Closed Bug 35159 Opened 25 years ago Closed 22 years ago

Proxy: MS Proxy 2.0 and ISA auth fails (NTLM support needed)

Categories

(Core :: Networking: HTTP, defect, P3)

x86
Windows 98
defect

Tracking

RESOLVED DUPLICATE of bug 23679
Future

People

(Reporter: floris, Assigned: darin.moz)

References

Details

(Keywords: qawanted)

Attachments

(5 files)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; N; Linux 2.2.14 i686; en-US) Mozilla/m14
BuildID: any up to M14 / Netscape 6 PR1
Mozilla will not log in to MS Proxy server 2.0. There is a password dialog popping up, but filling in a correct username and password will only result in Mozilla asking again and again. This problem is not limited only to Mozilla, but also affects other products such as Netscape 4, Cute FTP and the distributed.net clients. Turning on the SOCKS support in the distributed.net client doesn't help; the only product capable of logging into this particular proxy server product seems to be Internet Explorer, which seems to suggest that MS Proxy server uses non-standard mechanisms for authentication. In any case, imho Mozilla should at some point stop asking the same question over and over again and respond with a bit more helpful information, such as why the login is failing.
Reproducible: Always
Steps to Reproduce:
1. Fill in the IP address of said proxy server in the preferences.
2. Attempt to connect to anything on the other side of the firewall.
3. Fill in a correct username and password in the popup dialog.
Actual Results: Login fails and the popup re-appears, empty.
Expected Results: Display the correct page.
Contact me at florisk@ccs.nl if access to the proxy server, reproduction of the problem or more information on the proxy server's configuration is needed. (I'm not behind said proxy server here..)
This sounds like a dupe of a now fixed bug. Can you get a current copy of Mozilla and test? For right now I am marking this as a dupe of 24329 that is now fixed. Reopen if not a dupe and still broken on a 4/7/00 build. *** This bug has been marked as a duplicate of 24329 ***
Status: UNCONFIRMED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
VERIFY duplicate
Status: RESOLVED → VERIFIED
I retested it again with today's (10 April) daily build. (Looks much better, btw - good job :) Same box, same settings, same problem. Tried to authenticate a dozen times or so, but no go. Proxy settings are identical to the IE 5's on the same box. (128.0.0.100 - local address). Port number 80 is the only open port on the proxy box (verified with nmap) and sure enough trying other ports for the proxy gives me "connection refused". I really wouldn't know what else I could do, except try reopening this bug ;) Which unfortunately seems to fail for some reason :( "Only the owner or submitter of this bug may reopen" .. but I *am* the submitter, and properly logged in .. argh.
Reopening due to comment of floris@tobefree.cistron.nl
Status: VERIFIED → UNCONFIRMED
Resolution: DUPLICATE → ---
NTLM auth cannot be used through MS-Proxy 2.0. And Mozilla doesn't support NTLM. This isn't a Mozilla issue. So this issue should be closed as INVALID or WONTFIX.
Let me get this straight: 1) NT lanman authentication isn't supported by mozilla - but why do I get a dialogue box saying "NTLM authentication: Enter Username: Password:" or something like that then? 2) NTLM can't be used to authenticate with MS proxy server 2.0 - Again, same question: Why does the dialogue box seem to indicate it _can_ be used? Aside from these issues, there is the very real issue of this bug (which, undoubtedly is a bug *in the proxy server*) being perceived as a bug in Mozilla. Now, there are obviously limits to what this project should support, but this thing is a) stopping people from using mozilla, b) reflecting badly on mozilla's reputation and c) stopping *me* from using mozilla and at the same time getting rid of windows entirely for my personal desktop at work. Now, as far as I'm concerned, this is another MS attempt at trying to control what products people use - It's bothering me in a significant way, and I want it stopped. Preferably in a way that leaves egg smeared all over MS's face, because frankly, it's starting to **** me off.
floris@tobefree.cistron.nl, I don't think we should mark this bug invalid till gagan or tever can comment on it. So there is still hope for you :) Although depending on how far along this is it may not make first release.
Please look at bug 36215 - a duplicate of this one it seems. There is a useful reference to the MS Knowledgebase there, with a known workaround.
After jumping around with this bug I think it is a dupe of bug 23679. This bug currently is marked helpwanted. So please help! There are URL references and help in that bug also. *** This bug has been marked as a duplicate of 23679 ***
Status: UNCONFIRMED → RESOLVED
Closed: 25 years ago → 25 years ago
Resolution: --- → DUPLICATE
Verified duplicate.
Status: RESOLVED → VERIFIED
->http For the record, Mozilla handled multiple auth lines incorrectly, which was fixed in bug 44041. We still need support for the MS auth type, but at least we do not misbehave from the confusion.
Component: Networking → Networking: HTTP
NTLM auth for Proxy is going to need to be hooked in and tested separately so I am reopening this, and linking the NTLM proxyauth bugs to it, marking this depends on the NTLM for http bug.
Status: VERIFIED → UNCONFIRMED
Depends on: 23679
Keywords: mostfreq
QA Contact: tever → benc
Resolution: DUPLICATE → ---
Summary: proxy authentication fails with NTLM / MS Proxy server 2.0 → Proxy: MS Proxy 2.0 and ISA auth fails (NTLM support needed)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: mozilla1.0
*** Bug 60784 has been marked as a duplicate of this bug. ***
Target Milestone: --- → mozilla1.0
*** Bug 84446 has been marked as a duplicate of this bug. ***
*** Bug 95574 has been marked as a duplicate of this bug. ***
+ qawanted - does anyone have a publicly available MS Proxy 2.0 they could create an NTLM test account for? It doesn't need to go anywhere, just go to some dummy page so someone knows the auth attempt worked or failed.
Keywords: qawanted
*** Bug 113164 has been marked as a duplicate of this bug. ***
I'm getting this bug (see also Bug 113164) without the request for a user/pass and without any meaningful error message (instead it says <html><body></body></html>). I have an MS Proxy 2 server and am willing/able to help, but I really don't understand what is meant by: helpwanted: create an NTLM test account. It doesn't need to go anywhere, just go to some dummy page so someone knows the auth attempt worked or failed. Can someone explain the steps or point me at the right part of the manual (oh I remember - there is no manual!)?
Hi, have a look at this: http://www.geocities.com/rozmanov/ntlm/ I think that could help.
*** Bug 117497 has been marked as a duplicate of this bug. ***
I'm sorry to ask a stupid question, but why is this bug so slow to be corrected? I'm not a dev, so I can't quantify the amount of work for this bug. But in some days, I'll have to install some Linux boxes (not sure about the number) on the school network but the proxy is MS Proxy 2.0 so I have to wait till this bug is corrected. Is it possible to have it corrected faster please?
The only method I have found (so far) for gaining NTLM authentication is using Microsoft "security.dll" (win95/98) or "secur32.dll" (nt/w2k). This DLL has the functions:
* FreeCredentialsHandle
* AcquireCredentialsHandle
* QuerySecurityPackageInfo
* FreeContextBuffer
* InitializeSecurityContext
* CompleteAuthToken
* EnumerateSecurityPackages
I have successfully written a test program that uses this to perform NTLM proxy authentication with MS Proxy 2.0, however since it uses the MS DLL it will only work on MS Windows... Still this is better than nothing, and (hopefully) in the next few weeks I will "get around" to creating a sample patch for Mozilla. Does anyone know if Linux implements these functions?
Well I've found a lot of articles on the web that say NTLM Authentication can only be done on Windows - however I have found a Perl module that supposedly runs on Linux that can perform NTLM Authentication.
http://search.cpan.org/search?dist=NTLM
http://search.cpan.org/doc/MARKBUSH/NTLM-1.02/README
Therefore it is at least possible that Linux can do NTLM. This module requires MIME::Base64:
http://search.cpan.org/search?mode=module&query=MIME%3A%3ABase64
The notes in the NTLM module indicate that it was ported from fetchmail, which in turn ported the code from Samba. So if anyone can find the original code in Samba it would probably be easier to port directly from there into Mozilla rather than trying to turn Perl into C++...
Paul's comment #19 is right. 'NTLM Authorization Proxy Server' from Dmitry A. Rozmanov is a Python based proxy that runs on anything. I use it to chain to our MS Proxy 2 which is configured for NTLM authentication from Linux, Solaris & Windows systems. Version 017 seems to run perfectly.
(please move the NTLM-general comments to bug 23679, this bug is really only about proxy-auth NTLM style....
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+, topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword. Please send any questions or feedback about this to adt@netscape.com. You can search for "Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
*** Bug 140376 has been marked as a duplicate of this bug. ***
*** Bug 142760 has been marked as a duplicate of this bug. ***
*** Bug 147520 has been marked as a duplicate of this bug. ***
*** Bug 151495 has been marked as a duplicate of this bug. ***
*** Bug 151650 has been marked as a duplicate of this bug. ***
Attached image: Outgoing Web Requests tab
Attached image: Edit listener settings
Attached image: Proxy settings in Mozilla
Attached image: Proxy authentication dialog
Attached file: Workaround of this bug
Just follow these instructions and enjoy Mozilla through MS proxies :)
Thanks manko@zhurnal.ru for the detailed instructions on how to get Mozilla 1.0 to work with Microsoft ISA. This solution is NOT available for MS Proxy 2.0. I think the essence of the workaround is to disable NT Lanman authentication at the proxy server? In that case the bug is not solved - Mozilla still does not support NT Lanman authentication - and should. Also as is mentioned in Bug 23679 - many organisations do not want to use clear text...
*** Bug 153706 has been marked as a duplicate of this bug. ***
What is the current status? I see a qawanted in the status field, does this mean there is a build that should work?
Still not assigned, no progress since Benjamin Chuang asked for QA back on 22 Aug 2001. Back then I HAD an MS Proxy server that could have been used for testing, but after repeated posts offering help I gave up. Mozilla will not be able to enter "corporate" networks until this bug is fixed - almost all that I know of use NTLM authentication for the proxy... More effective work may be happening in Bug 23679.
Actually, I think I'm making progress on getting a test config, unfortunately, only internally, but I will remove "qawanted" when I get this working.
The workaround = removing security.
If I do the workaround, I will lose my company's security and my administrator will not do it. Does that mean I will not be able to use Mozilla?
If you want to use secure communication between your workstation and proxy, you have 3 choices:
1. IMHO, most skilled alternative.
   - Install Certificate service on your NT domain/AD controller (or, if you use workgroup instead of domain/AD, install it directly on proxy).
   - Generate and distribute user certificates for each NT login.
   - Check "Enable SSL listeners" checkbox on Outgoing Web Requests tab and check "Client certificate" checkbox on "Edit listener settings" window.
   - Export user certificate in PKCS12 format and import it in Mozilla.
   - Set port 8443 (or another appropriate, see field "SSL port" on Outgoing Web Requests tab at ISA settings) in Mozilla proxy settings.
   - Set "Ask Every Time" option in Mozilla Preferences / Privacy & Security / Certificates - this is a privacy issue.
2. You may use Kerberos encryption between Win 2000 proxy and workstation. I'm not an expert in Kerberos for Mac OS X or Linux, but, I hope, Kerberos realizations on different platforms aren't incompatible.
3. You can use a VPN channel between workstation and proxy.
I'm using it on Mac G4 OS 9.2.1. will it work for it?
Certificate mechanism is platform independent, you can use it anyway. Kerberos and VPN support, AFAIK, isn't embedded in MacOS 9.x core, maybe, third-party utilities exist for this subject.
Couldn't someone create a Win32 "daemon" that would sit in the proxy machine, accepting proxy requests in non-MS format and routing them to the local ISASERVER? A proxy's proxy? If the authentication still goes encrypted, an admin might not object too much to installing such software in the proxy server. It wouldn't completely solve the problem but would reduce a "can't work" to an evangelism problem until the new protocol is implemented into Mozilla. I have some Win32 programming experience, so maybe I could help a little. But my time is scarce. :(
+nsbeta: One of the NTLM bugs mentions the existence of a NTLM proxy-gateway. Otherwise, there are no end-user solutions. That is why this needs to be fixed.
Keywords: nsbeta1
Depends on: 159015
*** Bug 165402 has been marked as a duplicate of this bug. ***
Blocks: 164421
I use Dmitry A. Rozmanov's <dima@xenon.spb.ru> NTLM authorization Proxy Server v0.9.7. This is a man-in-the-middle between my computer and the ISA Server, and works fine. Since it is written in Python, and Python is very similar to C, maybe someone could use that source code to fix this bug in Mozilla. =:) Cesar.
*** Bug 168977 has been marked as a duplicate of this bug. ***
*** Bug 172225 has been marked as a duplicate of this bug. ***
Blocks: 172225
No longer blocks: 172225
*** Bug 172225 has been marked as a duplicate of this bug. ***
*** Bug 187645 has been marked as a duplicate of this bug. ***
*** Bug 188158 has been marked as a duplicate of this bug. ***
*** Bug 193273 has been marked as a duplicate of this bug. ***
Hello everybody. My situation is a bit different. I am not asked for my login by Mozilla at all (and since my work uses XP, I can't log on as nobody (where I am likely to be asked for it)). I have no control over network settings. My workplace is hugely M$ oriented, so I dare not ask (the only thing I am probably going to ask is for them to stop using Ethernet hubs and use more switches!). Most workplaces using MS Proxy 2.0 would have a firewall that would ask for an NTLM login "on the way out". Mine doesn't for some odd reason. Is there a temporary workaround? All that I could access in Mozilla is the intranet sites behind the firewall. I wonder if I could install a local proxy which can authenticate itself with an MS one. I managed to rip this off http://squid.sourceforge.net/ntlm/ :
1a. Client sends unauthenticated request to the proxy / server.
1b. Proxy / server responds with "Authentication required" of type NTLM.
2a. The client responds with a request for NTLM negotiation.
2b. The server responds with an NTLM challenge.
3a. The client responds with an NTLM response.
3b. If successful the connection is authenticated for this request and onwards. No further authentication exchanges take place on THIS TCP connection.
From step 2 and onwards the connection MUST be persistent, or the whole thing has to start over from the beginning. The response in step 1 does not need to keep the connection persistent. However, as it still must eat any request body it might just as well keep the connection persistent all the way, unless there is a compatibility problem with other browsers preventing this.
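The six-step exchange quoted in the comment above, modeled as an added example (not part of the original thread, and not Squid's or Mozilla's code) to show why the authentication state belongs to one TCP connection. Assumptions: `ProxyConnection` and `client_handshake` are hypothetical names, token payloads are reduced to the bare challenge or response rather than the full NTLM message layout, and HMAC-SHA256 stands in for the real NTLM response computation.

```python
import base64, hashlib, hmac, os, struct
SIG = b"NTLMSSP\x00"  # real NTLM tokens start with this 8-byte signature

def ntlm_msg(msg_type, payload=b""):
    """Signature + little-endian type, base64-encoded. Payload layout is simplified."""
    return base64.b64encode(SIG + struct.pack("<I", msg_type) + payload).decode()

def parse(header):
    """Return (type, payload) for an 'NTLM <base64>' header value, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(SIG):
        return None
    return struct.unpack("<I", raw[8:12])[0], raw[12:]

def stand_in_response(secret, challenge):
    # Assumption: HMAC-SHA256 stands in for the real NTLM response computation.
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class ProxyConnection:
    """Proxy-side state for ONE TCP connection (hypothetical model).
    request() returns (status, Proxy-Authenticate value or None)."""
    def __init__(self, secret):
        self.secret, self.challenge, self.authed = secret, None, False

    def request(self, proxy_authorization=None):
        if self.authed:                    # 3b: no further exchange on this connection
            return 200, None
        msg = parse(proxy_authorization)
        if msg is None:                    # 1b: ask for NTLM
            return 407, "NTLM"
        mtype, payload = msg
        if mtype == 1:                     # 2b: challenge bound to this connection
            self.challenge = os.urandom(8)
            return 407, "NTLM " + ntlm_msg(2, self.challenge)
        if mtype == 3 and self.challenge is not None:
            expected = stand_in_response(self.secret, self.challenge)
            self.challenge = None          # a challenge is good for one attempt
            if hmac.compare_digest(payload, expected):
                self.authed = True
                return 200, None
        return 407, "NTLM"                 # no pending challenge or bad response: start over

def client_handshake(conn, secret):
    """Run steps 1a-3b on one connection; return (status codes seen, Type 3 header)."""
    seen = [conn.request()[0]]                              # 1a
    status, hdr = conn.request("NTLM " + ntlm_msg(1))       # 2a
    type3 = "NTLM " + ntlm_msg(3, stand_in_response(secret, parse(hdr)[1]))
    seen += [status, conn.request(type3)[0]]                # 3a
    return seen, type3
```

A Type 3 header captured from one connection gets a fresh 407 on any other connection, because that connection never issued the challenge it answers; a client that opens a new connection per request can therefore never finish the handshake.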
*** Bug 196181 has been marked as a duplicate of this bug. ***
Correction to last comment: Work uses ISA Server.
Additions: The following bess proxies use ISA server and I am unable to use them in Mozilla:
bess-proxy.wv-cis.net:8902
bess-proxy01.davidson.k12.nc.us:80 (drops packet completely, exhibited ISA error before)
Several others drop the packet completely. The list I used is at: http://tools.rosinstrument.com/cgi-bin/sps.pl?pattern=bess&max=50&nskip=0&file=proxlog.csv
*** Bug 199254 has been marked as a duplicate of this bug. ***
*** Bug 200609 has been marked as a duplicate of this bug. ***
with bug 159015 fixed, is there a chance this might be fixed soon?
Now that NTLM is supported, perhaps we can backport to the 1.0 branch and add it as an option to UNIX builds (probably by 'stealing' something from Samba)
The NTLM support is Windows-only, and cannot be ported b/c it uses OS function calls.
*** Bug 203057 has been marked as a duplicate of this bug. ***
adt: nsbeta1-
Keywords: nsbeta1 → nsbeta1-
"The NTLM support is Windows-only, and cannot be ported b/c it uses OS function calls." Why then, does IE 5 on Mac work behind ISA and uses NTLM to access sites? I'm using it now, typing this out, behind ISA.
-> defaults, gagan shouldn't own this. Mike: you are asking the wrong people. There could be NTLM auth in MacOS, which nobody has mentioned (there is some SMB support). Or it could be implemented in the application.
Assignee: gagan → darin
QA Contact: benc → httpqa
Definitely a duplicate of bug 23679 (we don't need two bugs about NTLM... proxy vs. origin server is not a good reason IMO). MacIE probably has its own code for NTLM. We are eventually going to either roll our own for non-Windows or possibly make use of other platform-specific libs. *** This bug has been marked as a duplicate of 23679 ***
Status: NEW → RESOLVED
Closed: 25 years ago → 22 years ago
Resolution: --- → DUPLICATE
Target Milestone: mozilla1.2alpha → Future
No longer blocks: 164421
Blocks: 158464