NTLM authentication was finished without success

Hi, thank you very much for SASL class, it's very very cool.
But I have some trouble with NTLM authentication.
The problem is:

When I try to connect by http or https to web server by using NTLM authentication, the server answer error, 3 times,
like he try to connect to NTLM in three steps,
I am testing this script my local host in Win XP with IIS 5.1.
I set username, password and realm (as domain) and workstation (the same as domain because it's on my host).
Well , after a lot of time that i try to connect with different method,
I always got one message:
"NTLM authentication was finished without success"

BUT When I try to access it from IE I will always have access without any problem.

Please, Help somebody, what can I do that this NTLM auth will work? :(

Log from test_http:

Host:3 localhost:81
User-Agent:3 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Pragma:3 nocache
--DONE--
S HTTP/1.1 401 Access Denied
S Server: Microsoft-IIS/5.1
S Date: Thu, 12 Jan 2006 13:44:53 GMT
S WWW-Authenticate: Negotiate
S WWW-Authenticate: NTLM
S Connection: close
S Content-Length: 4431
S Content-Type: text/html
S

... la la HTML ...

Connecting to HTTP server IP 127.0.0.1...
Connected to localhost
C GET /vd HTTP/1.1
C Host: localhost:81
C User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
C Pragma: nocache
C Authorization: NTLM TlRMTVNTUAABAAAABzIAAAUABQAlAAAABQAFACAAAABBTkFSRUFOQVJF
C
S HTTP/1.1 401 Access Denied
S Server: Microsoft-IIS/5.1
S Date: Thu, 12 Jan 2006 13:44:53 GMT
S WWW-Authenticate: NTLM TlRMTVNTUAACAAAACgAKADgAAAAFAoICHlxQ89Dxo+MAAAAAAAAAADwAPABCAAAABQEoCgAAAA9BAE4AQQBSAEUAAgAKAEEATgBBAFIARQABAAoAQQBOAEEAUgBFAAQACgBhAG4AYQByAGUAAwAKAGEAbgBhAHIAZQAAAAAA
S Content-Length: 4033
S Content-Type: text/html
S

... la la HTML ...

C GET /vd HTTP/1.1
C Host: localhost:81
C User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
C Pragma: nocache
C Authorization: NTLM TlRMTVNTUAADAAAAAAAAAFwAAAAYABgAXAAAAAoACgBAAAAACAAIAEoAAAAKAAoAUgAAAAAAAAB0AAAAAQIAAEEATgBBAFIARQB0AGUAcwB0AEEATgBBAFIARQCDdKifZ1VXVYkgajGA8s/T03M6wcd06Tw=
C
S HTTP/1.1 401 Access Denied
S Server: Microsoft-IIS/5.1
S Date: Thu, 12 Jan 2006 13:44:53 GMT
S WWW-Authenticate: Negotiate
S WWW-Authenticate: NTLM
S Connection: close
S Content-Length: 4033
S Content-Type: text/html
S

... la la HTML ...

I think your credentials may not be correct.

I am not sure but domain and workstation do not have to be the same even when the domain controller is in the same machine.

Anyway, you may want to verify what your browser sends to see where you may be wrong.

I don't know how to see the headers that are sent with the Internet Explorer. Firefox also supports NTLM.

mozilla.com/firefox/

It has an extension named LiveHTTPHeaders that lets you see the headers that are sent and returned by the server.

livehttpheaders.mozdev.org/

I recommend that you try them to see the NTLM authentication messages that are exchanged. Those are encoded with base64 . You can use PHP base64_decode() function to get the NTLM message stream of bytes.

Then you can look at this NTLM documentation page to see what is the domain and workstation that are sent at the end of type 1 message.

davenport.sourceforge.net/ntlm.html

I've been having a similar issue (it says it finished without success). I've tried following your directions and manualling decoding the headers when I log in through Firefox, but the result is still a bit garbled, and to be honest I'm not really sure what I'm looking for.

