Android Question Accessing NTLM protected web services using httpUtils2 library

Discussion in 'Android Questions' started by soltypio, Apr 4, 2015.

  1. soltypio

    soltypio Member Licensed User

    I am working on a projct that at some point requires me to acces a super simple webservice that just returns some JSON strings in response for a GET request.

    HttpUtils2 is perfect for such tasks and worked well for me until the target service has migrated to NTLM protected IIS7 server.

    If anyone has allready solved this I will gladly learn from a good example. If not i have this idea:
    to create a short lib based on JCIFS that will generate Authenticate headers(Type1,2 and 3 NTLM messages) to use as responses for each subsquent 401 responses. Then we could handle unsuccesful server responses (error 401) each time server decides to negotiate authentication.

    I plan to do this this way, not to interfere with original httputils2 library, but as I am new to this kind of stuff it may sound simplier for me than it actually is. Please share Your opinion on my idea. Would it be a possible way to go?
  2. Pendrush

    Pendrush Well-Known Member Licensed User

  3. Peter Simpson

    Peter Simpson Expert Licensed User

  4. soltypio

    soltypio Member Licensed User

    Peter, parsing JSON os not a problem. NTLM authentication is....because httputils has only simple user password authentication built in, but to acces NTLM protected server you need to perform 3 step procedure, and thats where I need advice.
  5. soltypio

    soltypio Member Licensed User

    Thanks, that way I can extend httputils, which will be in fact needed in the end. But just passing username and password wont work here (and I think it is implemented in HttpUtils2 now).
    NTLM is 3 step GET request exchange with the server. Basically I need to respond to 401 (Unauthorised) messages with username, password, and domain name encoded into 3 types of messages on each step of the porcedure. If i respond with correct data server will (in theory) grant the access to desired resource. I think I will be able to compute these messages, because I found methods to generate them in JCIFS library, so i will wrap them into small lib.
    Still i do not know, how to intercept and read headers from error messages (401 ones), because HttpUtils do not pass complete 401 response with all HTML attached, giving just "401 Unauthorised" in httpjob.Errormessage. And this is crucial because those headers contain indication that NTLM is to be used, and also contain hashed challenge response to which i have to respond in order to finish authentication procedure.

    HTTP NTLM is in fact fully implemented in JCIFS, but I have no clue how to use it with HttpUtils2. Sorry for lenghty posts, it's because I feel so lost in this.
  6. soltypio

    soltypio Member Licensed User

    Pendrush, thanks to your inspiring example (altough it was allready present in HttpUtils2 :)) I used the same approach and modified this library to read headers when ErrorMessage is created. For testing purposes i changed it to:
    If Response <> Null Then
    Log("Failed to read error message.")
    For j=0 To Response.GetHeaders.Size-1
    Dim list1 As List
                  list1 = Response.GetHeaders.GetValueAt(j)
    For i = 0 To list1.Size - 1
    Log("Failed to read error message.")
    End Try
    So it reads error message headers and writes it into the log.
    and server responded that he expects NTLM auth (wow!):

    Mon, 06 Apr 2015 19:53:16 GMT

    I think i've just made my first step towards NTLM authentication. I'll keep working on it and posting results.
  7. bjf

    bjf Member Licensed User


    Did you manage to sort this out?
    I'm facing a simliar situation.

    Best regards.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice