NTLM authentication failing on Linux unless --http2 is specified #13291
Comments
NTLM has been an inferior solution since forever but people still seem to use it. I don't think Microsoft's intention will serve as a strong guidance for us. I think more importantly: if we can't get a way to reproduce this case, I don't see how we can debug/fix it. We can however cheer for your attempts in doing so.
Thanks! I totally agree - I just thought it might be worth adding it as a known issue, at least until NTLM support is removed, granted it can be replicated on other machines as well of course. Here are the steps I went through to replicate it. First I set up IIS on my Windows machine:
Once installed, IIS should be available like it is on a Windows server. Enable Windows Authentication:
Using cURL on a Linux machine (in my case I was using Docker which seems to run on the WSL), GET the index page on IIS using NTLM authentication:
I would love to debug this, but I doubt I will get the time to... In the grand scheme of things I believe it's very low priority - at least in my tests, asking cURL to attempt upgrading to http2 solved the issue, even if the server decided to keep using http1.1 during the authentication steps. Considering NTLM's inferiority as a security solution and its deprecation from Microsoft, even if it can be replicated, it's probably not worth the time... My end goal was to at least have this documented somewhere, in case anybody else ever runs into the same issue 😃
I can't reproduce your results.
Very strange it works without problems on your end? I've created a new Docker container to test in, just in case my build environment was messed up, but I can still recreate the problem:
FROM --platform=linux/amd64 debian:12.1-slim
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y curl
Built with
Inside the container, curl version:
And executing the request:
But then with --http2:
It works fine on my end. I built the latest curl from scratch on Fedora 40 and here is the result:
I did this
curl http://192.168.0.234/ -v --ntlm -u andrei:password
I expected the following
IIS index page to be returned, instead I get back a 401, not authorized:
This works fine on both Windows 11 and macOS.
It seems to be failing at the last step in NTLM authentication, where client should be reattempting auth with the challenge received from the server?
If I instead do
curl http://192.168.0.234/ -v --ntlm -u andrei:password --http2
, it works:
Trying any other option such as --http1.0 or --http1.1 results in the same 401, only --http2 works. Also tried with the default curl build that comes on the system, here's that one's -V:
I don't know whether this is worth fixing since Microsoft has deprecated NTLM, so I'm raising this issue with the goal of perhaps getting it documented, in case it's replicable for others too?
curl/libcurl version
On Linux:
On Windows:
operating system
Linux f67e3e8643fb 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 GNU/Linux
On Windows, running with
Windows 11 23H2 OS Build 22631.3296
with IIS Version 10.0.22621.1
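To check the report's guess that the exchange stops at the last NTLM step, the following added example (not part of the issue thread and not curl's own code) decodes the NTLM tokens in a `curl -v` trace and reports which leg of the negotiate / challenge / authenticate exchange was the last one seen. The function names, the token builder and the sample trace are constructed for illustration.

```python
import base64
import re
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
LEG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
HEADER_RE = re.compile(r"^([<>]) (?:Authorization|WWW-Authenticate): NTLM(?: (\S+))?\s*$", re.I)
STATUS_RE = re.compile(r"^< HTTP/\S+ (\d{3})")

def ntlm_message_type(token_b64):
    """Return the type field (1, 2 or 3) of a base64 NTLM token, or None if malformed."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return None
    ok = len(raw) >= 12 and raw.startswith(NTLM_SIGNATURE)
    return struct.unpack_from("<I", raw, 8)[0] if ok else None  # LE uint32 at offset 8

def handshake_events(trace):
    """List (source, what) pairs in trace order: NTLM legs and HTTP status codes."""
    events = []
    for line in trace.splitlines():
        status, header = STATUS_RE.match(line), HEADER_RE.match(line)
        if status:
            events.append(("status", int(status.group(1))))
        elif header:  # curl -v marks sent lines with "> " and received lines with "< "
            source = "client" if header.group(1) == ">" else "server"
            token = header.group(2)  # None for a bare "WWW-Authenticate: NTLM" offer
            leg = LEG_NAMES.get(ntlm_message_type(token), "INVALID") if token else "OFFER"
            events.append((source, leg))
    return events

def diagnose(events):
    """Report where the handshake stopped, judged only from the legs and last status seen."""
    legs = [what for source, what in events if source != "status"]
    codes = [what for source, what in events if source == "status"]
    if "CHALLENGE" not in legs:
        return "no CHALLENGE (type 2) from server"
    if "AUTHENTICATE" not in legs[legs.index("CHALLENGE"):]:
        return "no AUTHENTICATE (type 3) from client after CHALLENGE"
    return "type 3 sent, final status %s" % (codes[-1] if codes else "unknown")

def make_token(msg_type):  # constructed stand-in token: signature, type, zero padding
    return base64.b64encode(NTLM_SIGNATURE + struct.pack("<I", msg_type) + bytes(20)).decode()
SAMPLE_TRACE = "\n".join([  # constructed trace, not the reporter's output
    "> GET / HTTP/1.1", "> Authorization: NTLM " + make_token(1),
    "< HTTP/1.1 401 Unauthorized", "< WWW-Authenticate: NTLM " + make_token(2),
    "> GET / HTTP/1.1", "> Authorization: NTLM " + make_token(3),
    "< HTTP/1.1 401 Unauthorized", "< WWW-Authenticate: NTLM"])
print(diagnose(handshake_events(SAMPLE_TRACE)))
```

Passing the saved stderr of the failing run and of the `--http2` run to `handshake_events` gives two event lists that can be compared leg by leg.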