I am trying to access a site that is password protected. It is not using basic authentication (even though the same user/pass box pops up in firefox) as the response header is WWW-Authenticate: Negotiate
.
I want to automate the login process by sending the correct header.
In basic you would use something like:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
What would I use for negotiate?
The WWW-Authenticate: Negotiate header means that the server can use NTLM or Kerberos (at least on OS prior to Windows 7 and Win 2008 Server when additional security support providers were added) for authentication and encryption.
The HTTP WWW-Authenticate response header defines the HTTP authentication methods ("challenges") that might be used to gain access to a specific resource. Note: This header is part of the General HTTP authentication framework, which can be used with a number of authentication schemes.
Negotiate authentication automatically selects between the Kerberos protocol and NTLM authentication, depending on availability. The Kerberos protocol is used if it is available; otherwise, NTLM is tried. Kerberos authentication significantly improves upon NTLM.
The 'Basic' Authentication Scheme. The Basic authentication scheme is based on the model that the client needs to authenticate itself with a user-id and a password for each protection space ("realm"). The realm value is a free-form string that can only be compared for equality with other realms on that server.
Putting this information here for future readers' benefit.
WWW-Authenticate
response headers. (The full list is at IANA: HTTP Authentication Schemes.)WWW-Authenticate: Basic
-> Authorization: Basic + token - Use for basic authenticationWWW-Authenticate: NTLM
-> Authorization: NTLM + token (2 challenges)WWW-Authenticate: Negotiate
-> Authorization: Negotiate + token - used for Kerberos authentication Negotiate
: This authentication scheme violates both HTTP semantics (being connection-oriented) and syntax (use of syntax incompatible with the WWW-Authenticate and Authorization header field syntax). You can set the Authorization: Basic
header only when you also have the WWW-Authenticate: Basic
header on your 401 challenge.
But since you have WWW-Authenticate: Negotiate
this should be the case for Kerberos based authentication.
The web server is prompting you for a SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) token.
This is a Microsoft invention for negotiating a type of authentication to use for Web SSO (single-sign-on):
See:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With