I suspect I'm not using the right value for the 'workstation' field, how would I determine what should be in there?

Any other thoughts on how to troubleshoot this?

Thanks so much.

Sorry for delay. I hope the response is still useful.

I recommend that you follow the procedure above of using Firefox with the LiveHttpHeaders extension so you can see what Firefox is sending when it successfully logs it.

Take a look at the Authorization headers to see if it is authenticating with Negotiate or NTLM.

If it is Negotiate, it requires a new SASL driver class.

If it is NTLM use PHP base64_decode function to extract the NTLM message
Than look at the modntlm page above to see what NTLM message fields are different from what the HTTP client class sends and what Firefox sends.

Just let me know if you have difficulties.

I tried reading the headers that are sent to IIS to find out the info but everything has a � between every letter when i decode it so its hard to read whats what.

but im still getting "Could not process the SASL authentication step: NTLM authentication was finished without success"

i know my username and password are correct

Valid response
plain:
TlRMTVNTUAACAAAADgAOADgAAAAFgokC4rQCAb/Vq5oAAAAAAAAAAHoAegBGAAAABQLODgAAAA9JAFcAUABSAEkATgBUAAIADgBJAFcAUABSAEkATgBUAAEACABHAEkATABMAAQAFgBJAFcAUAByAGkAbgB0AC4AbgBlAHQAAwAgAGcAaQBsAGwALgBJAFcAUAByAGkAbgB0AC4AbgBlAHQABQAWAEkAVwBQAHIAaQBuAHQALgBuAGUAdAAAAAAA
decoded:
NTLMSSP������8������
�ի���������z�z�F�������I�W�P�R�I�N�T���I�W�P�R�I�N�T�
��G�I�L�L���I�W�P�r�i�n�t�.�n�e�t���g�i�l�l�.�I�W�P�r�i�n�t�.�n�e�t���I�W�P�r�i�n�t�.�n�e�t�����

non valid
plain:
TlRMTVNTUAADAAAAAAAAAJ4AAAAYABgAngAAACYAJgBAAAAAKgAqAGYAAAAOAA4AkAAAAAAAAAC2AAAAAQIAAHIAZQBwAG8AcgB0AHMALgBpAHcAcAByAGkAbgB0AC4AYwBvAG0ASQBXAFAAUgBJAE4AVABcAHIAZQBwAG8AcgB0AF8AbQBhAHMAdABlAHIASQBXAFAAUgBJAE4AVABXeD5rnxeW5GxgM+KFLck3p4yeLlgMFBc=
decoded:
NTLMSSP������������������&�&�@���*�*�f�����������������
��r�e�p�o�r�t�s�.�i�w�p�r�i�n�t�.�c�o�m�I�W�P�R�I�N�T�\�r�e�p�o�r�t�_�m�a�s�t�e�r�I�W�P�R�I�N�T�Wx>k���l`3�-�7���.X

That may happen when you are using a form to submit your password values but it is not set to send the values encoded with one of Unicode encoding variants. Therefore the browser send &#NNNN; entities.

Currently the NTLM SASL class only supports 8 bit character encoding. It can be tweaked to support 16 bit character encoding which is what NTLM supports. But first you need to extract the password and user name in UTF-16.

Has any more work been done on this? I'm having the same problem:

Error: Could not process the SASL proxy authentication step: NTLM authentication was finished without success

We have a Windows 2003 domain. I'm sure the username, password, domain, and workstation are all set properly.

I'm trying to use this to connect to a Microsoft ISA server to get out to the Internet for a script I'm trying to put together to essentially monitor the response time through the proxy server.

On the ISA server itself, the logs show that my user failed to login because of "Unknown user name or bad password", event ID 529.

I've even tried an alternate user with the same results.

Most likely your problem is that your Windows server uses a version of NTLM that is not supported.

I do not have access to a Windows 2003 server, so I cannot test it.

I know another user of the class that has been trying to make it work with servers that use different NTLM versions. Maybe he can make his changes available soon.