EldoS | Feel safer!

TMG proxy - connection error 96269

#30689
Posted: 09/11/2014 09:00:21
by Marko Žerajić (Basic support level)
Joined: 08/25/2014
Posts: 6

Hi,

I ran into some problems trying to set up TElHTTPTSPClient to connect to a TSA server via a TMG proxy. I always get the SB_SOCKET_ERROR_WEBTUNNEL_NEGOTIATION_FAILED error. Here's the relevant code snippet; could you please let me know if there's anything else I have to set?

Code
IWebProxy proxy = WebRequest.GetSystemWebProxy();
Uri tspUri = proxy.GetProxy(new Uri(Url));

TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
tspClient.HTTPClient = new TElHTTPSClient();

tspClient.HTTPClient.UseWebTunneling = true;
tspClient.HTTPClient.WebTunnelAddress = tspUri.Host;
tspClient.HTTPClient.WebTunnelPort = tspUri.Port;
tspClient.HTTPClient.WebTunnelAuthentication = SBSocket.Unit.wtaNTLM;
#30693
Posted: 09/11/2014 13:17:04
by Eugene Mayevski (EldoS Corp.)

Thank you for the report.

1) Are you sure that NTLM authentication should be used (as opposed to anonymous authentication)?

2) It seems that you want to use an HTTP proxy as an HTTPS proxy (which we call WebTunneling). Not all HTTP proxies serve the CONNECT method (which is the core of an HTTPS proxy). So again, are you sure that this is the correct setup and that the proper address and port are used?

3) Try connecting anywhere via that proxy with TElHTTPSClient - this will make debugging easier.


Sincerely yours
Eugene Mayevski
#30703
Posted: 09/12/2014 02:53:35
by Marko Žerajić (Basic support level)
Joined: 08/25/2014
Posts: 6

You're correct, our proxy is HTTP, not HTTPS. I've tried again, this time using your HTTPGet sample. I added the following code:

Code
HTTPSClient.UseHTTPProxy = true;
HTTPSClient.UseNTLMAuth = true;
HTTPSClient.HTTPProxyPort = proxyUri.Port;
HTTPSClient.HTTPProxyHost = proxyUri.Host;


This was the output of retrieval attempt:
Quote

Sending headers:
GET HTTP://www.eldos.com:80/ HTTP/1.1
Host: www.eldos.com
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: Keep-Alive


Received headers:
HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 MCTMG01
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 3674


Sending headers:
GET HTTP://www.eldos.com:80/ HTTP/1.1
Host: www.eldos.com
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==


Received headers:
HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
Via: 1.1 MCTMG01
Proxy-Authenticate: NTLM TlRM...AAAA==
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0


Sending headers:
GET HTTP://www.eldos.com:80/ HTTP/1.1
Host: www.eldos.com
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Proxy-Authorization: NTLM TlRM...TwAA/G4TDuk1egmKrLppBctFrA==


Received headers:
HTTP/1.1 407 Proxy Authentication Required ( Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 MCTMG01
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 3674


-- Document started --
Html document from our proxy containing following error description:
Error Code: 407 Proxy Authentication Required. Forefront TMG requires authorization to fulfill the request. Access to the Web Proxy filter is denied. (12209).

Sending headers:
GET HTTP://www.eldos.com:80/ HTTP/1.1
Host: www.eldos.com
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==


Received headers:
HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )
Via: 1.1 MCTMG01
Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAEAAQADgAAAAVgoniVTUD0gA+heQA...AAAA==
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0


-- Document started --
#30704
Posted: 09/12/2014 03:27:00
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

Do you use the latest build? Please try to set login credential using TElHTTPSClient.HTTPProxyUsername/HTTPProxyPassword explicitly and check if this helps to connect.
#30705
Posted: 09/12/2014 03:57:32
by Marko Žerajić (Basic support level)
Joined: 08/25/2014
Posts: 6

I was using the previous build, 12.0.258.0. I've downloaded the latest build and entered HTTPProxyUsername and HTTPProxyPassword, but I'm still getting the same result.
#30706
Posted: 09/12/2014 04:22:32
by Marko Žerajić (Basic support level)
Joined: 08/25/2014
Posts: 6

A small correction: the previous attempt failed because I entered my username without the domain name. After fixing that, I get connection error 96269 when attempting to connect to http://www.eldos.com. The error occurs after I get redirected to https.

Authentication on the proxy seems to be working though, but storing the username and password in code or in some config file is not a solution. Is there any way SecureBlackbox could obtain those from the current user?
#30707
Posted: 09/12/2014 04:23:45
by Vsevolod Ievgiienko (EldoS Corp.)

We've checked the NTLM implementation just a few days ago and it worked fine. We use WinAPI for NTLM support, so unfortunately possible problems are out of our control.

You can check proxy server logs for possible hints about the problem.
#30708
Posted: 09/12/2014 04:26:56
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
Is there any way SecureBlackbox could obtain those from the current user?

SecureBlackbox does this when credentials are not set, but in your case it doesn't work for some reason. As I wrote above the reason is out of our control.
#30722
Posted: 09/15/2014 06:29:13
by Marko Žerajić (Basic support level)
Joined: 08/25/2014
Posts: 6

After checking proxy logs and examining Base64 string sent during authentication process, it seems that no user credentials are sent. Proxy server logs the authentication attempt as anonymous and rejects it.

If I enter my username and password into TElHTTPSClient manually, the Proxy-Authorization string contains my username, machine name and domain information, but if I don't enter anything, only the machine name is included.

Do you have any suggestion on how to locate the source of this problem?
#30723
Posted: 09/15/2014 06:34:19
by Eugene Mayevski (EldoS Corp.)

Unfortunately NTLM authentication is performed by the OS and is completely outside of our control. From your log I can see that NTLM handshake does take place (and it is performed by the OS library), so we can't do anything if it doesn't work.

There will be build 260 available tomorrow with a fix of the bug in one string-handling function (the bug appeared in build 259). It's possible that this function somehow affects the handshake.


Sincerely yours
Eugene Mayevski
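
The check described in post #30722 (decoding the Base64 Proxy-Authorization token to see which identity the client sends), as an added example that is not part of the original thread or of SecureBlackbox: a Python parser for NTLM Type 1 and Type 3 messages using the field layout from MS-NLMP. The Type 1 token is the one from the log in post #30703; the Type 3 samples are constructed, and WORKSTATION01, EXAMPLE and alice are placeholder names.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000

# Type 1 token copied from the "Sending headers" log posted in this thread.
TYPE1_FROM_THREAD = ("NTLM TlRMTVNTUAABAAAAl4II4gAAAAAAAAAA"
                     "AAAAAAAAAAAGAbEdAAAADw==")

def _field(msg, pos, wide):  # follow one (length, max length, offset) descriptor
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length].decode("utf-16-le" if wide else "ascii", "replace")

def parse_ntlm(header_value):
    """Decode a Proxy-Authorization value into the fields the proxy sees."""
    msg = base64.b64decode(header_value.split()[-1])
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    out = {"type": struct.unpack_from("<I", msg, 8)[0]}
    if out["type"] == 1:      # NEGOTIATE: flags, then OEM domain/workstation
        flags = struct.unpack_from("<I", msg, 12)[0]
        out.update(flags=flags, domain=_field(msg, 16, False),
                   workstation=_field(msg, 24, False))
        if flags & NEGOTIATE_VERSION:   # client OS major.minor.build
            out["os"] = "%d.%d.%d" % struct.unpack_from("<BBH", msg, 32)
    elif out["type"] == 3:    # AUTHENTICATE: the identity the client asserts
        wide = bool(struct.unpack_from("<I", msg, 60)[0] & NEGOTIATE_UNICODE)
        out.update(domain=_field(msg, 28, wide), user=_field(msg, 36, wide),
                   workstation=_field(msg, 44, wide))
        out["no_user"] = out["user"] == ""   # empty user name, as in post #30722
    return out

def build_sample_type3(domain, user, workstation):
    """Constructed Type 3 message (empty responses), used only as sample input."""
    fields, payload = b"", b""
    for text in (domain, user, workstation):
        raw = text.encode("utf-16-le")
        fields += struct.pack("<HHI", len(raw), len(raw), 72 + len(payload))
        payload += raw
    empty = struct.pack("<HHI", 0, 0, 72)   # zero-length LM/NT/session-key fields
    msg = (SIGNATURE + struct.pack("<I", 3) + empty * 2 + fields + empty
           + struct.pack("<I", NEGOTIATE_UNICODE) + bytes(8) + payload)
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    for value in (TYPE1_FROM_THREAD, build_sample_type3("", "", "WORKSTATION01")):
        print(parse_ntlm(value))
```

A Type 1 message never carries a user name, so the identity check has to be made on the third request's token (Type 3), which is where an empty `user` field shows up.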