The problem I had to solve was to access an intranet webserver (with my own content and a database behind it) without asking the user for an extra password.
That server (Apache) was integrated into our normal Windows authentication system, that is, Microsoft's Kerberos authentication [1], and I had to make use of that.
As it turned out, I could use Tcl in its finest tradition as a glue language and let Windows do all the authentication work. Enter WinHTTP [2].
WinHttp is a Microsoft-provided HTTP API for use from non-.NET applications and scripts. Its scripting interface is a COM component called WinHttpRequest, which can be driven from Tcl with tcom (included in the ActiveTcl distribution for Windows). A small Tcl script that fetches a page from an authenticated website thus looks like this:
#We need tcom for COM access and Tk for tk_messageBox
package require tcom
package require Tk
#set the test URL (placeholder)
set MyUrl "http://myintranetwebsite"
#Start up the component
set WinHttpComp [::tcom::ref createobject "WinHttp.WinHttpRequest.5.1"]
#Create the request; the last argument 0 means synchronous
$WinHttpComp Open "GET" $MyUrl 0
#By default WinHttp only sends your Windows credentials to hosts that bypass the
#proxy (policy 1, OnlyIfBypassProxy). If it doesn't consider this an intranet
#website, set the policy to 0 ("Always", the "low" security setting);
#2 would mean "Never". Must be called after Open and before Send.
$WinHttpComp SetAutoLogonPolicy 0
#Send the request, doing all the authentication (Negotiate/Kerberos) under the hood
$WinHttpComp Send
#Status, StatusText and ResponseText are properties; tcom reads them like this
tk_messageBox -type ok -title "Status" -message "[$WinHttpComp Status]\n[$WinHttpComp StatusText]"
tk_messageBox -type ok -title "Result" -message "[$WinHttpComp ResponseText]"
Assuming your company uses Kerberos (which it ought to), "low" security (AutoLogonPolicy 0, "Always") does not mean that
- you can access protected sites with the wrong credentials, or
- your password will be sent in the clear.
What happens is that a service ticket, encrypted with the target server's key, is sent to the server. A server that isn't registered with your KDC (something your IT department is supposed to guarantee for intranet hosts) can't decrypt it, so Microsoft's default policy is a somewhat paranoid precaution for the Kerberos case. The real risk of "Always" is the fallback: Negotiate authentication drops to NTLM when no Kerberos ticket can be obtained (for example a host without a registered HTTP SPN), and an NTLM challenge-response handed to an untrusted server can be relayed or attacked offline. So keep the default policy, or restrict "Always" to hosts you know.
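One way to keep the "Always" policy limited to known hosts, as an added example that is not from the original page: a small wrapper around WinHttpRequest that enables AutoLogonPolicy 0 only for an explicit allowlist of intranet servers and leaves the default policy 1 in force everywhere else, checks the HTTP status before handing back the body, and turns COM failures into ordinary Tcl errors. The host names and the URL in it are placeholders, and the allowlist is an assumption about which servers are registered with your KDC.

```tcl
# Added example, not the original page's code.
# Assumption: the hosts in TrustedHosts are intranet servers registered
# with our KDC; everything else gets WinHttp's default logon policy.
package require tcom

# Hosts we are willing to send Windows credentials to (placeholders).
set ::TrustedHosts {intranet.example.corp reports.example.corp}

proc intranet_get {url} {
    # Only http/https URLs with an explicit host are accepted.
    if {![regexp {^(https?)://([^/:?#]+)} $url -> scheme host]} {
        error "refusing to fetch non-http(s) URL: $url"
    }
    set req [::tcom::ref createobject "WinHttp.WinHttpRequest.5.1"]
    $req Open "GET" $url 0           ;# 0 = synchronous request

    # SetAutoLogonPolicy must be called after Open and before Send.
    if {[string tolower $host] in $::TrustedHosts} {
        $req SetAutoLogonPolicy 0    ;# Always: send Negotiate credentials
    } else {
        $req SetAutoLogonPolicy 1    ;# OnlyIfBypassProxy: WinHttp's default
    }

    # Name resolution and connection failures surface as Tcl errors from tcom.
    if {[catch {$req Send} err]} {
        error "request to $url failed: $err"
    }
    set status [$req Status]
    if {$status == 401} {
        error "server $host rejected our credentials ([$req StatusText])"
    }
    if {$status >= 400} {
        error "HTTP $status [$req StatusText] from $url"
    }
    return [$req ResponseText]
}

# Usage with a placeholder URL; an untrusted host never sees our ticket.
puts [intranet_get "https://intranet.example.corp/api/data"]
```

The allowlist is matched on the host part of the URL only, so a redirect from a trusted host to an untrusted one would still be followed with the policy chosen for the original host; if that matters in your environment, disable automatic redirects on the request or re-check the final URL.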
[1] The Kerberos website: http://web.mit.edu/kerberos/