NTLM Authentication w/ Internal Site

DanEllison has asked for the wisdom of the Perl Monks concerning the following question:

Whittled down to the minimum, I have:

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Authen::NTLM;
use LWP::ConsoleLogger::Everywhere;
ntlmv2(1);

my $ua = LWP::UserAgent->new(keep_alive => 1, ssl_opts => { verify_hos
+tname => 0 });

$ua->credentials(internal.com:9004', '', 'user', 'pass');

my $req = GET “https://internal.com:9004/api”;
[download]

I assume because it is an internal site, if I don't turn off verify_hostname, I get:
500 Can't connect to internal.com:9004 (Bad File descriptor)

However, if I turn off verify_hostname, the ConsoleLogger shows that I am attempting to do my NTLM authentication, however I can't seem to get by:
401 Unauthorized

I do notice in the result header a warning:
Client-SSL-Warning: Peer certificate not verified

I'm wondering if my authentication problems are due to not verifying the host. I'd prefer that, but I've tried downloading certificates, extracting a fingerprint, but can't seem to get past the 500 error without turning off verify_hostname. How can I verify my internal site? And/or should I be looking elsewhere for my NTLM Authentication issue?

I'm attempting this from Strawberry on Windows, but I am able to authenticate against my internal site using curl from one of my linux hosts, so I know the url and credentials are correct.

Comment on NTLM Authentication w/ Internal Site Download Code

Replies are listed 'Best First'.
Re: NTLM Authentication w/ Internal Site by hippo (Archbishop) on May 18, 2022 at 23:09 UTC
How can I verify my internal site? It isn't clear to me what you mean by "internal" here or why that has any bearing. To verify a certificate on a given site you need to verify that the CA has signed the cert, that the cert has a CN which reflects the site's hostname, and that everything is in date. LWP should do all of this for you so the most likely cause is an unknown CA. Be sure to specify the CA cert either through `ssl_opts` or in the environment before you begin. 🦛	[reply] [d/l]
Re^2: NTLM Authentication w/ Internal Site by DanEllison (Scribe) on May 19, 2022 at 21:47 UTC
It's a large corporation, so even the CA was internal to the company. I thought I had downloaded the rootCa as well as all the intermediate certificates, but it still wouldn't verify the host. I did find a certificate bundle on my linux host and downloaded that to my windows box and that seems to have resolved the verify host issue. Its still not authenticating against NTLM even though I can see the "WWW-Authenticate: NTLM <token>" being sent. I do see another warning now, "Peer certificate not verified".	[reply]
Re^3: NTLM Authentication w/ Internal Site by hippo (Archbishop) on May 20, 2022 at 08:37 UTC
I do see another warning now, "Peer certificate not verified". That's presumably because you have have left `verify_hostname` as zero. Test: `use strict; use warnings; use Test::More tests => 2; use LWP::UserAgent; my $ua = LWP::UserAgent->new; isnt get_cw ($ua), 'Peer certificate not verified', 'Verify = no warni +ng'; $ua->ssl_opts (verify_hostname => 0); is get_cw ($ua), 'Peer certificate not verified', 'No Verify = warning +'; sub get_cw { my $lpw = shift; my $res = $lpw->head ('https://www.perlmonks.org/'); my $cw = $res->header ('Client-SSL-Warning') // ''; return $cw; }` [download] 🦛	[reply] [d/l] [select]
Re^4: NTLM Authentication w/ Internal Site by DanEllison (Scribe) on May 31, 2022 at 21:44 UTC
Re: NTLM Authentication w/ Internal Site by silent11 (Vicar) on Jun 15, 2022 at 17:08 UTC
are you passing user as `DOMAIN\\username`? where DOMAIN is the _name_ of the domain. `LWP::Debug::level('+')` is how I've increased the level of logs.	[reply] [d/l] [select]