microsoft.com/Forums/en-US/os_interopscenarios/thread/c8f488ed-1b96-4e06-bd65-390aa41138d1, the client walks from the most secure protocol to the weakest.

Sorry, I can't help you with the Qt details but it may help others to help you if they knew what system and protocol is used here.

solitone · wrote on 24 Sept 2012, 09:45

[quote author="hardcodes.de" date="1348257625"]Maybe you could use nmap to detect what kind of system your proxy is?[/quote]

Here's what I find nmapping my proxy server. I reckon I don't get much detail for port 8080 (where my proxy server listens) as again it requires authentication:

@# nmap -T4 -A -v my_proxy_host

Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-24 10:59
[...]
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
[...]
80/tcp open http CacheFlow http cache
|_http-title: Access Denied
|_http-methods: No Allow or Public header in OPTIONS response (status code 407)
[...]
8080/tcp open http CacheFlow http cache
|_http-title: Access Denied
|_http-methods: No Allow or Public header in OPTIONS response (status code 407)
8081/tcp open http Blue Coat SG210 http proxy config
|http-title: Site doesn't have a title (text/plain; charset=utf-8).
| http-auth:
| HTTP/1.1 401 Authentication Required
| Basic realm=10.11.21.160
[...]@

Is there a more specific way to run nmap and get some further information?

solitone · wrote on 24 Sept 2012, 09:57

I see several reports on proxy authentication issues--e.g.

Do you think the problem I'm facing could be related to something similar?

hardcodes.de · wrote on 24 Sept 2012, 15:40

As I said, I can not help you with Qt itself just with the discovery of NTLM. I'd say you've got a BlueCoat (= Proxy appliance) - you could try a "nmap -O -sS -sV my_proxy_host" to get more details. Chances are high that it uses NTLM. If you use Internet Explorer via this proxy and must not enter your credentials NTLM is used.

Then you try to use different user name notations:

USERNAME
DOMAIN\USERNAME
USERNAME@FULL.DOMAIN.NAME

solitone · wrote on 24 Sept 2012, 16:20

OK, done it!

I eventually found out I cannot directly pass username/password to QNetworkProxy() constructor. I need to take advantage of proxyAuthenticationRequired() signal.

Here's how I changed my code:

@void Window::download()
{
QNetworkAccessManager *manager = new QNetworkAccessManager(this);
QNetworkProxy proxy(QNetworkProxy::HttpCachingProxy, "my_proxy_host", 8080);

connect(manager, SIGNAL(finished(QNetworkReply*)), this, SLOT(replyFinished(QNetworkReply*)));
connect(manager, SIGNAL(proxyAuthenticationRequired(const QNetworkProxy&, QAuthenticator*)), this, SLOT(onProxyAuthenticationRequired(const QNetworkProxy&, QAuthenticator*)));

manager->setProxy(proxy);
manager->get(QNetworkRequest(QUrl("http://www.gnu.org/")));
}

void Window::onProxyAuthenticationRequired(const QNetworkProxy &prox, QAuthenticator *auth)
{
auth->setUser("my_user");
auth->setPassword("my_password");
}@

As you can see, now I no longer pass username and password to QNetworkProxy constructor, but I manage authentication data inside onProxyAuthenticationRequired() slot.

This way, my username is correctly passed to the proxy server, as a WireShark's capture showed.

I've tested proxy types QNetworkProxy::HttpProxy and QNetworkProxy::HttpCachingProxy and, in my landscape, they both work.

hardcodes.de · wrote on 24 Sept 2012, 16:52

Allthough I could not really help you here, I'm happy you got a solution!
Please write a [solved] into the header of your first post, I think many people stumble upon proxy authentication and would be happy to find a solution :-D

solitone · wrote on 25 Sept 2012, 08:51

[quote author="hardcodes.de" date="1348501241"]I'd say you've got a BlueCoat (= Proxy appliance) - you could try a "nmap -O -sS -sV my_proxy_host" to get more details.[/quote]

For future reference, here's what I find running nmap with these other options:

@# nmap -O -sS -sV my_proxy_host

Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-25 10:20
Host is up (0.0017s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Blue Coat ftpd
22/tcp open ssh OpenSSH 5.6 (protocol 2.0)
80/tcp open http CacheFlow http cache
161/tcp open snmp?
554/tcp open rtsp?
1755/tcp open wms?
8080/tcp open http CacheFlow http cache
8081/tcp open http Blue Coat SG210 http proxy config
8082/tcp open ssl/http Blue Coat SG210 http proxy config
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port554-TCP:V=6.01%I=7%D=9/25%Time=5061696A%P=i686-pc-windows-windows%r
SF:(HTTPOptions,C2,"RTSP/1.0\x20200\x20OK\r\nServer:\x20RealServer\x20Ver
SF:sion\x208.0.1.367\x20(win32)\r\nPublic:\x20OPTIONS,\x20DESCRIBE,\x
SF:20SETUP,\x20PLAY,\x20PAUSE,\x20SET_PARAMETER,\x20TEARDOWN\r\nStatsMask:
SF:\x207\r\nSession:\x2062aed6c439b105cdd361540d3a41aaf5\r\n\r\n")%r(SIPOp
SF:tions,CC,"RTSP/1.0\x20200\x20OK\r\nCSeq:\x2042\r\nServer:\x20RealServe
SF:r\x20Version\x208.0.1.367\x20(win32)\r\nPublic:\x20OPTIONS,\x20DES
SF:CRIBE,\x20SETUP,\x20PLAY,\x20PAUSE,\x20SET_PARAMETER,\x20TEARDOWN\r\nSt
SF:atsMask:\x207\r\nSession:\x2099e464b6e7c55b2dc419be5a45197e19\r\n\r\n");
Device type: proxy server|general purpose|storage-misc|media device|phone
Running (JUST GUESSING): Blue Coat SGOS 5.X|6.X (95%), Blue Coat embedded (95%), FreeBSD 5.X|6.X (92%), Apple iOS 4.X|5.X (91%)
OS CPE: cpe:/o:bluecoat:sgos:5 cpe:/o:bluecoat:sgos:6 cpe:/o:freebsd:freebsd:5.4 cpe:/o:freebsd:freebsd:6.0 cpe:/o:freebsd:freebsd:6 cpe:/o:apple:iphone_os:4 cpe:/o:apple:iphone_os:5
Aggressive OS guesses: Blue Coat SG510 or SG9000 proxy server (SGOS 5.2.2.5 - 5.5.4.1) (95%), Blue Coat SG510-series proxy server (SGOS 5.1.3.7) (95%), Blue Coat SG810 web proxy (SGOS 5.3.1.9 - 5.3.3.1) (95%), Blue Coat CacheFlow 5000 proxy server (95%), Blue Coat proxy server (SGOS 6.2.5.1) (95%), Blue Coat SG210 proxy server (SGOS 5.2.3.3 - 5.2.3.9) (94%), Blue Coat SGOS 5.5.3.1 (94%), FreeBSD 5.4-RELEASE (92%), FreeBSD 6.0-RELEASE (92%), FreeBSD 6.0-RELEASE - 6.2-RELEASE (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
Service Info: OSs: CacheOS, SGOS; Device: proxy server
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.40 seconds@