September 21, 2012

solitone solitone
Lab Rat
4 posts

[Solved] Proxy authentication issue

 

I’m struggling with downloading a simple web page with QNetworkAccessManager. I encounter a proxy authentication issue which I can’t overcome.

Here’s a snippet of my code:

    void Window::download()
    {
        connect(manager, SIGNAL(finished(QNetworkReply*)), this, SLOT(replyFinished(QNetworkReply*)));

        QNetworkProxy proxy(QNetworkProxy::HttpProxy, "my_proxy_host", 8080, "MY_DOMAIN//my_user", "my_password");

        manager->setProxy(proxy);
        manager->get(QNetworkRequest(QUrl("http://www.google.com")));
    }

I’ve sniffed the HTTP traffic with Wireshark, and here’s what it’s logged:

    [truncated] Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAAAAAFQAAADaANoAVAAAABQAFABAAAAAAAAAAFQAAAAAAAAAVAAAAAAAAAAAAAAAAQIAAEYARQBSAFIARQBSAE8ATgBFAFQAe63Ac4fenpjEZxAU3IlPgQEBAAAAAAAAgHLoLSaYzQE5Y2NiYTU0YQAAAAACABQARgBFAFIAUgBFAFIATwBOAEUAV
    NTLM Secure Service Provider
    NTLMSSP identifier: NTLMSSP
    NTLM Message Type: NTLMSSP_AUTH (0x00000003)
    Lan Manager Response: Empty
    NTLM Response: 7badc07387de9e98c4671014dc894f810101000000000000...
    NTLM Client Challenge: 3963636261353461
    Domain name: MY_DOMAIN
    User name: NULL
    Host name: NULL
    Session Key: Empty
    Flags: 0x00000201

The issue seems to be that the username remains NULL, even though I specified a value for it in the QNetworkProxy constructor. I presume the password is blank as well.

As you see, NTLM authentication is involved in my scenario. I suspect it’s NTLM v2 and something is wrong with Qt and NTLM v2. Not sure though, as I don’t have access to the proxy server and I cannot verify whether it uses v2 indeed.

Do you have any information / suggestion on this issue? Thanks!

7 replies

September 21, 2012

hardcodes.de hardcodes.de
Lab Rat
151 posts

Maybe you could use nmap to detect what kind of system your proxy is?
Since it doesn’t use Kerberos I hope that you have NTLMv2 at least.

This might help with the internals of the protocol [msdn.microsoft.com].

As you can read here [social.msdn.microsoft.com], the client walks from the most secure protocol to the weakest.

Sorry, I can’t help you with the Qt details but it may help others to help you if they knew what system and protocol is used here.

 Signature 

while(!sleep){++sheep;}

September 24, 2012

solitone solitone
Lab Rat
4 posts
hardcodes.de wrote:
Maybe you could use nmap to detect what kind of system your proxy is?

Here’s what I find nmapping my proxy server. I reckon I don’t get much detail for port 8080 (where my proxy server listens) as again it requires authentication:

    # nmap -T4 -A -v my_proxy_host

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-24 10:59
    [...]
    Not shown: 991 closed ports
    PORT     STATE SERVICE          VERSION
    [...]
    80/tcp   open  http             CacheFlow http cache
    |_http-title: Access Denied
    |_http-methods: No Allow or Public header in OPTIONS response (status code 407)
    [...]
    8080/tcp open  http             CacheFlow http cache
    |_http-title: Access Denied
    |_http-methods: No Allow or Public header in OPTIONS response (status code 407)
    8081/tcp open  http             Blue Coat SG210 http proxy config
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | http-auth:
    | HTTP/1.1 401 Authentication Required
    |_  Basic realm=10.11.21.160
    [...]

Is there a more specific way to run nmap and get some further information?

September 24, 2012

solitone solitone
Lab Rat
4 posts

I see several reports on proxy authentication issues—e.g.

Do you think the problem I’m facing could be related to something similar?

September 24, 2012

hardcodes.de hardcodes.de
Lab Rat
151 posts

As I said, I cannot help you with Qt itself, just with the discovery of NTLM. I’d say you’ve got a BlueCoat (= Proxy appliance) – you could try a “nmap -O -sS -sV my_proxy_host” to get more details. Chances are high that it uses NTLM. If you use Internet Explorer via this proxy and must not enter your credentials, NTLM is used.

Then you try to use different user name notations:

USERNAME
DOMAIN\USERNAME
USERNAME@FULL.DOMAIN.NAME


September 24, 2012

solitone solitone
Lab Rat
4 posts

OK, done it!

I eventually found out I cannot directly pass username/password to QNetworkProxy() constructor. I need to take advantage of proxyAuthenticationRequired() signal.

Here’s how I changed my code:

    void Window::download()
    {
        QNetworkProxy proxy(QNetworkProxy::HttpCachingProxy, "my_proxy_host", 8080);

        connect(manager, SIGNAL(finished(QNetworkReply*)), this, SLOT(replyFinished(QNetworkReply*)));
        connect(manager, SIGNAL(proxyAuthenticationRequired(const QNetworkProxy&, QAuthenticator*)), this, SLOT(onProxyAuthenticationRequired(const QNetworkProxy&, QAuthenticator*)));

        manager->setProxy(proxy);
        manager->get(QNetworkRequest(QUrl("http://www.gnu.org/")));
    }

    void Window::onProxyAuthenticationRequired(const QNetworkProxy &prox, QAuthenticator *auth)
    {
        auth->setUser("my_user");
        auth->setPassword("my_password");
    }

As you can see, now I no longer pass username and password to QNetworkProxy constructor, but I manage authentication data inside onProxyAuthenticationRequired() slot.

This way, my username is correctly passed to the proxy server, as a Wireshark capture showed.

I’ve tested proxy types QNetworkProxy::HttpProxy and QNetworkProxy::HttpCachingProxy and, in my landscape, they both work.
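The check done by eye in Wireshark above can be scripted. The following is an added example, not part of the original posts: it decodes the identity fields of an NTLMSSP_AUTH (type 3) message from a Proxy-Authorization header value and reports whether the user name is empty. The function names, the constructed sample messages and the use of cp437 for non-Unicode strings are assumptions made for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise


def parse_ntlm_auth(header_value):
    """Decode 'NTLM <base64>' and return the identity fields of a type 3 message."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM credential")
    msg = base64.b64decode(blob)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("missing NTLMSSP signature or short message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected NTLMSSP_AUTH (type 3), got type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: cp437 stands in for whatever OEM code page the client uses.
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"

    def field(pos):
        # Each field descriptor is: length (u16), max length (u16), offset (u32).
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("field at %d points outside the message" % pos)
        return msg[offset:offset + length].decode(encoding)

    return {"domain": field(28), "user": field(36), "host": field(44), "flags": flags}


def build_sample(domain, user, flags=0x00000201):
    """Constructed test message: identity fields only, empty LM/NT responses."""
    payload, descriptors = b"", b""
    for text in (domain, user, ""):  # domain, user, workstation
        raw = text.encode("utf-16-le")
        descriptors += struct.pack("<HHI", len(raw), len(raw), 64 + len(payload))
        payload += raw
    empty = struct.pack("<HHI", 0, 0, 64 + len(payload))
    msg = (NTLMSSP_SIG + struct.pack("<I", 3) + empty * 2 + descriptors
           + empty + struct.pack("<I", flags) + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def username_missing(header_value):
    """True when the client sent an NTLMSSP_AUTH message with an empty user name."""
    return parse_ntlm_auth(header_value)["user"] == ""
```

A header copied from a capture that the analyzer displays as truncated will usually fail to decode; export the full header bytes before feeding it to the parser.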

September 24, 2012

hardcodes.de hardcodes.de
Lab Rat
151 posts

Although I could not really help you here, I’m happy you got a solution!
Please write a [solved] into the header of your first post, I think many people stumble upon proxy authentication and would be happy to find a solution :D


September 25, 2012

solitone solitone
Lab Rat
4 posts
hardcodes.de wrote:
I’d say you’ve got a BlueCoat (= Proxy appliance) – you could try a “nmap -O -sS -sV my_proxy_host” to get more details.

For future reference, here’s what I find running nmap with these other options:

    # nmap -O -sS -sV my_proxy_host

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-25 10:20
    Host is up (0.0017s latency).
    Not shown: 991 closed ports
    PORT     STATE SERVICE  VERSION
    21/tcp   open  ftp      Blue Coat ftpd
    22/tcp   open  ssh      OpenSSH 5.6 (protocol 2.0)
    80/tcp   open  http     CacheFlow http cache
    161/tcp  open  snmp?
    554/tcp  open  rtsp?
    1755/tcp open  wms?
    8080/tcp open  http     CacheFlow http cache
    8081/tcp open  http     Blue Coat SG210 http proxy config
    8082/tcp open  ssl/http Blue Coat SG210 http proxy config
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    Device type: proxy server|general purpose|storage-misc|media device|phone
    Running (JUST GUESSING): Blue Coat SGOS 5.X|6.X (95%), Blue Coat embedded (95%), FreeBSD 5.X|6.X (92%), Apple iOS 4.X|5.X (91%)
    OS CPE: cpe:/o:bluecoat:sgos:5 cpe:/o:bluecoat:sgos:6 cpe:/o:freebsd:freebsd:5.4 cpe:/o:freebsd:freebsd:6.0 cpe:/o:freebsd:freebsd:6 cpe:/o:apple:iphone_os:4 cpe:/o:apple:iphone_os:5
    Aggressive OS guesses: Blue Coat SG510 or SG9000 proxy server (SGOS 5.2.2.5 - 5.5.4.1) (95%), Blue Coat SG510-series proxy server (SGOS 5.1.3.7) (95%), Blue Coat SG810 web proxy (SGOS 5.3.1.9 - 5.3.3.1) (95%), Blue Coat CacheFlow 5000 proxy server (95%), Blue Coat proxy server (SGOS 6.2.5.1) (95%), Blue Coat SG210 proxy server (SGOS 5.2.3.3 - 5.2.3.9) (94%), Blue Coat SGOS 5.5.3.1 (94%), FreeBSD 5.4-RELEASE (92%), FreeBSD 6.0-RELEASE (92%), FreeBSD 6.0-RELEASE - 6.2-RELEASE (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 6 hops
    Service Info: OSs: CacheOS, SGOS; Device: proxy server
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 151.40 seconds

 