[Zope3-Users] Re: NTLM credential plugin

Philipp von Weitershausen philipp at weitershausen.de
Wed Sep 13 02:30:22 EDT 2006

Simon Hang wrote:
> Hi,
> I'm thinking to write an NTLM credential plugin for zope3. But as I know, 
> NTLM uses a 4-way handshake procedure, that means it needs two round-trips 
> between server (zope3) and client (browser).
> When I look in the credential plugins, it has a challenge method. But 
> it seems it is only designed for a 1 round-trip protocol. It can issue one 
> challenge, and return to the parent script.

I don't see how the PAU only allows one "round-trip". The PAU will use 
the credentials-plugin to challenge the user when an Unauthorized 
exception occurs.

1. The first time your challenge method is called, you set the 
WWW-Authenticate: NTLM header (like the HTTP Basic Auth plug-in sets the 
WWW-Authenticate: Basic header).

2. Then the client sends the type 1 message which you extract in 
extractCredentials and raise Unauthorized *again*.

3. That means your challenge method is called *again*. That time you'll 
set the WWW-Authenticate header with the type 2 message.

4. Then the client sends the type 3 message back which you'll extract in 
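
The handshake steps listed above, sketched as a small state machine (an added example, not part of the original post and not Zope or PAU code). The names `ntlm_message_type`, `build_type2`, `next_step` and the `pending` dict are hypothetical; `pending` is assumed to be state tied to one client connection, and checking the type 3 response against the returned challenge is left to the caller.

```python
import base64
import os
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message

def ntlm_message_type(authorization):
    """Return 1 or 3 for a well-formed 'Authorization: NTLM ...' value, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP:
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in (1, 3) else None

def build_type2(challenge, flags=0x00000201):
    """Minimal type 2 message: empty target name, Unicode + NTLM flags."""
    header = struct.pack("<IHHII", 2, 0, 0, 40, flags)  # type, len, maxlen, offset, flags
    return NTLMSSP + header + challenge + b"\x00" * 8   # 8-byte challenge + reserved

def next_step(authorization, pending):
    """Decide the server's move; `pending` is hypothetical per-connection state."""
    msg_type = ntlm_message_type(authorization)
    if msg_type == 1:  # step 2 -> step 3: answer type 1 with a fresh type 2
        pending["challenge"] = os.urandom(8)
        token = base64.b64encode(build_type2(pending["challenge"]))
        return "challenge", "NTLM " + token.decode("ascii")
    if msg_type == 3 and "challenge" in pending:  # step 4: single-use challenge
        return "verify", pending.pop("challenge")
    pending.clear()  # no header, garbage, or type 3 without a challenge: restart
    return "challenge", "NTLM"  # step 1: bare WWW-Authenticate value
```

The challenge is random per handshake and removed from `pending` once a type 3 message arrives, so a captured type 3 message cannot be replayed against the same state.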

