
I am trying to access a site that is password protected. It is not using basic authentication (even though the same user/pass box pops up in Firefox) as the response header is WWW-Authenticate: Negotiate.

I want to automate the login process by sending the correct header.

In basic you would use something like:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

What would I use for negotiate?

fire
    The WWW-Authenticate: Negotiate header means that the server can use NTLM or Kerberos (at least on OS prior to Windows 7 and Win 2008 Server when additional security support providers were added) for authentication and encryption. In this case of NTLM the negotiation requires multiple messages (challenge/responses) to be exchanged before the secured session is established, so there is no "correct header" to be sent from the start. You can find details regarding your problem http://msdn.microsoft.com/en-us/library/aa378748%28VS.85%29.aspx (SSP Packages Provided by Microsoft). – andrei m Nov 24 '10 at 12:10

2 Answers


Putting this information here for future readers' benefit.

  • WWW-Authenticate: Basic -> Authorization: Basic + token - Use for basic authentication
  • WWW-Authenticate: NTLM -> Authorization: NTLM + token (2 challenges)
  • WWW-Authenticate: Negotiate -> Authorization: Negotiate + token - used for Kerberos authentication
    • By the way: IANA has this angry remark about Negotiate: This authentication scheme violates both HTTP semantics (being connection-oriented) and syntax (use of syntax incompatible with the WWW-Authenticate and Authorization header field syntax).

You can set the Authorization: Basic header only when you also have the WWW-Authenticate: Basic header on your 401 challenge.

But since you have WWW-Authenticate: Negotiate this should be the case for Kerberos based authentication.

Charith De Silva

The web server is prompting you for a SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) token.

This is a Microsoft invention for negotiating a type of authentication to use for Web SSO (single-sign-on):

  • either NTLM
  • or Kerberos.

See:

zcopley
    In one of the applications I am working with, the ADFS server is responding with two WWW-Authenticate header fields in the response, with values WWW-Authenticate: Negotiate and WWW-Authenticate: NTLM. What does the first header with "Negotiate" mean? From Fiddler, how can I figure out what authentication protocol ultimately gets used? – Andy Dufresne Jun 12 '14 at 10:34
    Way too old comment. Replying for future readers. You can check Fiddler to verify which authentication mechanism is being used. I think your server is enabled with both Kerberos and NTLM authentication. From Fiddler you can easily verify which authentication is being used. Check the header on your browser's response to the 401 challenge (which is a request header). If that contains Authorization: NTLM + token then it's NTLM authentication. In case of Authorization: Negotiate + token it should be Kerberos. Note NTLM has more than one 401 challenge. – Charith De Silva Nov 06 '14 at 03:37
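The scheme mapping in the first answer and the "look at the client's Authorization header" check in the last comment can both be turned into code. The following is an added example, not from the thread or any of its posters. It builds the Basic header from the question's own "Aladdin" / "open sesame" value, lists the schemes a 401 response offers, and names the mechanism behind an Authorization header. For Negotiate it goes one step further than the comment: because a Negotiate token can carry either NTLM or Kerberos (as the question's first comment and the second answer note), it decodes the base64 token and looks for the NTLMSSP signature, the SPNEGO OID, and the Kerberos OIDs. All headers and tokens below are constructed to the right shape (a minimal NTLM Type 1 message, a simplified NegTokenInit, a placeholder AP-REQ) rather than captured traffic, and the OID-based classification is a heuristic.

```python
"""Classify HTTP authentication headers seen on a 401 exchange.

Added example (not from the Stack Overflow thread). All sample headers and
tokens below are constructed, not captured traffic.
"""
import base64
import binascii

# GSS-API mechanism OIDs, DER-encoded (tag 0x06, length, contents).
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                  # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"          # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"       # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"   # every NTLM message starts with this


def basic_authorization(user, password):
    """Build the Basic header from the question: base64 of 'user:password'.
    This is encoding, not encryption: whoever sees the header has the password."""
    creds = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def parse_www_authenticate(response_lines):
    """Return the auth schemes offered by a 401 response, one per
    WWW-Authenticate line, in the order the server sent them."""
    schemes = []
    for line in response_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(None, 1)[0])   # 'Basic realm="x"' -> 'Basic'
    return schemes


def _der_len(buf, i):
    """Read a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_authorization(request_line):
    """Name the mechanism a client used, from its Authorization header.
    For Negotiate the token is decoded: raw NTLMSSP, SPNEGO wrapping NTLM,
    SPNEGO offering Kerberos, or a bare GSS-API Kerberos token (heuristic)."""
    _, _, value = request_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if scheme != "Negotiate":
        return scheme                                # 'Basic' and 'NTLM' are self-describing
    try:
        raw = base64.b64decode(token)
    except (binascii.Error, ValueError):
        return "Negotiate/unknown"
    if raw.startswith(NTLM_SIGNATURE):
        return "Negotiate/NTLM"                      # NTLM sent without SPNEGO framing
    if raw[:1] == b"\x60":                           # GSS-API InitialContextToken
        _, i = _der_len(raw, 1)
        if raw.startswith(SPNEGO_OID, i):
            if NTLM_SIGNATURE in raw:
                return "Negotiate/NTLM"              # NegTokenInit carrying an NTLM mechToken
            if KRB5_OID in raw or MS_KRB5_OID in raw:
                return "Negotiate/Kerberos"          # mechTypes/mechToken offer Kerberos
        elif raw.startswith(KRB5_OID, i) or raw.startswith(MS_KRB5_OID, i):
            return "Negotiate/Kerberos"
    return "Negotiate/unknown"


# --- constructed samples (hypothetical, not real captures) -------------------
def _der(tag, body):
    """Minimal DER TLV for short bodies (< 128 bytes); enough for the samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _gss_wrap(mech_oid, body):
    """GSS-API InitialContextToken: APPLICATION 0 (0x60) wrapping OID + body."""
    return _der(0x60, mech_oid + body)


def _spnego_init(mech_oid, mech_token):
    """NegTokenInit with one mechType and a mechToken (RFC 4178 shape, simplified)."""
    mech_types = _der(0xA0, _der(0x30, mech_oid))
    token = _der(0xA2, _der(0x04, mech_token))
    return _gss_wrap(SPNEGO_OID, _der(0xA0, _der(0x30, mech_types + token)))


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# NTLM Type 1 (negotiate) message with placeholder flags and empty fields.
NTLM_TYPE1 = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
# Placeholder krb5 GSS token (0x01 0x00 = AP-REQ id); not a real AP-REQ.
FAKE_AP_REQ = _gss_wrap(KRB5_OID, b"\x01\x00" + b"\x6e\x02\x30\x00")

SAMPLE_401_HEADERS = ["HTTP/1.1 401 Unauthorized", "WWW-Authenticate: Negotiate",
                      "WWW-Authenticate: NTLM", "Content-Length: 0"]
SAMPLE_RAW_NTLM_REQUEST = "Authorization: Negotiate " + _b64(NTLM_TYPE1)
SAMPLE_SPNEGO_NTLM_REQUEST = "Authorization: Negotiate " + _b64(_spnego_init(NTLMSSP_OID, NTLM_TYPE1))
SAMPLE_KERBEROS_REQUEST = "Authorization: Negotiate " + _b64(_spnego_init(KRB5_OID, FAKE_AP_REQ))

if __name__ == "__main__":
    print(basic_authorization("Aladdin", "open sesame"))
    print(parse_www_authenticate(SAMPLE_401_HEADERS))
    for req in (SAMPLE_RAW_NTLM_REQUEST, SAMPLE_SPNEGO_NTLM_REQUEST, SAMPLE_KERBEROS_REQUEST):
        print(classify_authorization(req))
```

Two caveats when reading a real capture this way. First, the client's initial Negotiate token only shows what the client tried first (Windows clients offer Kerberos optimistically when they can get a ticket); the server's 401 or 200 reply carrying a WWW-Authenticate: Negotiate response token settles which mechanism was accepted, and an NTLM fallback shows up as the extra challenge round the comment mentions. Second, Basic and NTLM are both weaker than Kerberos on the wire: Basic sends the reusable password, and NTLM exposes a challenge/response that is worth protecting with TLS, so a server that advertises all three is only as strong as the weakest scheme the client is willing to answer with.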