Discussion:
WinInet authentication issue
George
2008-09-19 03:14:00 UTC
Hello everyone,


I want to implement the handshake of Windows Integrated Authentication
myself. Here is a reference link for the protocol and the steps of the handshake.

http://en.wikipedia.org/wiki/NTLM

I have tried a prototype using the WinInet API below, and found that each time
I use the WinInet API InternetOpenUrl, this API handles all the underlying
authentication handshakes for me.

http://TestMachine/Monitor is a web site set up in IIS with Windows
Integrated Authentication, and the following invocation of InternetOpenUrl
automatically returns 200 OK and uses my current login user's
credentials automatically -- no chance for me to parse the response from
IIS each time and do the handshake by myself.

My question is, could I use a WinInet-level API like InternetOpenUrl to
achieve my goal? Why?

My simple code:

[Code]
#include <winsock2.h>
#include <wininet.h>
#include <stdlib.h>
#include <iostream>
using namespace std;

#pragma comment(lib, "wininet.lib")   // link against WinInet (MSVC)

int main()
{
    // Open a WinInet session using the user's preconfigured proxy settings.
    HINTERNET hINet = InternetOpen(TEXT("InetURL/1.0"),
        INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (!hINet)
    {
        return EXIT_FAILURE;
    }

    // InternetOpenUrl sends the request; as described above, WinInet handles
    // the authentication handshake itself with the current user's credentials.
    HINTERNET hFile = InternetOpenUrl(hINet,
        TEXT("http://TestMachine/Monitor"), NULL, 0, 0, 0);
    if (hFile)
    {
        CHAR buffer[1024] = {0};
        DWORD dwRead = 0;

        // Read the response body in chunks, leaving room for the terminator.
        while (InternetReadFile(hFile, buffer, 1023, &dwRead))
        {
            if (dwRead == 0)
                break;
            buffer[dwRead] = 0;
            cout << buffer << endl;
        }
        InternetCloseHandle(hFile);
    }
    InternetCloseHandle(hINet);

    return EXIT_SUCCESS;
}
[/Code]


thanks in advance,
George
Dan Mitchell
2008-09-22 23:09:50 UTC
Post by George
My question is, could I use a WinInet-level API like InternetOpenUrl to
achieve my goal? Why?
I don't think so -- WinInet automatically handles the authentication
for you, it's a higher-level API meant to make things easy. You'd need
to use lower-level sockets calls like WSAConnect or just plain
'connect' (depending on if you prefer windows or unix-style sockets) and
then do everything by hand.

However, I don't think there's a way to get the WinInet-level handling
of HTTP without it also doing the authentication, so you'd then have to
send the HTTP GET call yourself, etc.

Looking on MSDN in the WinInet documentation under 'authentication',
this page:

http://msdn.microsoft.com/en-us/library/aa384220(VS.85).aspx

suggests that you could possibly totally disable NTLM authentication by
messing with DLLs/registry, but I suspect that would disable it for
everything on your computer, which may or may not be what you want.

-- dan
George
2008-09-23 05:50:01 UTC
Hi Dan,


You have recommended a really good article. One more question, what does
"Proxy Authentication" mean? Especially "When a client attempts to use a proxy
that requires authentication, the proxy returns a 407 status code message to
the client." from the link you recommended,

http://msdn.microsoft.com/en-us/library/aa384220(VS.85).aspx

My confusions are,

1. what is the proxy in this context? the proxy server which we set up in our
IE HTTP connection settings?

2. we always do authentication with the web site -- so two parties, client
and web site, why is the proxy involved?


regards,
George
Dan Mitchell
2008-09-23 22:38:30 UTC
Post by George
You have recommended a really good article.
There's a lot of stuff in the documentation if you poke around, yup.
Post by George
One more question, what does
"Proxy Authentication" mean? Especially "When a client attempts to
use a proxy that requires authentication, the proxy returns a 407
status code message to the client." from the link you recommended,
Let's say I'm at company X. Company X has a web proxy set up between
the LAN and the internet (ISA server, squid, whatever). The web proxy
passes requests from the inside to the outside (to improve caching,
security, etc).

Imagine that group A in the company can get full access to the
internet, but group B can only get to a limited set of web sites to stop
people spending all day on facebook, say. The only way the proxy can
restrict things appropriately is by forcing users to authenticate with
the proxy.
Post by George
1. what is the proxy in this context? the proxy server which we set up
in our IE HTTP connection settings?
Yup.
Post by George
2. we always do authentication with the web site -- so two parties,
client and web site, why is the proxy involved?
See above.

-- dan
George
2008-09-24 06:15:00 UTC
Thanks Dan,


1.

The proxy authentication is just 2-party authentication -- client and the
proxy server, and has nothing to do with the external web site (i.e. proxy
authentication is just used to identify the user's identity from the proxy's point of
view)?

2.

If the external web sites like facebook also need authentication, the user
needs to authenticate twice -- one time with the proxy and the other time with
the external web site?


regards,
George
Dan Mitchell
2008-09-25 23:59:01 UTC
Post by George
1.
The proxy authentication is just 2-party authentication -- client
and the proxy server, and has nothing to do with the external web
site (i.e. proxy authentication is just used to identify the user's
identity from the proxy's point of view)?
Yes, that's correct.
Post by George
2.
If the external web sites like facebook also need authentication,
the user needs to authenticate twice -- one time with the proxy and the
other time with the external web site?
Yes -- the web site manages its own authentication totally separately.
This may be through a form (facebook, banks, etc), or through
basic/digest authentication (as part of HTTP). See

http://en.wikipedia.org/wiki/Basic_access_authentication
and
http://en.wikipedia.org/wiki/Digest_access_authentication

Note that typically WinInet will store authentication information for
your proxy server, so you only have to authenticate with that once per
session; similarly, web sites generally only ask you to authenticate
with _them_ once, but it's up to the person coding the web site to
manage that.

-- dan
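
Added example, not code from any poster in this thread: portable C++ for the parsing side of doing the NTLM handshake by hand, tied to the 401/407 split discussed above. It reports which NTLM message (type 1, 2 or 3) an authentication header value carries and which request header answers a 401 (web site) or a 407 (proxy). The function names are illustrative, and the sample tokens are constructed and hold only the NTLMSSP signature and message type.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Decode base64 (RFC 4648 alphabet); '=' padding or any other character ends the token.
static std::vector<uint8_t> b64decode(const std::string& s) {
    static const std::string abc =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::vector<uint8_t> out;
    uint32_t acc = 0;
    int bits = 0;
    for (char c : s) {
        std::string::size_type v = abc.find(c);
        if (v == std::string::npos) break;
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF)); }
    }
    return out;
}

// -1: not an NTLM header value; 0: bare "NTLM" offer with no token yet;
// 1 / 2 / 3: NEGOTIATE (client), CHALLENGE (server or proxy), AUTHENTICATE (client).
int ntlmMessageType(const std::string& value) {
    if (value.compare(0, 4, "NTLM") != 0) return -1;
    if (value.size() == 4) return 0;
    if (value[4] != ' ') return -1;
    std::vector<uint8_t> t = b64decode(value.substr(5));
    static const uint8_t sig[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    if (t.size() < 12 || std::memcmp(t.data(), sig, 8) != 0) return -1;
    // The message type is a little-endian 32-bit integer right after the signature.
    uint32_t type = t[8] | (t[9] << 8) | (t[10] << 16) | (uint32_t(t[11]) << 24);
    return (type >= 1 && type <= 3) ? static_cast<int>(type) : -1;
}

// 401 comes from the web site, 407 from the proxy; each is answered in its own header.
const char* replyHeaderFor(int status) {
    if (status == 401) return "Authorization";
    if (status == 407) return "Proxy-Authorization";
    return "";
}

int main() {
    // Constructed challenge as a proxy would send it in Proxy-Authenticate with a 407.
    std::cout << "type " << ntlmMessageType("NTLM TlRMTVNTUAACAAAA")
              << ", reply in " << replyHeaderFor(407) << "\n";
    return 0;
}
```
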
George
2008-09-26 07:44:03 UTC
Thanks Dan,


I am wondering what mechanisms the proxy server uses to authenticate the
end user? Also the standard HTTP authentication approaches, like Basic/Digest as
you mentioned, which are also used by the external web site to do authentication?


regards,
George
Dan Mitchell
2008-09-26 17:13:02 UTC
Post by George
I am wondering what mechanisms the proxy server uses to authenticate
the end user?
Depends on the settings. Some do it transparently behind the scenes
(websense, for instance, uses your NT login ID and a separate process on
Windows, but on the Mac you have to log in manually).
Post by George
Also the standard HTTP authentication approaches, like
Basic/Digest as you mentioned, which are also used by the external web site
to do authentication?
Proxy servers will almost certainly use HTTP authentication, yup, that's
what the HTTP standard is for.

-- dan
George
2008-09-27 06:52:00 UTC
Thanks Dan!
Post by Dan Mitchell
Proxy servers will almost certainly use HTTP authentication, yup, that's
what the HTTP standard is for.
Good to know the proxy server is also using standard HTTP authentication
mechanisms, like HTTP basic/digest.


regards,
George
