[Solved] Proxy authentication issue



  • I'm struggling with downloading a simple web page with QNetworkAccessManager. I encounter a proxy authentication issue which I can't overcome.

    Here's a snippet of my code:

    @void Window::download()
    {
        QNetworkAccessManager *manager = new QNetworkAccessManager(this);
        connect(manager, SIGNAL(finished(QNetworkReply*)), this, SLOT(replyFinished(QNetworkReply*)));

        // Credentials are passed directly to the QNetworkProxy constructor
        QNetworkProxy proxy(QNetworkProxy::HttpProxy, "my_proxy_host", 8080, "MY_DOMAIN//my_user", "my_password");

        manager->setProxy(proxy);
        manager->get(QNetworkRequest(QUrl("http://www.google.com")));
    }@

    I've sniffed the HTTP traffic with Wireshark, and here's what it's logged:

    @[truncated] Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAAAAAFQAAADaANoAVAAAABQAFABAAAAAAAAAAFQAAAAAAAAAVAAAAAAAAAAAAAAAAQIAAEYARQBSAFIARQBSAE8ATgBFAFQAe63Ac4fenpjEZxAU3IlPgQEBAAAAAAAAgHLoLSaYzQE5Y2NiYTU0YQAAAAACABQARgBFAFIAUgBFAFIATwBOAEUAV
    NTLM Secure Service Provider
    NTLMSSP identifier: NTLMSSP
    NTLM Message Type: NTLMSSP_AUTH (0x00000003)
    Lan Manager Response: Empty
    NTLM Response: 7badc07387de9e98c4671014dc894f810101000000000000...
    NTLM Client Challenge: 3963636261353461
    Domain name: MY_DOMAIN
    User name: NULL
    Host name: NULL
    Session Key: Empty
    Flags: 0x00000201
    @

    The issue seems to be username remains NULL, even though I specified a value for it in QNetworkProxy constructor. I presume the password is blank as well.

    As you see, NTLM authentication is involved in my scenario. I suspect it's NTLM v2 and something is wrong with Qt and NTLM v2. Not sure though, as I don't have access to the proxy server and I cannot verify whether it uses v2 indeed.

    Do you have any information / suggestion on this issue? Thanks!



  • Maybe you could use nmap to detect what kind of system your proxy is?
    Since it doesn't use Kerberos I hope that you have NTLMv2 at least.

    This might help with the "internals of the protocol":http://msdn.microsoft.com/en-us/library/dd925287(v=office.12).aspx.

    As you can read "here":http://social.msdn.microsoft.com/Forums/en-US/os_interopscenarios/thread/c8f488ed-1b96-4e06-bd65-390aa41138d1, the client walks from the most secure protocol to the weakest.

    Sorry, I can't help you with the Qt details but it may help others to help you if they knew what system and protocol is used here.



  • [quote author="hardcodes.de" date="1348257625"]Maybe you could use nmap to detect what kind of system your proxy is?[/quote]

    Here's what I find nmapping my proxy server. I reckon I don't get much detail for port 8080 (where my proxy server listens) as again it requires authentication:

    @# nmap -T4 -A -v my_proxy_host

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-24 10:59
    [...]
    Not shown: 991 closed ports
    PORT STATE SERVICE VERSION
    [...]
    80/tcp open http CacheFlow http cache
    |_http-title: Access Denied
    |_http-methods: No Allow or Public header in OPTIONS response (status code 407)
    [...]
    8080/tcp open http CacheFlow http cache
    |_http-title: Access Denied
    |_http-methods: No Allow or Public header in OPTIONS response (status code 407)
    8081/tcp open http Blue Coat SG210 http proxy config
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | http-auth:
    | HTTP/1.1 401 Authentication Required
    |_  Basic realm=10.11.21.160
    [...]@

    Is there a more specific way to run nmap and get some further information?





  • As I said, I can not help you with Qt itself just with the discovery of NTLM. I'd say you've got a BlueCoat (= Proxy appliance) - you could try a "nmap -O -sS -sV my_proxy_host" to get more details. Chances are high that it uses NTLM. If you use Internet Explorer via this proxy and must not enter your credentials NTLM is used.

    Then you try to use different user name notations:

    USERNAME
    DOMAIN\USERNAME
    USERNAME@FULL.DOMAIN.NAME



  • OK, done it!

    I eventually found out I cannot directly pass username/password to QNetworkProxy() constructor. I need to take advantage of proxyAuthenticationRequired() signal.

    Here's how I changed my code:

    @void Window::download()
    {
        QNetworkAccessManager *manager = new QNetworkAccessManager(this);
        // No user name or password in the proxy definition
        QNetworkProxy proxy(QNetworkProxy::HttpCachingProxy, "my_proxy_host", 8080);

        connect(manager, SIGNAL(finished(QNetworkReply*)), this, SLOT(replyFinished(QNetworkReply*)));
        connect(manager, SIGNAL(proxyAuthenticationRequired(const QNetworkProxy&, QAuthenticator*)), this, SLOT(onProxyAuthenticationRequired(const QNetworkProxy&, QAuthenticator*)));

        manager->setProxy(proxy);
        manager->get(QNetworkRequest(QUrl("http://www.gnu.org/")));
    }

    // Called when the proxy asks for authentication; credentials are supplied here
    void Window::onProxyAuthenticationRequired(const QNetworkProxy &prox, QAuthenticator *auth)
    {
        auth->setUser("my_user");
        auth->setPassword("my_password");
    }@

    As you can see, now I no longer pass username and password to QNetworkProxy constructor, but I manage authentication data inside onProxyAuthenticationRequired() slot.

    This way, my username is correctly passed to the proxy server, as a Wireshark capture showed.

    I've tested proxy types QNetworkProxy::HttpProxy and QNetworkProxy::HttpCachingProxy and, in my landscape, they both work.
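
The check done above in Wireshark (is the user-name field of the NTLMSSP_AUTH message empty, and is the response NTLMv2-shaped?) can also be made by decoding the Proxy-Authorization value directly. This is an added example, not code from the thread: `parse_ntlm_auth` and `build_sample` are hypothetical names, the tokens are constructed, and a 64-byte message header without the optional version field is assumed.

```python
import base64
import struct
SIG = b"NTLMSSP\x00"

def _field(msg, pos):
    # Field descriptor: Len(2) MaxLen(2) Offset(4), little-endian.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field runs past end of token (truncated capture?)")
    return msg[offset:offset + length]

def parse_ntlm_auth(header_value):
    """Decode 'NTLM <base64>' and return the NTLMSSP_AUTH (type 3) fields."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 64 or msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message with a 64-byte header")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP_AUTH message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Bit 0 = NEGOTIATE_UNICODE; latin-1 is a stand-in for the OEM code page.
    enc = "utf-16-le" if flags & 0x1 else "latin-1"
    nt = _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "host": _field(msg, 44).decode(enc),
        "flags": flags,
        # NTLMv1 responses are exactly 24 bytes; an NTLMv2 response is a
        # 16-byte proof followed by a blob that starts 0x01 0x01.
        "ntlmv2": len(nt) > 24 and nt[16:18] == b"\x01\x01",
    }

def build_sample(domain, user, nt_response):
    """Constructed token with the type 3 layout; not real traffic."""
    payload, hdr = b"", SIG + struct.pack("<I", 3)
    fields = (b"", nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), b"", b"")  # LM, NT, domain, user, host, key
    for data in fields:
        hdr += struct.pack("<HHI", len(data), len(data), 64 + len(payload))
        payload += data
    return "NTLM " + base64.b64encode(hdr + struct.pack("<I", 0x201) + payload).decode()

if __name__ == "__main__":
    v2 = bytes(16) + b"\x01\x01" + bytes(26)  # constructed, NTLMv2-shaped
    for user in ("", "my_user"):
        print(parse_ntlm_auth(build_sample("MY_DOMAIN", user, v2)))
```

The header line shown in the first post is truncated by Wireshark's display and will not parse; the full header value has to be copied from the packet instead.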



  • Although I could not really help you here, I'm happy you got a solution!
    Please write a [solved] into the header of your first post, I think many people stumble upon proxy authentication and would be happy to find a solution :-D



  • [quote author="hardcodes.de" date="1348501241"]I'd say you've got a BlueCoat (= Proxy appliance) - you could try a "nmap -O -sS -sV my_proxy_host" to get more details.[/quote]

    For future reference, here's what I find running nmap with these other options:

    @# nmap -O -sS -sV my_proxy_host

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-25 10:20
    Host is up (0.0017s latency).
    Not shown: 991 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp Blue Coat ftpd
    22/tcp open ssh OpenSSH 5.6 (protocol 2.0)
    80/tcp open http CacheFlow http cache
    161/tcp open snmp?
    554/tcp open rtsp?
    1755/tcp open wms?
    8080/tcp open http CacheFlow http cache
    8081/tcp open http Blue Coat SG210 http proxy config
    8082/tcp open ssl/http Blue Coat SG210 http proxy config
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    Device type: proxy server|general purpose|storage-misc|media device|phone
    Running (JUST GUESSING): Blue Coat SGOS 5.X|6.X (95%), Blue Coat embedded (95%), FreeBSD 5.X|6.X (92%), Apple iOS 4.X|5.X (91%)
    OS CPE: cpe:/o:bluecoat:sgos:5 cpe:/o:bluecoat:sgos:6 cpe:/o:freebsd:freebsd:5.4 cpe:/o:freebsd:freebsd:6.0 cpe:/o:freebsd:freebsd:6 cpe:/o:apple:iphone_os:4 cpe:/o:apple:iphone_os:5
    Aggressive OS guesses: Blue Coat SG510 or SG9000 proxy server (SGOS 5.2.2.5 - 5.5.4.1) (95%), Blue Coat SG510-series proxy server (SGOS 5.1.3.7) (95%), Blue Coat SG810 web proxy (SGOS 5.3.1.9 - 5.3.3.1) (95%), Blue Coat CacheFlow 5000 proxy server (95%), Blue Coat proxy server (SGOS 6.2.5.1) (95%), Blue Coat SG210 proxy server (SGOS 5.2.3.3 - 5.2.3.9) (94%), Blue Coat SGOS 5.5.3.1 (94%), FreeBSD 5.4-RELEASE (92%), FreeBSD 6.0-RELEASE (92%), FreeBSD 6.0-RELEASE - 6.2-RELEASE (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 6 hops
    Service Info: OSs: CacheOS, SGOS; Device: proxy server
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 151.40 seconds@

