Is the "Negotiate" HTTP Authentication scheme supported in iOS apps?
I'm trying to access a server that uses this authentication scheme. I'm currently using the ASIHTTPRequest class, which internally uses the CFNetwork library. Authentication fails to happen, and tracing through the ASIHTTPRequest code I see that it fails after a CFHTTPAuthentication object that is created by calling the CFHTTPAuthenticationCreateFromResponse function fails a check with the CFHTTPAuthenticationIsValid function. The error returned is "kCFStreamErrorHTTPAuthenticationTypeUnsupported = -1000". The response that it uses to try to create the CFHTTPAuthentication has the "WWW-Authenticate = Negotiate" header. This makes me think that the Negotiate scheme is not supported. However, the library documentation for CFHTTPAuthentication lists "kCFHTTPAuthenticationSchemeNegotiate" as "Available in iOS 2.0 and later".
Following are the relevant parts of the code from ASIHTTPRequest.m, from the attemptToApplyCredentialsAndResume method.

    // Read authentication data
    if (!requestAuthentication) {
        CFHTTPMessageRef responseHeader = (CFHTTPMessageRef) CFReadStreamCopyProperty((CFReadStreamRef)[self readStream], kCFStreamPropertyHTTPResponseHeader);
        requestAuthentication = CFHTTPAuthenticationCreateFromResponse(NULL, responseHeader);
        CFRelease(responseHeader);
        [self setAuthenticationScheme:[(NSString *)CFHTTPAuthenticationCopyMethod(requestAuthentication) autorelease]];
    }
    // SNIP
    // See if authentication is valid
    CFStreamError err;
    if (!CFHTTPAuthenticationIsValid(requestAuthentication, &err)) {
        CFRelease(requestAuthentication);
        requestAuthentication = NULL;
    }

I'm also somewhat confused about the Negotiate scheme itself. As I understand it, it's supposed to try to use the Kerberos scheme if possible, and then fall back to the NTLM scheme if not. The NTLM scheme is supported on iOS, but this fallback doesn't seem to be happening, at least not in the way CFHTTPAuthenticationCreateFromResponse handles it.
There is no support for Kerberos on the iPhone. Negotiate falls back to NTLM, but do not expect iOS to support a proprietary auth scheme. There may exist third-party implementations.
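
An added example (not part of the question or the answer, and not ASIHTTPRequest or CFNetwork code) showing scheme selection at the HTTP header level: a client can only pick among the schemes the server lists in WWW-Authenticate, so a response that offers only Negotiate leaves a client without Negotiate support nothing to select, and any Kerberos or NTLM choice within Negotiate happens inside the Negotiate token exchange rather than in the headers. The function names, the client's scheme list and the sample challenges are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Schemes this hypothetical client implements, in its own preference order
   (an assumption). "Negotiate" is deliberately absent. */
static const char *const kClientSchemes[] = { "NTLM", "Digest", "Basic" };

/* Does one WWW-Authenticate value start with the given scheme token?
   Scheme names are case-insensitive; the token ends at space, tab or end. */
static int challenge_has_scheme(const char *value, const char *scheme) {
    size_t n;
    while (*value == ' ' || *value == '\t') value++;
    n = strcspn(value, " \t");
    return n == strlen(scheme) && strncasecmp(value, scheme, n) == 0;
}

/* Return the first client-preferred scheme the server offered, or NULL when
   none of the offered schemes is implemented (the "authentication type
   unsupported" outcome described in the question). */
const char *select_scheme(const char *const *challenges, size_t count) {
    size_t i, j;
    for (i = 0; i < sizeof kClientSchemes / sizeof kClientSchemes[0]; i++)
        for (j = 0; j < count; j++)
            if (challenge_has_scheme(challenges[j], kClientSchemes[i]))
                return kClientSchemes[i];
    return NULL;
}

int main(void) {
    /* Constructed sample header values, one per WWW-Authenticate line. */
    const char *const only_negotiate[] = { "Negotiate" };
    const char *const negotiate_and_ntlm[] = { "Negotiate", "NTLM" };
    const char *picked = select_scheme(only_negotiate, 1);
    printf("Negotiate only   -> %s\n", picked ? picked : "(unsupported)");
    picked = select_scheme(negotiate_and_ntlm, 2);
    printf("Negotiate + NTLM -> %s\n", picked ? picked : "(unsupported)");
    return 0;
}
```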