NTLM Library
Download Now!
Size :  9Kb
Level :  stable
Version :  1.0.3
Date :  31-Mar-2008


This REBOL library offers the support for the Microsoft NTLM (NT Lan Manager) authentication scheme over a Windows LAN. It requires an active REBOL /Library component to access the Windows security API, so it only works on Windows platforms. The NTLM scheme is often used as authentication scheme in enterprise networks with HTTP proxies (MS Proxy or ISA Server). The first goal of this library is to allow any REBOL application (including REBOL/Link clients) to pass through NTLM proxy server (providing a valid login/pass !)

For easier use, the NTLM library is wrapped into a standard REBOL scheme : ntlm://. This allows you to use it in other contexts than HTTP authentication, where NTLM is required.

A patch for the REBOL HTTP protocol is provided in the archive to transparently authenticate with a NTLM proxy server.

Server-side challenging is not supported in this version, but it will be included in a future release.


Here's a simple NTLM library usage example :

Download the NTLM library and unpack it (ZIP archive). Open a REBOL console and change-dir to the installation folder, then type the following code (providing the address and port number for your NTLM proxy server) :
>> do %http-patch.r
>> set-ntlm-proxy <proxy host> <proxy port>
If you need to specify the Windows network domain name, just use the /domain refinement with a string! value :
>> set-ntlm-proxy/domain <proxy host> <proxy port> "<domain name>"
Then try to read an HTTP url :
>> read
Enter proxy authentication username: <login>
Enter proxy authentication password: <password>
connecting to:
== {<HTML>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html;CHARSET=iso-8859-1">

<META NAME="keywords" CONTENT="REBOL, X ...
You'll be asked for a valid login and password only once per REBOL session. Usually, your Windows login account information would be enough for the proxy server.

If you're running REBOL/View, you can also try with the desktop command !

If web page reading test fails, you can ask for some debugging informations using REBOL's standard trace function :
>> trace/net on
>> read

How to quickly discover if your HTTP proxy server requires NTLM authentication ?

Do the following test in a REBOL console :
>> p: open/no-wait tcp://<proxy host>:<proxy port>
>> insert p "GET HTTP/1.0^/Host:^/^/"
>> probe copy p
Then you should get something like this if your proxy requires authentication :
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request.
 Access to the Web Proxy service is denied.  )
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4096
The Proxy-Authenticate header shows what authentication method is accepted. In this example, both 'Kerberos and 'NTLM are valid methods. Other main authentication methods are : 'Basic (built in REBOL) and 'Digest (not supported by REBOL).

Developer's Documentation

To be done...


  • v.1.0.3 - 31-Mar-2008
    - HTTP patch updated to match REBOL v2.7.6
    - Major bug fixed in HTTP authentication request when in proxy mode (Thanks to Thorsten Moeller for his kind help).
    - Fixed HTTP request line endings to conform with the RFC
    - HTTP receive buffer size increased to 64Kb
    - Minor source code cleanup

  • v.1.0.2 - 06-Jan-2005
    - Fixed an issue with Domain encoding. (Thanks to Paul Tretter for his useful feedback)

  • v.1.0.1 - 04-Jan-2005
    - Added Domain (WorkGroup) support to the 'set-ntlm-proxy function.
    - Now supports trace/net logging.

  • v.1.0.0 - 03-Jan-2005
    - First public release.