Question

Is the "Negotiate" HTTP Authentication scheme supported in iOS apps?

I'm trying to access a server that uses this authentication scheme. I'm currently using the ASIHTTPRequest class, which internally uses the CFNetwork library. Authentication fails to happen, and tracing through the ASIHTTPRequest code I see that it fails after a CFHTTPAuthentication object that is created by calling the CFHTTPAuthenticationCreateFromResponse function fails a check with the CFHTTPAuthenticationIsValid function. The error returned is "kCFStreamErrorHTTPAuthenticationTypeUnsupported = -1000". The response that it uses to try to create the CFHTTPAuthentication has the "WWW-Authenticate = Negotiate" header. This makes me think that the Negotiate scheme is not supported. However the library documentation for CFHTTPAuthentication lists "kCFHTTPAuthenticationSchemeNegotiate" as "Available in iOS 2.0 and later".

Following are the relevant parts of the code from ASIHTTPRequest.m, from the attemptToApplyCredentialsAndResume method.

// Read authentication data
if (!requestAuthentication) {
    CFHTTPMessageRef responseHeader = (CFHTTPMessageRef) CFReadStreamCopyProperty((CFReadStreamRef)[self readStream],kCFStreamPropertyHTTPResponseHeader);
    requestAuthentication = CFHTTPAuthenticationCreateFromResponse(NULL, responseHeader);
    CFRelease(responseHeader);
    [self setAuthenticationScheme:[(NSString *)CFHTTPAuthenticationCopyMethod(requestAuthentication) autorelease]];
}

//SNIP

// See if authentication is valid
CFStreamError err;      
if (!CFHTTPAuthenticationIsValid(requestAuthentication, &err)) {

    CFRelease(requestAuthentication);
    requestAuthentication = NULL;

I'm also somewhat confused about the Negotiate scheme itself. As I understand it, it's supposed to try to use the Kerberos scheme if possible, and then fall back to the NTLM scheme if not. The NTLM scheme is supported on iOS, but this fallback doesn't seem to be happening, at least not in the way CFHTTPAuthenticationCreateFromResponse handles it.
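A small diagnostic for the fallback described above, added here as an example and not part of the original post, ASIHTTPRequest or CFNetwork: with Negotiate, the choice between Kerberos and NTLM is carried inside the base64 token rather than in the scheme name, so the first decoded bytes show whether a header holds a raw NTLMSSP message or an SPNEGO token. The function and enum names and the sample header values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum neg_kind { NEG_NOT_NEGOTIATE, NEG_NO_TOKEN, NEG_RAW_NTLM,
                NEG_SPNEGO_INIT, NEG_SPNEGO_RESP, NEG_OTHER };

/* Decode at most `max` bytes from the start of a base64 string. */
static size_t b64_prefix(const char *s, unsigned char *out, size_t max)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *s && n < max; s++) {
        const char *p = strchr(tbl, *s);
        if (!p) break;                      /* padding or junk ends the token */
        acc = (acc << 6) | (unsigned)(p - tbl);
        if ((bits += 6) >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return n;
}

/* Classify the value of a WWW-Authenticate or Authorization header. */
enum neg_kind classify_negotiate(const char *value)
{
    unsigned char b[8];
    size_t n;
    if (strncasecmp(value, "Negotiate", 9) != 0) return NEG_NOT_NEGOTIATE;
    value += 9;
    if (*value != ' ' && *value != '\0') return NEG_NOT_NEGOTIATE;
    while (*value == ' ') value++;
    if (*value == '\0') return NEG_NO_TOKEN;  /* bare challenge, no token yet */
    n = b64_prefix(value, b, sizeof b);
    if (n == 8 && memcmp(b, "NTLMSSP\0", 8) == 0) return NEG_RAW_NTLM;
    if (n >= 1 && b[0] == 0x60) return NEG_SPNEGO_INIT;  /* GSS-API initial token */
    if (n >= 1 && b[0] == 0xA1) return NEG_SPNEGO_RESP;  /* SPNEGO negTokenResp */
    return NEG_OTHER;
}

int main(void)
{
    /* Constructed sample header values (token prefixes only). */
    const char *samples[] = { "Negotiate", "Negotiate TlRMTVNTUAABAAAAB4IIAA==",
                              "Negotiate YIIBAAYGKwYBBQUC", "NTLM TlRMTVNTUAABAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d  %s\n", classify_negotiate(samples[i]), samples[i]);
    return 0;
}
```

An SPNEGO result only says the token is wrapped; which mechanism (Kerberos or NTLM) it carries is decided by the mechanism list inside the token, which this check does not parse.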


Solution

There is no support for Kerberos on the iPhone. Negotiate falls back to NTLM, but do not expect iOS to support a proprietary auth scheme. There may exist third-party implementations.

OTHER TIPS

Safari on iOS 7 supports Single Sign-On (SSO) via HTTP Negotiate:

To configure SSO, iOS supports a configuration profile payload that allows MDM servers to push down the necessary settings. This includes setting the user principal name (that is, the Active Directory user account) and Kerberos realm settings, as well as configuring which apps and/or Safari web URLs should be allowed to use SSO.

Source: iOS Security, Feb 2014 (page 18)

Licensed under: CC-BY-SA with attribution