= Introduction

This library provides bindings to the Win32 SSPI libraries, which implement various security protocols for Windows. The library was primarily developed to give Negotiate/NTLM proxy authentication abilities to Net::HTTP, similar to support found in Internet Explorer or Firefox.

The libary is NOT an implementation of the NTLM protocol, and does not give the ability to authenticate as any given user. It is able to authenticate with a proxy server as the current user.

This project can be found on rubyforge at:


= Using with rubygems (and other libraries)

If RubyGems is not working because of proxy authorization errors, the rubysspi library can be used to solve the problem. The gem includes a file called <tt>spa.rb</tt> in the root directory. Copy this file to your site_ruby directory and then run the gem script directly:

ruby -rspa 'C:\Program Files\ruby\gem'

For example, to list remote gems that match "sspi" this command can be used

ruby -rspa 'C:\Program Files\ruby\gem' list --remote sspi

You must copy the <tt>spa.rb</tt> file yourself, however. Rubygems is not able to do it for you on install.

= Using with open-uri

To use the library with open-uri, make sure to set the environment variable +http_proxy+ to your proxy server. This must be a hostname and port in URL form. E.g.:


The library will grab your current username and domain from the environment variables +USERNAME+ and +USERDOMAIN+. This should be set for you by Windows already.

The library implements a patch on top of Net::HTTP, which means open-uri gets it too. At the top of your script, make sure to require the patch after <tt>open-uri</tt>:

require 'open-uri'
require 'win32/sspi/http_proxy_patch'

open("http://www.google.com") { |f| puts(f.gets(nil)) }

Note that this patch does NOT work with the +http_proxy_user+ and +http_proxy_password+ environment variables. The library will ONLY authenticate as the current user.

= Using with Net::HTTP

Net::HTTP will not use the proxy server supplied in the environment variable automatically, so you have to supply the proxy address yourself. Otherwise, it's exactly the same:

require 'net/http'
require 'win32/sspi/http_proxy_patch'

Net::HTTP::Proxy("proxy.corp.com", 8080).start("www.google.com") do |http|
resp = http.request_get "/"
puts resp.body

= Using rubysspi directly

As stated, the library is geared primarily towards supporting Negotiate/NTLM authentication with proxy servers. In this vein, you can manually authenticate a given HTTP connection with a single call:

require 'win32/sspi'

Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
resp = SSPI::NegotiateAuth.proxy_auth_get http, "/"

The +resp+ variable will contain the response from Google, with any proxy authorization necessary taken care of automatically. Note that if the +http+ connection is not closed, any subsequent requests will NOT require authentication.

If the above method is used, you should NOT require the 'win32/sspi/http_proxy_patch' library, as the interaction between the two will fail.

The library can be used directly to generate tokens appropriate for the current user, too.

To get started, first create an instance of the SSPI::NegotiateAuth class:

require 'win32/sspi'

n = SSPI::NegotiateAuth.new

Next, get the first token by calling get_initial_token:

token = n.get_initial_token

This token returned will be Base64 encoded and can be directly placed in an HTTP header. This token can be easily decoded, however, and is usually an NTLM Type 1 message.

After getting a response from the server (usually an NTLM Type 2 message), pass it into the complete_authentication:

token = n.complete_authentication(server_token)

Note that server_token can be Base64 encoded or not, and if it starts with "Negotiate", that phrase will be stripped off. This allows the response from a Proxy-Authentication header to be passed into the method directly. The token can be decoded externally and passed in, too.

The token returned (usually an NTLM Type 3) message can then be sent to the server and the connection should be authenticated.

= Patching Ruby

A short script to patch Net::HTTP is also included. This patch will give the Net::HTTP (and consequently, open-uri) the ability to directly authenticate with Negotiate/NTLM proxy servers. The main advantage of patching Ruby itself is that other scripts, such as gems, will work directly with these proxy servers and will not require running with the 'spa' library. Similarly, any scripts which use open-uri or Net::HTTP will gain the ability to authenticate with the proxy server.

To run the script, just run <tt>apply_sspi_patch</tt>. The backup will be made of the original 'http.rb' file, and a new patched file will be copied in. After patching, run the test script 'test\test_patched_net_http.rb'. It ensures that proxy authentication now works without extra libraries.

Be aware - this has only been tested on Ruby 1.8.4 and 1.8.5. Though the Net::HTTP libraries are not likely to change much, do some testing afterwards.

If you want the patch disabled for a certain script, just define the constant DISABLE_RUBY_SSPI_PATCH at the top level. If you want to back the patch out, go to the ruby library directory, open the net folder, and rename the file called "http.orig.X.rb" (where X is some number) to http.rb. If the patch has been applied multiple times, uses the lowest "X" found.

= Upgrading to a new version of the library

If you have installed the RubySSPI library previously, and wish to upgrade to a new version, follow these steps:

* Install the new version of the gem
* If you applied the patch before, go to your Ruby library directory (under the One-click installer, its usually ruby\lib\ruby\1.8):
* If any http.orig.N.rb files exist (where N is a number), then delete http.rb and rename the lowest http.orig.N.rb file to http.rb
* Delete any other nttp.orig.N.rb files.
* Run "apply_sspi_patch" to apply the patch again

= Disabling proxy for certain servers

Sometimes it is necessary to NOT use the proxy for certain addresses, especially in a LAN environment. While not a feature directly provided by this library, setting the 'no_proxy' environment variable to a list of servers will ensure no proxy connection is made for them. The list should be comma-delimited, and can consist of any mix of domain names and ports. URLs, however, are not allowed. For example "somehost, somehost.corporate.com, myhost:9000, myhost.corporate.com:80" would all be legal. Note that if a port is NOT specified, then no proxying occurs for that host regardless of the port requested by open-uri.

Finally, the above technique will only work with the open-uri library. Net::HTTP will not use a proxy automatically in any case.

= Thanks & References

Many references were used in decoding both NTLM messages and integrating with the SSPI library. Among them are:

* Managed SSPI Sample - A .NET implementation of a simple client/server using SSPI. A complex undertaking but provides a great resource for playing with the API.
* http://msdn.microsoft.com/library/?url=/library/en-us/dndotnet/html/remsspi.asp?frame=true
* John Lam's RubyCLR - http://www.rubyclr.com
* Originally, I used RubyCLR to call into the Managed SSPI sample which really helped me decode what the SSPI interface did and how it worked. I did not end up using that implementation but it was great for research.
* The NTLM Authentication Protocol - The definitive explanation for the NTLM protocol (outside MS internal documents, I presume).
* http://davenport.sourceforge.net/ntlm.html
* Ruby/NTLM - A pure Ruby implementation of the NTLM protocol. Again, not used in this project but invaluable for decoding NTLM messages and figuring out what SSPI was returning.
* http://rubyforge.org/projects/rubyntlm/
* Seamonkey/Mozilla NTLM implementation - The only source for an implementation in an actual browser. How they figured out how to use SSPI themselves is beyond me.
* http://lxr.mozilla.org/seamonkey/source/mailnews/base/util/nsMsgProtocol.cpp#899

And of course, thanks to my Lord and Savior, Jesus Christ. In the name of the Father, the Son, and the Holy Spirit.