TIdHTTP and Proxy (NTLM)

Hi all,

For the last three days I have been trying to download a simple HTML document
through an ISA proxy with NTLM authentication using the TIdHTTP component. I use
the latest Indy (9.00.04) in Delphi 6. I have searched all the newsgroups
several times and I have found nothing that could possibly work.

Please help me. I am stuck and have no idea how to make it work.

From many posts to newsgroups I found out that the only thing I should do is
to include the IdAuthenticationNTLM unit in my uses clause and all the rest will
be done automatically. Is it really so simple? All the time I get the
error 407 Authorization required ... no matter what username or password I
set in ProxyParams.

Should I put only the username in ProxyParams.UserName or maybe
computername\username? I cannot find the answer.

Can somebody tell me what the current Indy version is able to do in this
case? Is NTLM proxy authorization working already?

Tomasz.

 

Re:TIdHTTP and Proxy (NTLM)


For Windows clients there is another unit, IdAuthenticationSSPI.pas. Use it
instead of IdAuthenticationNTLM.

Doychin Bondzhev

Re:TIdHTTP and Proxy (NTLM)


Thank you very much for your reply Doychin,

I have replaced IdAuthenticationNTLM with IdAuthenticationSSPI. My compiler
said that it is unable to include the ..SSPI.dcu file, so I included
IdAuthenticationSSPI.pas and SSPI.pas in my project, but still the only thing
I get is the 407 error (authorization required).

What am I doing wrong? Should I provide Username & Password, or will it be
taken from CurrentUser settings?
What format should I use for ProxyParams.Username? (Including computername
or not?)

Still need your help ...

Tomasz

Re:TIdHTTP and Proxy (NTLM)


Hi Doychin,

I have exactly the same problem as Tomasz.
I'm using D6 and Indy 9.03.
Unfortunately, your solution does not work.

Any other ideas?

Regards,
Yusuf

Re:TIdHTTP and Proxy (NTLM)


Upgrade to the latest Indy sources.
I tried this before but it was a long time ago.

Now I'm a little busy with some commercial things so I have no time for Indy,
but as soon as I have some free time I will look again at the authentication code.

Doychin Bondzhev - Team Indy
doyc...@dsoft-bg.com

Re:TIdHTTP and Proxy (NTLM)


Tomasz,

Quote
> ... I included
> IdAuthenticationSSPI.pas and SSPI.pas in my project, but still the only thing
> I get is the 407 error (authorization required).

> What am I doing wrong? Should I provide Username & Password, or will it be
> taken from CurrentUser settings?
> What format should I use for ProxyParams.Username? (Including computername
> or not?)

I haven't used Indy myself so you have to be patient, I won't be able
to provide direct answers, but ...

Microsoft NTLM implementation supports two operation modes:

1) Authenticate using "Current User" security context;
2) Authenticate using "MSDomainName\UserName\Password" triple.

The way IdAuthenticationSSPI.pas is implemented now, it doesn't support
2). It wouldn't be hard to change it (20-30 lines of code), but that
requires an architectural decision <g>.

So, all you're left with is 1). To implement that option you have to
make sure that "Username" is blank; this way it'll select
SetCredentialsAsCurrentUser in the
TIdSSPINTLMAuthentication.Authentication function. As far as the
environment goes, for that option to work, your program must be
run by a user (logged in to the MS domain your proxy server lives in)
authorised to use the proxy.

Alex

Re:TIdHTTP and Proxy (NTLM)


Alex,

Quote
> Microsoft NTLM implementation supports two operation modes:

> 1) Authenticate using "Current User" security context;
> 2) Authenticate using "MSDomainName\UserName\Password" triple.

> The way IdAuthenticationSSPI.pas is implemented now, it doesn't support
> 2). It wouldn't be hard to change it (20-30 lines of code), but that
> requires an architectural decision <g>.

> So, all you're left with is 1). To implement that option you have to
> make sure that "Username" is blank; this way it'll select
> SetCredentialsAsCurrentUser in the
> TIdSSPINTLMAuthentication.Authentication function. As far as the
> environment goes, for that option to work, your program must be
> run by a user (logged in to the MS domain your proxy server lives in)
> authorised to use the proxy.

From your post I assume that the only thing I need to do is to include
...SSPI.pas to my project and leave the ProxyParams.UserName empty. I have
tried that so far. It didn't work.

1) When tracing the execution of the Indy source code, beginning from the HTTP.Get
call to the point where I get the error message, I found out that it never
executes the method SendCredentialsAsCurrentUser(). Am I right that something is
wrong?

2) You said that the user should be logged into a Windows NT domain. What about
computers that are not members of a Windows NT domain?

Tomasz

Re:TIdHTTP and Proxy (NTLM)


Tomasz,

Quote
> From your post I assume that the only thing I need to do is to include
> ...SSPI.pas to my project and leave the ProxyParams.UserName empty.

I'm not sure, I haven't used Indy myself, but someone from Indy team
should be able to help you, probably Doychin. You must specify somehow
TIdSSPINTLMAuthentication as your proxy authentication class and you
have to set proxy authentication username parameter blank for your
code to hit SetCredentialsAsCurrentUser call.

Quote
> I have tried that so far. It didn't work.

> 1) When tracing the execution of the Indy source code, beginning from the HTTP.Get
> call to the point where I get the error message, I found out that it never
> executes the method SendCredentialsAsCurrentUser(). Am I right that something is
> wrong?

Yes, you are correct.

Quote
> 2) You said that user should be logged into windows NT domain. What about
> computers that are not members of windows NT domain ?

I've said it before, but I have to clarify it <g>:

Quote
> > Microsoft NTLM implementation supports two operation modes:

> > 1) Authenticate using "Current User" security context;
> > 2) Authenticate using "MSDomainName\UserName\Password" triple.

The way option 1) works is like this:

- user MY_USERNAME logs in to a domain MY_DOMAIN using her/his
MY_WORKSTATION that is part of the domain;
- after a successful login (password is correct and all the rest)
Windows running on MY_WORKSTATION creates a "security context" (just a
bunch of bytes and strings) that identifies all programs run by the user
at the screen as executed by MY_USERNAME from MY_DOMAIN, so they
(the programs) can PROVE to anyone else that there is a MY_USERNAME from
MY_DOMAIN behind them without bothering the actual person with any
questions for passwords and so on;
- when the MY_USERNAME user runs a browser on MY_WORKSTATION that connects
to MY_SERVER running the MS http proxy, the browser sends the "security
context" via the NTLM protocol to the proxy program on the other side of
the wire and the proxy should be able to VERIFY the "security context"
as belonging to MY_USERNAME from MY_DOMAIN. For that, MY_SERVER has
to have access to the domain controllers for MY_DOMAIN, which in the simplest
situation would be to make MY_SERVER a member of the domain within
the same network.

For option 2), it's all the same except that you don't have the required
"security context", you have a different one. But you can create a
temporary required "security context" if you know MSDomainName,
UserName and Password, and then proceed as before.

As I said before, the current Indy code is structured in such a way that
it is impossible to execute option 2), but it can be changed assuming
the Indy team would be willing to design and document a way of passing
the "MSDomainName\UserName\Password" triple to the proxy authentication
class.

I hope, I didn't make it even more complicated <g>.

Alex
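
Added example, not part of any post in this thread and not Indy code: in an NTLM proxy handshake the first two 407 responses are a normal part of the exchange, so this Python helper classifies where a recorded exchange stopped. The tuple format, the `make_token` helper and the truncated tokens are constructed for illustration, and one Proxy-Authenticate value per response is assumed.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"

def ntlm_type(value):
    """0 for a bare 'NTLM' offer, 1/2/3 for a token, None if not an NTLM header."""
    parts = (value or "").split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return None
    if len(parts) == 1:
        return 0
    raw = base64.b64decode(parts[1])
    if len(raw) < 12 or raw[:8] != NTLM_SIG:
        raise ValueError("not an NTLMSSP token")
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian message type

def diagnose(exchange):
    """exchange: ('C', auth value) per request, ('S', status, auth value) per response."""
    sent = 0  # highest NTLM message type the client has sent so far
    verdict = "no proxy response seen"
    for msg in exchange:
        if msg[0] == "C":
            sent = max(sent, ntlm_type(msg[1]) or 0)
            continue
        _, status, header = msg
        if status != 407:
            return "authenticated" if sent == 3 else "no proxy authentication needed"
        offered = ntlm_type(header)
        if sent == 3:
            verdict = "rejected: proxy refused the type 3 (AUTHENTICATE) message"
        elif sent == 1 and offered == 2:
            verdict = "incomplete: challenge received, client never sent type 3"
        elif sent == 0 and offered == 0:
            verdict = "stalled: NTLM offered, client never sent type 1 (NEGOTIATE)"
        else:
            verdict = "unexpected: this 407 does not fit the NTLM handshake"
    return verdict

def make_token(msg_type):  # constructed, truncated token: signature, type, zero padding
    body = NTLM_SIG + struct.pack("<I", msg_type) + b"\x00" * 20
    return "NTLM " + base64.b64encode(body).decode()

# Constructed exchanges, not captured traffic.
HANDSHAKE = [("C", None), ("S", 407, "NTLM"), ("C", make_token(1)),
             ("S", 407, make_token(2)), ("C", make_token(3))]
STALLED = HANDSHAKE[:2]
REJECTED = HANDSHAKE + [("S", 407, "NTLM")]
ACCEPTED = HANDSHAKE + [("S", 200, None)]
```

A "stalled" verdict means the client never selected an NTLM authentication class at all, while "rejected" points at the credentials or the proxy's access to the domain.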
