Hello, about two years ago I had to create a static archive of a large intranet site (SharePoint / IIS 7.0 with NTLM authentication) with an unprivileged user. I then noticed that a lot of pages / files haven't been downloaded.
Digging into that I found out that after a legitimate 401 Unauthorized for a single url (e.g. useredit.aspx) all following requests were failing too. The server tried to initiate a reauthentication, but wget failed with "Unexpected empty NTLM message" as it remained in the failed state. I learned that wgets ntlm implementation is based on curl, so I compared both source files. curl resolved the issue I had in their commit fe6049f [1]. There is also a related prior commit 50b87c4 [2]. I then manually applied these two changes for wget and was able to mirror the intranet site and noticed no drawbacks. Unfortunately I didn't send the patch here at that time but was reminded of it when I replaced my client hardware. Given that the said intranet server is now decommissioned I can no longer perform any tests with it. I also didn't look into the "make check" tests to recreate the problem I had. >From what I read in the meantime development of wget continued with wget2, which has no NTLM support, so I don't know if it makes sense to merge this patch into wget1. I just want to send the patch to you as others might have the same problem. As the picked commits come from curl I don't know the legal implications / licence compatibility. Also, there are a lot more changes in curls ntlm implementation which I didn't look into. Kind regards, André Wolski [1] https://github.com/curl/curl/commit/fe6049f04bf7eb0481ba030c0e78aae5cfd0209f [2] https://github.com/curl/curl/commit/50b87c4e689088fc3ddcf2fac163b75f839ef69a
From a74ba8209768103051e1b76ff0eba2711950f8c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Wolski?= <[email protected]> Date: Tue, 16 Aug 2016 14:44:34 +0200 Subject: [PATCH] NTLM restart authentication --- src/http-ntlm.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/http-ntlm.c b/src/http-ntlm.c index 56c40ae..4d94dfc 100644 --- a/src/http-ntlm.c +++ b/src/http-ntlm.c @@ -136,13 +136,24 @@ ntlm_input (struct ntlmdata *ntlm, const char *header) } else { - if (ntlm->state >= NTLMSTATE_TYPE1) + if (ntlm->state == NTLMSTATE_LAST) + { + DEBUGP (("NTLM auth restarted.\n")); + /* no return, continue */ + } + else if (ntlm->state == NTLMSTATE_TYPE3) + { + DEBUGP (("NTLM handshake rejected.\n")); + ntlm->state = NTLMSTATE_NONE; + return false; + } + else if (ntlm->state >= NTLMSTATE_TYPE1) { DEBUGP (("Unexpected empty NTLM message.\n")); return false; /* this is an error */ } - DEBUGP (("Empty NTLM message, starting transaction.\n")); + DEBUGP (("Empty NTLM message, (re)starting transaction.\n")); ntlm->state = NTLMSTATE_TYPE1; /* we should sent away a type-1 */ } -- 2.9.3.windows.1
