
rejected NTLM challenge #93

Open
tobwen opened this issue Oct 16, 2022 · 10 comments

Comments

@tobwen

tobwen commented Oct 16, 2022

Describe the bug
While trying to connect to a WebDAV server, I'm getting this error message:

Could not authenticate to server: ignoring empty Negotiate continuation, rejected NTLM challenge

Environment

  • neon version: 7f7c94e
  • OS: Debian
  • SSL library version: OpenSSL 1.1.1n
  • davfs2 recompiled to use latest libneon

To Reproduce

mount -t davfs https://fsstud.ruhr-uni-bochum.de/<hidden> /mnt/rub/

Debugging output
Please instruct me how to.

@notroj
Owner

notroj commented Oct 17, 2022

If the server requires authentication, are you providing it somehow? I don't know how davfs works, I'd recommend starting by talking to the community of that project.

@tobwen
Author

tobwen commented Oct 17, 2022

WinSCP suffers from the same issue and also uses neon - even with the same error message.

Since the WinSCP community is way more "easy to handle" than the Debian one (which seems to maintain a fork of davfs), I'll report a bug over there. Closed for now.

@martinprikryl

You know that the problem is between neon and the server. So why would you report the bug on WinSCP?

@tobwen
Author

tobwen commented Oct 24, 2022

You know that the problem is between neon and the server. So why would you report the bug on WinSCP?

Since they (you) are capable of analysing and discussing the problem, I'm not. I'm a user only; I can report it, do some tests, etc.

@notroj
Owner

notroj commented Jan 11, 2023

If you want to move this forward I suggest you configure current versions of cadaver and neon built with --enable-debugging and provide debug output with set debug http,httpauth in cadaver. Otherwise there's not much anybody can do to help.

@tobwen
Author

tobwen commented Jan 11, 2023

Here we go:

MYLOGINNAME and BASE64_TOKEN_113_CHARS are censored.
BASE64_TOKEN_113_CHARS starts with NTLMSSP => https://en.wikipedia.org/wiki/NTLMSSP

# ./cadaver
dav:!> set debug http,httpauth
dav:!> open https://fsstud.ruhr-uni-bochum.de/MYLOGINNAME
HTTP session to https://fsstud.ruhr-uni-bochum.de:443 begins.
auth: Create for WWW-Authenticate
Running pre_send hooks
Sending request headers:
OPTIONS /MYLOGINNAME/ HTTP/1.1
User-Agent: cadaver/0.24 neon/0.32.4
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Host: fsstud.ruhr-uni-bochum.de

Sending request-line and headers:
Doing DNS lookup on fsstud.ruhr-uni-bochum.de...
req: Connecting to 134.147.64.4:443
Request sent; retry is 0.
[status-line] < HTTP/1.1 200 OK
[hdr] Allow: OPTIONS, TRACE, GET, HEAD, POST, LOCK, UNLOCK
Header Name: [allow], Value: [OPTIONS, TRACE, GET, HEAD, POST, LOCK, UNLOCK]
[hdr] Server: Microsoft-IIS/10.0
Header Name: [server], Value: [Microsoft-IIS/10.0]
[hdr] Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
Header Name: [public], Value: [OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK]
[hdr] DAV: 1,2,3
Header Name: [dav], Value: [1,2,3]
[hdr] MS-Author-Via: DAV
Header Name: [ms-author-via], Value: [DAV]
[hdr] Date: Wed, 11 Jan 2023 18:07:25 GMT
Header Name: [date], Value: [Wed, 11 Jan 2023 18:07:25 GMT]
[hdr] Content-Length: 0
Header Name: [content-length], Value: [0]
[hdr]
End of headers.
Running post_headers hooks
Running post_send hooks
auth: Post-send (#0), code is 200 (want 401), WWW-Authenticate is (none)
Request ends, status 200 class 2xx, error line:
200 OK
Running destroy hooks.
Request ends.
auth: Create for WWW-Authenticate
Running pre_send hooks
Sending request headers:
PROPFIND /MYLOGINNAME/ HTTP/1.1
User-Agent: cadaver/0.24 neon/0.32.4
Connection: TE
TE: trailers
Host: fsstud.ruhr-uni-bochum.de
Depth: 0
Content-Length: 288
Content-Type: application/xml

Sending request-line and headers:
Sending request body:
Request sent; retry is 1.
[status-line] < HTTP/1.1 401 Unauthorized
[hdr] Content-Type: text/html
Header Name: [content-type], Value: [text/html]
[hdr] Server: Microsoft-IIS/10.0
Header Name: [server], Value: [Microsoft-IIS/10.0]
[hdr] WWW-Authenticate: Negotiate
Header Name: [www-authenticate], Value: [Negotiate]
[hdr] WWW-Authenticate: NTLM
Header Name: [www-authenticate], Value: [NTLM]
[hdr] Date: Wed, 11 Jan 2023 18:07:25 GMT
Header Name: [date], Value: [Wed, 11 Jan 2023 18:07:25 GMT]
[hdr] Content-Length: 1293
Header Name: [content-length], Value: [1293]
[hdr]
End of headers.
Running post_headers hooks
Reading 1293 bytes of response body.
Got 1293 bytes.
Running post_send hooks
auth: Post-send (#0), code is 401 (want 401), WWW-Authenticate is Negotiate, NTLM
auth: Got challenge (code 401).
auth: Got 'Negotiate' challenge.
auth: Got 'NTLM' challenge.
auth: Trying Negotiate challenge...
auth: Trying NTLM challenge...
auth: NTLM challenge.
Authentication required for (null) on server `fsstud.ruhr-uni-bochum.de':
Username: [email protected]
Password:
auth: Accepted NTLM challenge.
Running pre_send hooks
auth: Sending 'NTLM' response.
Sending request headers:
PROPFIND /MYLOGINNAME/ HTTP/1.1
User-Agent: cadaver/0.24 neon/0.32.4
Connection: TE
TE: trailers
Host: fsstud.ruhr-uni-bochum.de
Depth: 0
Content-Length: 288
Content-Type: application/xml
Authorization: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Sending request-line and headers:
Sending request body:
Request sent; retry is 1.
[status-line] < HTTP/1.1 401 Unauthorized
[hdr] Content-Type: text/html; charset=us-ascii
Header Name: [content-type], Value: [text/html; charset=us-ascii]
[hdr] Server: Microsoft-HTTPAPI/2.0
Header Name: [server], Value: [Microsoft-HTTPAPI/2.0]
[hdr] WWW-Authenticate: NTLM BASE64_TOKEN_113_CHARS
Header Name: [www-authenticate], Value: [NTLM BASE64_TOKEN_113_CHARS]
[hdr] Date: Wed, 11 Jan 2023 18:07:34 GMT
Header Name: [date], Value: [Wed, 11 Jan 2023 18:07:34 GMT]
[hdr] Content-Length: 341
Header Name: [content-length], Value: [341]
[hdr]
End of headers.
Running post_headers hooks
Reading 341 bytes of response body.
Got 341 bytes.
Running post_send hooks
auth: Post-send (#1), code is 401 (want 401), WWW-Authenticate is NTLM BASE64_TOKEN_113_CHARS
auth: Got challenge (code 401).
auth: Got 'NTLM' challenge.
auth: NTLM opaque parameter 'BASE64_TOKEN_113_CHARS'
auth: Trying NTLM challenge...
auth: NTLM challenge.
auth: Accepted NTLM challenge.
Running pre_send hooks
auth: Sending 'NTLM' response.
Sending request headers:
PROPFIND /MYLOGINNAME/ HTTP/1.1
User-Agent: cadaver/0.24 neon/0.32.4
Connection: TE
TE: trailers
Host: fsstud.ruhr-uni-bochum.de
Depth: 0
Content-Length: 288
Content-Type: application/xml
Authorization: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Sending request-line and headers:
Sending request body:
Request sent; retry is 1.
[status-line] < HTTP/1.1 401 Unauthorized
[hdr] Content-Type: text/html
Header Name: [content-type], Value: [text/html]
[hdr] Server: Microsoft-IIS/10.0
Header Name: [server], Value: [Microsoft-IIS/10.0]
[hdr] WWW-Authenticate: Negotiate
Header Name: [www-authenticate], Value: [Negotiate]
[hdr] WWW-Authenticate: NTLM
Header Name: [www-authenticate], Value: [NTLM]
[hdr] Date: Wed, 11 Jan 2023 18:07:34 GMT
Header Name: [date], Value: [Wed, 11 Jan 2023 18:07:34 GMT]
[hdr] Content-Length: 1293
Header Name: [content-length], Value: [1293]
[hdr]
End of headers.
Running post_headers hooks
Reading 1293 bytes of response body.
Got 1293 bytes.
Running post_send hooks
auth: Post-send (#2), code is 401 (want 401), WWW-Authenticate is Negotiate, NTLM
auth: Got challenge (code 401).
auth: Got 'Negotiate' challenge.
auth: Got 'NTLM' challenge.
auth: Trying Negotiate challenge...
auth: Trying NTLM challenge...
auth: NTLM challenge.
Authentication required for (null) on server `fsstud.ruhr-uni-bochum.de':
Username: [email protected]
Password:
auth: Accepted NTLM challenge.
Running pre_send hooks
auth: Sending 'NTLM' response.
Sending request headers:
PROPFIND /MYLOGINNAME/ HTTP/1.1
User-Agent: cadaver/0.24 neon/0.32.4
Connection: TE
TE: trailers
Host: fsstud.ruhr-uni-bochum.de
Depth: 0
Content-Length: 288
Content-Type: application/xml
Authorization: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Sending request-line and headers:
Sending request body:
Request sent; retry is 1.
[status-line] < HTTP/1.1 401 Unauthorized
[hdr] Content-Type: text/html; charset=us-ascii
Header Name: [content-type], Value: [text/html; charset=us-ascii]
[hdr] Server: Microsoft-HTTPAPI/2.0
Header Name: [server], Value: [Microsoft-HTTPAPI/2.0]
[hdr] WWW-Authenticate: NTLM BASE64_TOKEN_113_CHARS
Header Name: [www-authenticate], Value: [NTLM BASE64_TOKEN_113_CHARS]
[hdr] Date: Wed, 11 Jan 2023 18:07:44 GMT
Header Name: [date], Value: [Wed, 11 Jan 2023 18:07:44 GMT]
[hdr] Content-Length: 341
Header Name: [content-length], Value: [341]
[hdr]
End of headers.
Running post_headers hooks
Reading 341 bytes of response body.
Got 341 bytes.
Running post_send hooks
auth: Post-send (#3), code is 401 (want 401), WWW-Authenticate is NTLM BASE64_TOKEN_113_CHARS
auth: Got challenge (code 401).
auth: Got 'NTLM' challenge.
auth: NTLM opaque parameter 'BASE64_TOKEN_113_CHARS'
auth: Trying NTLM challenge...
auth: NTLM challenge.
auth: Accepted NTLM challenge.
Running pre_send hooks
auth: Sending 'NTLM' response.
Sending request headers:
PROPFIND /MYLOGINNAME/ HTTP/1.1
User-Agent: cadaver/0.24 neon/0.32.4
Connection: TE
TE: trailers
Host: fsstud.ruhr-uni-bochum.de
Depth: 0
Content-Length: 288
Content-Type: application/xml
Authorization: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Sending request-line and headers:
Sending request body:
Request sent; retry is 1.
[status-line] < HTTP/1.1 401 Unauthorized
[hdr] Content-Type: text/html
Header Name: [content-type], Value: [text/html]
[hdr] Server: Microsoft-IIS/10.0
Header Name: [server], Value: [Microsoft-IIS/10.0]
[hdr] WWW-Authenticate: Negotiate
Header Name: [www-authenticate], Value: [Negotiate]
[hdr] WWW-Authenticate: NTLM
Header Name: [www-authenticate], Value: [NTLM]
[hdr] Date: Wed, 11 Jan 2023 18:07:44 GMT
Header Name: [date], Value: [Wed, 11 Jan 2023 18:07:44 GMT]
[hdr] Content-Length: 1293
Header Name: [content-length], Value: [1293]
[hdr]
End of headers.
Running post_headers hooks
Reading 1293 bytes of response body.
Got 1293 bytes.
Running post_send hooks
auth: Post-send (#4), code is 401 (want 401), WWW-Authenticate is Negotiate, NTLM
auth: Got challenge (code 401).
auth: Got 'Negotiate' challenge.
auth: Got 'NTLM' challenge.
auth: Trying Negotiate challenge...
auth: Trying NTLM challenge...
auth: NTLM challenge.
auth: No challenges accepted.
Request ends, status 401 class 4xx, error line:
Could not authenticate to server: ignoring empty Negotiate continuation, rejected NTLM challenge
Running destroy hooks.
Request ends.
Could not access /MYLOGINNAME/ (not WebDAV-enabled?):
Could not authenticate to server: ignoring empty Negotiate continuation, rejected NTLM challenge
sess: Destroying session.
Connection to `fsstud.ruhr-uni-bochum.de' closed.

@igmar

igmar commented May 15, 2023

Was this issue ever resolved? I have a similar setup failing.

@igmar

igmar commented May 15, 2023

I suspect this rejection is due to MS doing some things. I've asked the admin of the Sharepoint service to have a look at the IIS logs to see if it tells why it gets rejected. That might provide some additional info where to start looking.

@igmar

igmar commented Jun 16, 2023

Ok, the issue is clear:

What davfs sends:

$ ntlm_decoder "TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA="
Type 1 message
Flags :
Negotiate OEM
Negotiate NTLM

What curl sends:

$ ntlm_decoder "TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="
Type 1 message
Flags :
Negotiate OEM
Request Target
Negotiate NTLM
Negotiate Always Sign
Negotiate NTLM2 Key

Recent IIS security setups require NTLMv2 and signing, and that is also a requirement if you have password > 14 chars.

I'll cook up a patch for this in the next weeks.
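An added example to accompany the analysis above; it is not code from neon, davfs2, curl or the ntlm_decoder tool igmar used. It parses an NTLM Type 1 (NEGOTIATE_MESSAGE) token according to the MS-NLMP field layout, lists the NegotiateFlags bits by their MS-NLMP names (the decoder's "NTLM2 Key" is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, its "Always Sign" is NTLMSSP_NEGOTIATE_ALWAYS_SIGN), and reports which of the two flags igmar identifies as required by a hardened IIS setup are absent. The two tokens are the ones quoted in the comment; the set of "hardened required" flags is an assumption taken from that comment, not from any Microsoft documentation.

```python
"""Decode an NTLM Type 1 (NEGOTIATE_MESSAGE) token and list its flags.

Added example for this issue thread; not code from neon, davfs2 or curl.
Field layout follows MS-NLMP 2.2.1.1; flag names follow MS-NLMP 2.2.2.5.
"""
import base64
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5).
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS",
    0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # shown as "NTLM2 Key" above
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Assumption taken from igmar's comment: a hardened IIS front end expects the
# client to offer extended session security (NTLMv2-style) and signing.
HARDENED_REQUIRED = (0x00080000, 0x00008000)

# Type 1 tokens quoted in the thread: what davfs/neon sent, and what curl sent.
NEON_TYPE1 = "TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA="
CURL_TYPE1 = "TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA="


def decode_type1(token_b64):
    """Parse a base64 NEGOTIATE_MESSAGE; raise ValueError if it is not one."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 32 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected Type 1 message, got type %d" % msg_type)
    # DomainNameFields and WorkstationFields: Len, MaxLen, BufferOffset.
    # Both tokens in the thread carry empty payloads, so these slices are empty.
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
    return {
        "flags": flags,
        "flag_names": [n for bit, n in sorted(NEGOTIATE_FLAGS.items()) if flags & bit],
        "domain": raw[dom_off:dom_off + dom_len].decode("ascii", "replace"),
        "workstation": raw[ws_off:ws_off + ws_len].decode("ascii", "replace"),
    }


def missing_hardened_flags(token_b64):
    """Names of the HARDENED_REQUIRED flags that the client did not offer."""
    flags = decode_type1(token_b64)["flags"]
    return [NEGOTIATE_FLAGS[bit] for bit in HARDENED_REQUIRED if not flags & bit]


if __name__ == "__main__":
    for label, token in (("davfs/neon", NEON_TYPE1), ("curl", CURL_TYPE1)):
        info = decode_type1(token)
        print("%s: flags=0x%08x" % (label, info["flags"]))
        for name in info["flag_names"]:
            print("  " + name)
        print("  missing for hardened server:", missing_hardened_flags(token) or "none")
```

Run stand-alone it prints the neon token as flags 0x00000202 (OEM and NTLM only) and the curl token as 0x00088206, with the two hardened-server flags missing from the neon token and none missing from curl's; the same function can be pointed at any Type 1 token captured from a client under test to see what it is offering before the server answers with its Type 2 challenge.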

@notroj
Owner

notroj commented Jun 18, 2023

Thanks @igmar for the detailed analysis.
