Phantomjs: NTLM auth support

_[email protected] commented:_

If you can suggest any work-arounds in the interim, please do so, thanks.

Any news on this? I would really like to have NTLM authentication :-)

PhantomJS support NTLMv2 authentication.

Use page.settings to provide values for username/password
Doc: https://github.com/ariya/phantomjs/wiki/API-Reference-WebPage#wiki-webpage-settings

@Vitallium: I would assume the intent of this was for _integrated_ NTLM authentication, i.e. automatically use the credentials of the user that is executing the PhantomJS process.

@willemmulder @sjrosent @arthurva: Can you guys clarify if that was your intent, or is the mechanism that Vitaliy mentioned enough to meet your needs?

Hmm, I use http://casperjs.org/api.html#casper.setHttpAuth from CasperJS to set the http auth headers. They should do the same as https://github.com/ariya/phantomjs/wiki/API-Reference-WebPage#wiki-webpage-settings (although I did not try that yet)... But what I get is "the requested method is not supported".

I did not necessarily mean for integrated NTLM authentication, but the topic starter might :-)

@JamesMGreene Qt 4.8.4 doesn't support automatic NTLM authentication :(

@willemmulder NTLM authentication doesn't use any of these HTTP headers: HTTP_AUTH_USER or HTTP_AUTH_PW.
It uses the Authorization HTTP header.

UPD
Never mind, CasperJS sets it in the right way.

UPD2
@willemmulder Did you try to provide the username with the domain value, e.g. mydomain\\username?

http://darrendev.blogspot.jp/2013/04/phantomjs-post-auth-and-timeouts.html
here is a blog said there is a bug when setting username and password with GET request and it suggest use

page.customHeaders={'Authorization': 'Basic '+btoa('username:password')}

to fix it. But the problem is I don't know how to build NTLM encoding string.

That might work for Basic authentication, but I assume it doesn't work for NTLM authentication...?

@willemmulder correct. I tested it against NTLM appliaction, it failed. And cant find how to generate NTLM encoding after google.

Yeah, too bad... Just wait until it is supported, I guess...!

http://fabricasapiens.nl
voor websites

2013/4/12 raykin [email protected]

@willemmulder https://github.com/willemmulder correct. I tested it
against NTLM appliaction, it failed. And cant find how to generate NTLM
encoding after google.

—
Reply to this email directly or view it on GitHubhttps://github.com/ariya/phantomjs/issues/11037#issuecomment-16282767
.

A google for NTLM authentication will give you plenty of resources, but it's not simple.

Any progress on this? Without NTLM support PhantomJS is a dead end in the enterprise market.

@BigBadOwl A multi-million-dollar enterprise organization also has another choice: contribute to this project (which is _free_ to use by everyone, including such enterprise entities) to ensure that NTLM works well.

@ariya You are of course quite correct. If it meant enough to a big company to have NTLM support, then they could pay a developer with the knowledge and skills to do the work. Unfortunately, I am only using PhantomJS to automate some of my tasks to make my life easier, not something my company would shell out for I'm afraid. Thanks for PhantomJS BTW, it is awesome and most appreciated.

I have similar requirement where in my enterprise I am behind a firewall with NTLM/Kerberos authentication configured. None of the options --proxy-auth worked for me and I understood there is no NTLM support as of now. I am using PhantomJS 1.9.1. So, I am using a work-around for this by setting a local proxy on my machine (i used OWASP ZAP proxy). I configured my external proxy credentials in the ZAP, and passed my localhost zap proxy url with --proxy=localhost:8080 (i configured zap to run on port 8080 default). It worked like a gem and I am able to connect to external sites as ZAP is capable of doing NTLM authentication. I faced issue with https (SSL) sites later. But I understand the root cause is that the dynamic certificate created by ZAP is not getting validated. So, the moment i put --ignore-ssl-errors=yes, again I got the SSL sites content like a gem. Hope this work around help others too. I am newbie and today is firstday with phantomjs so, I am unaware of any other inbuilt options available to achieve this same instead of taking this workaround.

@ariya I want to confirm that {"WWW-Authenticate" : "Negotiate [token]"} header is not supported. I tried to manually create a token and set the header, but the http response gives "null" status and empty contents.

Does that mean this header entry is discarded from the request? Thanks.

For my previous comment, I was wrong. Actually the Kerberos header is accepted. Only the format is:
page.customHeaders = {"Authorization": "Negotiate " + [token]};

To test, I accessed a kerberos website using OWASP ZAP to log all the request and response (thanks to @pkbharigopal ), and get the token from request header. Immediately copy the token to phantomjs and it worked!

However, the hard part is to automatically generate the token, you can use following packages:
openssl/x509.h
gssapi/gssapi.h
gssapi/gssapi_krb5.h
And a method named: gss_init_sec_context(...);

Has this been closed? There still does not appear to be NTLM authentication. Thanks

@tariqporter - it is not closed, it is still open. Verkurkie referenced a different issue. That one is closed.

@Vitallium, @JamesMGreene, from the follow-up discussion I take it that neither "automatic"/"integrated" NTLM authentication, nor NTML authentication in any form is currently supported. Escpecially after reading @raykin's comments. Is that correct?

@darkroastjava PhantomJS 2 has support for NTLM authentication. PhantomJS 1 doesn't.

just tried https://github.com/sdesalas/trifleJS and windows auth works since it's using IE.

I'm using Phantomjs v2.0. Is there any example of passing username, password and domain for the NTLM authentication. So far, I'm not able to get a screen capture working for NTLM using phantomjs.

Hi @rajeshpaddy , just use: "http://username:password@localhost/myapp" as the URL for your request. Worked for me.

Hi, I have the same problem that @pkbharigopal :

In my enterprise I am behind a firewall with NTLM/Kerberos authentication configured. None of the options --proxy-auth, --proxy worked for me. I am using PhantomJS 2.0.

Checkout triflejs. It solved my authentication problem.

Sorry @rajeshpaddy,

I do not understand if I have to use the "triflejs" project or watch the piece of code to solve the connection problem

Hi Everyone,

Nobody knows answer to my problem (or question ) ?

You can manipulate request header to send Kerberos token to hit Kerberized web pages from PhantomJS. Using below -
page.customHeaders = {"Authorization": "Negotiate " + [token]};

Also I had to change cli args to --ignore-ssl-error = true to get it working.

Use https://docs.oracle.com/javase/7/docs/api/org/ietf/jgss/GSSManager.html and https://docs.oracle.com/javase/7/docs/api/org/ietf/jgss/GSSContext.html to generate Kerberos token.

I've gotten phantomjs to work with ntlm authentication using the cntlm proxy. The method that I used is detailed below if that would be helpful to anyone else encountering this issue. http://stackoverflow.com/questions/31209449/cntlm-proxy-with-phantomjs

@itslittlejohn :+1: Thanks for sharing!

This is more than possible to implement kerberos authentication in phantomJS using https://github.com/christkv/kerberos.

And I haven't tried it, but @vaishali33's solution looks like the only straightforward one.

Due to our very limited maintenance capacity (see #14541 for more details), we need to prioritize our development focus on other tasks. Therefore, this issue will be automatically closed. In the future, if we see the need to attend to this issue again, then it will be reopened. Thank you for your contribution!