
Authentication issues with WWW-Authenticate: Negotiate

I am trying to access a site that is password protected. It is not using basic authentication (even though the same user/pass box pops up in Firefox) as the response header is WWW-Authenticate: Negotiate.

I want to automate the login process by sending the correct header.

In basic you would use something like:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== 

What would I use for negotiate?

asked Nov 24 '10 10:11 by fire



2 Answers

Putting this information here for future readers' benefit.

  • 401 (Unauthorized) response header -> Request authentication header
  • Here are several WWW-Authenticate response headers. (The full list is at IANA: HTTP Authentication Schemes.)
  • WWW-Authenticate: Basic -> Authorization: Basic + token - use for basic authentication
  • WWW-Authenticate: NTLM -> Authorization: NTLM + token (2 challenges)
  • WWW-Authenticate: Negotiate -> Authorization: Negotiate + token - used for Kerberos authentication
    • By the way: IANA has this angry remark about Negotiate: "This authentication scheme violates both HTTP semantics (being connection-oriented) and syntax (use of syntax incompatible with the WWW-Authenticate and Authorization header field syntax)."

You can set the Authorization: Basic header only when you also have the WWW-Authenticate: Basic header on your 401 challenge.

But since you have WWW-Authenticate: Negotiate, this should be the case for Kerberos-based authentication.

answered Oct 11 '22 23:10 by Charith De Silva


The web server is prompting you for a SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) token.

This is a Microsoft invention for negotiating a type of authentication to use for Web SSO (single-sign-on):

  • either NTLM
  • or Kerberos.

See:

  • Microsoft MSDN Library: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
  • RFC 4178: The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism

answered Oct 11 '22 23:10 by zcopley
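As an added example (not code from either answer), the helper below shows the two checks a practitioner would want when looking at a 401 like the one in the question: which schemes the WWW-Authenticate header(s) actually offer, and whether the token a client later sends under "Authorization: Negotiate" is a SPNEGO/Kerberos GSS-API token or a raw NTLM message (the NTLM fallback the second answer mentions). The OIDs are the standard SPNEGO and Kerberos V5 mechanism OIDs; the sample tokens are constructed here, not captured from a real server.

```python
import base64

# DER-encoded mechanism OIDs that follow the APPLICATION 0 tag of a
# GSS-API InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2 (SPNEGO, RFC 4178)
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # fixed prefix of every NTLM message


def challenge_schemes(www_authenticate_values):
    """Return the schemes offered by a 401, in order, from one or more
    WWW-Authenticate header values, e.g. ['Negotiate', 'NTLM', 'Basic realm="x"'].
    Comma-joined challenges in one header are split; 'name=value' pieces are
    parameters of the preceding scheme and are skipped. Caveat: quoted parameter
    values that themselves contain commas are not handled by this simple split."""
    schemes = []
    for value in www_authenticate_values:
        for piece in value.split(","):
            piece = piece.strip()
            first = piece.split(None, 1)[0] if piece else ""
            if first and "=" not in first:
                schemes.append(first)
    return schemes


def classify_token(token_b64):
    """Classify the base64 blob sent after 'Negotiate' in an Authorization header:
    'ntlm' (raw NTLMSSP, i.e. the NTLM fallback), 'spnego' (GSS-API token carrying
    the SPNEGO mechanism), 'kerberos' (bare Kerberos V5 GSS token) or 'unknown'."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    # InitialContextToken: tag 0x60, a DER length (1-3 bytes), then the mech OID.
    if raw[:1] == b"\x60":
        head = raw[:16]
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "kerberos"
    return "unknown"


# Constructed sample tokens (not taken from a real exchange):
# an NTLM Type 1 (NEGOTIATE) prefix, and a minimal SPNEGO InitialContextToken.
SAMPLE_NTLM_TOKEN = base64.b64encode(NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")).decode()
SAMPLE_SPNEGO_TOKEN = base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()
```

A Basic token such as the one in the question decodes to plain "user:password" text and is reported as "unknown", since it is not a GSS-API or NTLM message at all.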