Server Authentication

The following urlcp settings control authentication information sent to the web server (e.g. for restricted-access pages):

  • authenticateservermutually (boolean)

    Whether to attempt to also mutually authenticate the server during a 401 Unauthorized authentication transaction. Experimental; may not be supported; may change or be dropped in future releases. Only supported in Negotiate authentication. Added in version 7.04. Default off.

  • authschemes [add|del|set] [$schemes ...]  

    Sets which authentication schemes to use. $schemes can be one or more of anonymous (i.e. none), FTP, Basic, file, Negotiate, NTLM, NTLMv1 or NTLMv2. (Authentication via SSL client certificates is handled at the SSL not HTTP level; see the sslcertificatefile setting, here.) NTLM is an alias for both NTLMv1 and NTLMv2 together. Returns previous list. The default is all of the above, except for NTLMv1 (and Negotiate, if not supported on current platform) . If the first value of the first argument is add, the given list will be added to the allowed list; if del, deleted from; if set, cleared and set (the default). Added in version 5.1. NTLMv2 support was added in version 5.01.1213917000 20080619; previously, NTLM meant NTLMv1 only, and the NTLMv1 and NTLMv2 settings did not exist. Negotiate was added in version 7.04, and is only supported under Linux 2.6 and later. Under Windows, Negotiate might be supported via <urlcp netmode sys>.

    If both NTLMv1 and NTLMv2 are enabled, NTLMv2 will be attempted first, then NTLMv1 if that fails. NTLMv2 is more secure than NTLMv1, and is supported by servers running Windows NT4 SP4 or later OSes. Note: Windows servers or domain controllers which have the Local Security policy Network security: LAN Manager authentication level set to "Send NTLMv2 response only/refuse LM & NTLM" (or the registry setting lmCompatibilityLevel set to 5) will only accept NTLMv2, and will thus require NTLMv2 to be enabled. With NTLMv2 disabled via <urlcp>, such servers will reject a <fetch> (even with proper credentials) with 401 Unauthorized or 500 Internal Server Error.

    Similarly, certain Samba implementations or configurations (as servers or domain controllers) may only understand NTLMv1, and may return 401 Unauthorized unless NTLMv1 is specifically enabled via this setting.

  • ntlm128bitencryption (string or integer) Sets whether to negotiate 128-bit encryption during NTLM session security, for NTLMv1 and NTLMv2 authentication. The value is one of:

    • ignore Do not request or do 128-bit encryption

    • accept Do not request 128-bit encryption, but accept if peer offers

    • request Request 128-bit encryption, but optionally

    • require Request 128-bit encryption, and fail with error if peer refuses to do 128-bit

    Returns previous setting, as an integer 0-15 (bits 0-1 apply to NTLMv1, bits 2-3 apply to NTLMv2). Added in version 5.01.1222370000 20080925. Note that only flag negotiation is currently supported, as full NTLM session security is not used in NTLM over HTTP. The default is ignore.

  • ntlmntlmv2sessionsecurity (string or integer) Sets whether to negotiate NTLMv2 session security during NTLMv1 and NTLMv2 authentication. Same values accepted and returned as for ntlm128bitencryption. Added in version 5.01.1222370000 20080925.

    Enabling NTLMv2 session security can prevent a 500 Internal Server Error response when accessing Windows servers whose Local Security policy for Network security: Minimum session security for NTLM SSP based (including secure RPC) servers is set to include "Require NTLMv2 session security". Thus, the default for this setting is request.

  • ntlmsealing (string or integer) Sets whether to negotiate NTLM sealing (message confidentiality) during NTLMv1 and NTLMv2 authentication. Same values accepted and returned as for ntlm128bitencryption. Added in version 5.01.1222370000 20080925. Note that only flag negotiation is currently supported, as NTLM sealing is not used in NTLM over HTTP. The default is ignore.

  • ntlmsigning (string or integer) Sets whether to negotiate NTLM signing (message integrity) during NTLMv1 and NTLMv2 authentication. Same values accepted and returned as for ntlm128bitencryption. Added in version 5.01.1222370000 20080925. Note that only flag negotiation is currently supported, as NTLM signing is not used in NTLM over HTTP. The default is ignore.

  • ntlmv1128bitencryption (string or integer) ntlmv1ntlmv2sessionsecurity (string or integer) ntlmv1sealing (string or integer) ntlmv1signing (string or integer) Same as ntlm... settings, but only affecting NTLMv1 transactions, not NTLMv2. Return value is previous setting, as integer 0-7. Added in version 5.01.1222370000 20080925.

