Android Question Accessing NTLM protected web services using httpUtils2 library

soltypio

Member
Licensed User
Hello,
I am working on a project that at some point requires me to access a super simple web service that just returns some JSON strings in response to a GET request.

HttpUtils2 is perfect for such tasks and worked well for me until the target service migrated to an NTLM-protected IIS7 server.

If anyone has already solved this I will gladly learn from a good example. If not, I have this idea:
to create a short lib based on JCIFS that will generate Authenticate headers (Type 1, 2 and 3 NTLM messages) to use as responses for each subsequent 401 response. Then we could handle unsuccessful server responses (error 401) each time the server decides to negotiate authentication.

I plan to do it this way so as not to interfere with the original HttpUtils2 library, but as I am new to this kind of stuff it may sound simpler to me than it actually is. Please share your opinion on my idea. Would it be a possible way to go?
 

Peter Simpson

Expert
Licensed User

soltypio

Member
Licensed User
You can use HTTP to send the request to get the JSON feed. Once you get the response, you can use JSONTree to create the source code that you need to manipulate the JSON feed. Once you have the code, you don't need JSONTree again.

http://www.b4x.com/android/forum/threads/jsontree-tool-to-help-with-json-parsing-b4a-b4j.35963/#content
or online version
http://www.basic4ppc.com:51042/json/index.html

Bottom left hand side is the B4A code that you would use.
Peter, parsing JSON is not a problem. NTLM authentication is... because httputils has only simple user/password authentication built in, but to access an NTLM-protected server you need to perform a 3-step procedure, and that's where I need advice.
 

soltypio

Member
Licensed User
Thanks, that way I can extend httputils, which will in fact be needed in the end. But just passing username and password won't work here (and I think it is implemented in HttpUtils2 now).
NTLM is a 3-step GET request exchange with the server. Basically I need to respond to 401 (Unauthorised) messages with username, password, and domain name encoded into 3 types of messages, one on each step of the procedure. If I respond with correct data the server will (in theory) grant access to the desired resource. I think I will be able to compute these messages, because I found methods to generate them in the JCIFS library, so I will wrap them into a small lib.
Still, I do not know how to intercept and read headers from error messages (401 ones), because HttpUtils does not pass the complete 401 response with all HTML attached, giving just "401 Unauthorised" in httpjob.Errormessage. And this is crucial because those headers contain an indication that NTLM is to be used, and also contain the hashed challenge response to which I have to respond in order to finish the authentication procedure.

HTTP NTLM is in fact fully implemented in JCIFS, but I have no clue how to use it with HttpUtils2. Sorry for the lengthy posts, it's because I feel so lost in this.
 

soltypio

Member
Licensed User
Pendrush, thanks to your inspiring example (although it was already present in HttpUtils2 :)) I used the same approach and modified this library to read headers when ErrorMessage is created. For testing purposes I changed it to:
B4X:
If Response <> Null Then
    Try
        Log(Response.GetString("UTF8"))
    Catch
        Log("Failed to read error message.")
        ' Each header value is a List; log every entry of every header
        For j = 0 To Response.GetHeaders.Size - 1
            Dim list1 As List
            list1 = Response.GetHeaders.GetValueAt(j)
            For i = 0 To list1.Size - 1
                Log(list1.Get(i))
            Next
        Next
        Log("Failed to read error message.")
    End Try
End If
So it reads the error message headers and writes them into the log,
and the server responded that it expects NTLM auth (wow!):

text/html
Microsoft-IIS/7.5
Negotiate
NTLM
Mon, 06 Apr 2015 19:53:16 GMT
1293


I think I've just made my first step towards NTLM authentication. I'll keep working on it and posting results.
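
The next two steps of the exchange discussed in this thread, as an added example that is not part of any post and not HttpUtils2 or JCIFS code: it checks the first 401 for the NTLM scheme, builds the Type 1 value for the `Authorization` header, and decodes the Type 2 challenge the server returns in `WWW-Authenticate`. It is written in Python rather than B4A so it runs stand-alone, the sample Type 2 message is constructed, and it stops before Type 3, which needs the password-derived response.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Negotiate flag bits (values from the MS-NLMP specification)
UNICODE, REQUEST_TARGET, NTLM, ALWAYS_SIGN = 0x1, 0x4, 0x200, 0x8000


def offers_ntlm(www_authenticate_values):
    """True if a WWW-Authenticate value of the first 401 names the NTLM scheme."""
    return any(v.strip().split(" ", 1)[0].upper() == "NTLM"
               for v in www_authenticate_values)


def build_type1(flags=UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN):
    """Type 1 (negotiate) message with empty domain/workstation, as a header value."""
    empty = struct.pack("<HHI", 0, 0, 32)  # length, max length, payload offset
    msg = SIGNATURE + struct.pack("<II", 1, flags) + empty + empty
    return "NTLM " + base64.b64encode(msg).decode("ascii")


def parse_type2(header_value):
    """Decode the Type 2 (challenge) token the server returns in the second 401."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header carries no NTLM token")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 32 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, name_len, _, name_off, flags = struct.unpack_from("<IHHII", msg, 8)
    if msg_type != 2 or name_off + name_len > len(msg):
        raise ValueError("malformed Type 2 message")
    text = "utf-16-le" if flags & UNICODE else "ascii"
    return {"flags": flags,
            "challenge": msg[24:32],  # 8-byte server nonce used for the Type 3 response
            "target": msg[name_off:name_off + name_len].decode(text)}


def constructed_type2_header():
    """Sample input built here for the demo, not captured from a real server."""
    target = "EXAMPLE".encode("utf-16-le")
    msg = (SIGNATURE + struct.pack("<IHHII", 2, len(target), len(target), 48, UNICODE | NTLM)
           + bytes.fromhex("0123456789abcdef") + bytes(16) + target)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    print("Authorization:", build_type1())
    print(parse_type2(constructed_type2_header()))
```

All three requests have to travel over the same kept-alive connection, because NTLM authenticates the connection rather than each individual request.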
 

bjf

Member
Licensed User
Hello.

Did you manage to sort this out?
I'm facing a similar situation.

Best regards.
 