  • ntlmv2128bitencryption (string or integer) ntlmv2ntlmv2sessionsecurity (string or integer) ntlmv2sealing (string or integer) ntlmv2signing (string or integer) Same as ntlm... settings, but only affecting NTLMv2 transactions, not NTLMv1. Return value is previous setting, as integer 0-7. Added in version 5.01.1222370000 20080925.

  • pass (string) Sets the password to use when accessing documents. The default is "user@host" for FTP, none for other protocols.

  • proxypass (string) Sets the proxy password to use when accessing documents via a proxy. The default is none. Added in version 4.01.1031169922 20020904.

  • proxyuser (string) Sets the proxy user to use when accessing documents via a proxy (the Proxy-Authorization: Basic header). The default is none. Added in version 4.01.1031169922 20020904.

  • saslmechanisms [add|del|set] [$mechanisms ...]  

    Set or alter the list of SASL mechanisms to enable. The SASL API is used for Negotiate HTTP authentication on Unix platforms (where supported). The default list is GSSAPI, which supports Kerberos. The possible mechanism values depend on the SASL implementation, and typically include GSSAPI, NTLM and others; call <urlinfo saslmechanismsavailable> (here) to obtain the list. (Note that NTLM here refers to a SASL mechanism under WWW-Authenticate: Negotiate HTTP authentication, not WWW-Authenticate: NTLM HTTP authentication.) If the first value of the first argument is add, the given list will be added to the allowed list; if del, deleted from; if set, cleared and set (the default). Added in version 7.04. Returns 1 on success, 0 on error (e.g. SASL not supported on platform). Note that invalid mechanisms may not be detected until a fetch using the SASL API is run. A putmsg is generated if SASL is not supported on the current platform.

  • saslpluginpath (string)  

    Sets the colon-separated path of directories to look for SASL plugins. The SASL API is used for Negotiate HTTP authentication on Unix platforms (where supported). The default is the etc/sasl/lib/sasl2 subdir of the Texis install dir. Added in version 7.04. Returns 1 on success, 0 on error (e.g. SASL not supported on platform). Note that an invalid path may not be detected until a fetch using the SASL API is run. A putmsg is generated if SASL is not supported on the current platform.

  • sendlmresponse (boolean) Whether to send the LM response in NTLM authentication responses. The LM response is used for backwards-compatibility with older Windows servers and domain controllers, but is considered less secure if the NTLMv1 protocol is used (NTLMv2 is used by default). On by default. Added in version 5.01.1213740000 20080617.

  • sendntlmresponse (boolean) Whether to send the NTLM response in NTLM authentication responses. On by default. Added in version 5.01.1213740000 20080617.

  • sspipackages [add|del|set] [$packages ...]  

    Set or alter the list of SSPI packages to enable. The SSPI API is used for Negotiate HTTP authentication on Windows platforms. The default list is empty, which supports Kerberos and NTLM. The possible package values depend on the SSPI implementation; call <urlinfo sspipackagesavailable> (here) to obtain the list. (Note that NTLM here refers to an SSPI package under WWW-Authenticate: Negotiate HTTP authentication, not WWW-Authenticate: NTLM HTTP authentication.) If the first value of the first argument is add, the given list will be added to the allowed list; if del, deleted from; if set, cleared and set (the default). Added in version 7.04. Returns 1 on success, 0 on error (e.g. SSPI not supported on platform). Note that invalid packages may not be detected until a fetch using the SSPI API is run. A putmsg is generated if SSPI is not supported on the current platform (e.g. non-Windows).

    Note that Negotiate authentication using SSPI is not fully implemented yet; this (and other SSPI) functions may not yet work correctly or may be updated/changed in future releases.

  • user (string) Sets the user to use when accessing documents (e.g. Basic or NTLM authentication for HTTP pages, login user for FTP documents, LogonUser() for file:// documents). The default is "anonymous" for FTP, none for other protocols.

    Windows file:// user/pass support was added in version 5.01.1123050000 20050803. For file:// URLs, the Windows operating system requires that the user specified must have Log on as a batch job permission, and the source user (the user running the Vortex script and calling <fetch>, typically I_USR if from a web server) must have Act as part of the operating system permission. Note: before changing these permissions, discuss the security implications with your system administrator. Lack of the former permission may result in Win32 error 1385 (ERROR_LOGON_TYPE_NOT_GRANTED: "Logon failure: the user has not been granted the requested logon type at this computer"), whereas lack of the latter permission may result in Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD: "A required privilege is not held by the client").


Copyright © Thunderstone Software     Last updated: Dec 10 2018
Copyright © 2019 Thunderstone Software LLC. All rights reserved.