Closed Bug 35159 Opened 25 years ago Closed 21 years ago

Proxy: MS Proxy 2.0 and ISA auth fails (NTLM support needed)

Categories

(Core :: Networking: HTTP, defect, P3)

x86
Windows 98
defect

Tracking

RESOLVED DUPLICATE of bug 23679
Future

People

(Reporter: floris, Assigned: darin.moz)

Details

(Keywords: qawanted)

Attachments

(5 files)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; N; Linux 2.2.14 i686; en-US) Mozilla/m14
BuildID:    any up to M14 / Netscape 6 PR1

Mozilla will not login to MS Proxy server 2.0. There is a password dialog
popping up, but filling in a correct username and password will only result in
Mozilla asking again and again. This problem is not limited only to Mozilla, but
also affects other products such as Netscape 4, Cute FTP and the distributed.net
clients. Turning on the SOCKS support in the distributed.net client doesn't
help; The only product capable of logging into this particular proxy server
product seems to be Internet Explorer, which seems to suggest that MS Proxy
server uses non-standard mechanisms for authentication. In any case, imho
Mozilla should at some point stop asking the same question over and over again
and respond with a bit more helpful information, such as why the login is failing.

Reproducible: Always
Steps to Reproduce:
1. fill in ip address of said proxy server in the preferences
2. attempt to connect to anything on the other side of the firewall.
3. fill in a correct username and password in the popup dialog


Actual Results:  Login fails and the popup re-appears, empty.

Expected Results:  Display the correct page.

Contact me at florisk@ccs.nl if access to the proxy server, reproduction of the
problem or more information on the proxy server's configuration is needed. (I'm
not behind said proxy server here..)
This sounds like a dupe of a now fixed bug.  Can you get a current copy of 
Mozilla and test?  For right now I am marking this as a dupe of 24329 that is 
now fixed.

Reopen if not a dupe and still broken on a 4/7/00 build

*** This bug has been marked as a duplicate of 24329 ***
Status: UNCONFIRMED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
VERIFY duplicate
Status: RESOLVED → VERIFIED
I retested it again with today's (10 April) daily build. (Looks much better, btw
- good job :) Same box, same settings, same problem. Tried to authenticate a
dozen times or so, but no go. Proxy settings are identical to the IE 5's on the
same box. (128.0.0.100 - local address). Port number 80 is the only open port on
the proxy box (verified with nmap) and sure enough trying other ports for the
proxy gives me "connection refused".
I really wouldn't know what else I could do, except try reopening this bug ;)
Which unfortunately seems to fail for some reason :( "Only the owner or
submitter of this bug may reopen" .. but I *am* the submitter, and properly
logged in .. argh.
Reopening due to comment of floris@tobefree.cistron.nl
Status: VERIFIED → UNCONFIRMED
Resolution: DUPLICATE → ---
NTLM auth cannot be used through MS-Proxy 2.0.  And Mozilla doesn't support NTLM.

This isn't a Mozilla issue.  So this issue should be closed as INVALID or WONTFIX.

Let me get this straight:
1) NT lanman authentication isn't supported by mozilla - but why do I get a
dialogue box saying "NTLM authentication: Enter Username: Password:" or
something like that then? 
2) NTLM can't be used to authenticate with MS proxy server 2.0 - Again, same
question: Why does the dialogue box seem to indicate it _can_ be used?

Aside from these issues, there is the very real issue of this bug (which,
undoubtedly is a bug *in the proxy server*) being perceived as a bug in Mozilla.
Now, there are obviously limits to what this project should support, but this
thing is a) stopping people from using mozilla, b) reflecting badly on mozilla's
reputation and c) stopping *me* from using mozilla and at the same time getting
rid of windows entirely for my personal desktop at work.

Now, as far as I'm concerned, this is another MS attempt at trying to control
what products people use - It's bothering me in a significant way, and I want it
stopped. Preferably in a way that leaves egg smeared all over MS's face, because
frankly, it's starting to **** me off.
floris@tobefree.cistron.nl, I don't think we should mark this bug invalid till 
gagan or tever can comment on it.  

So there is still hope for you :)

Although depending on how far along this is it may not make first release.
Please look at bug 36215 - a duplicate of this one it seems. There is a useful
reference to the MS Knowledgebase there, with a known workaround.
After jumping around with this bug I think it is a dupe of bug 23679
This bug currently is marked helpwanted.

So please help!

There are URL references and help in that bug also


*** This bug has been marked as a duplicate of 23679 ***
Status: UNCONFIRMED → RESOLVED
Closed: 25 years ago → 24 years ago
Resolution: --- → DUPLICATE
Verified duplicate.
Status: RESOLVED → VERIFIED
->http
For the record, Mozilla handled multiple auth lines incorrectly, which was fixed
in bug 44041. We still need support for the MS auth type, but at least we do not
misbehave from the confusion.
Component: Networking → Networking: HTTP
NTLM auth for Proxy is going to need to be hooked in and tested separately so I
am reopening this, and linking the NTLM proxyauth bugs to it, marking this
depends on the NTLM for http bug.
Status: VERIFIED → UNCONFIRMED
Depends on: 23679
Keywords: mostfreq
QA Contact: tever → benc
Resolution: DUPLICATE → ---
Summary: proxy authentication fails with NTLM / MS Proxy server 2.0 → Proxy: MS Proxy 2.0 and ISA auth fails (NTLM support needed)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: mozilla1.0
*** Bug 60784 has been marked as a duplicate of this bug. ***
Target Milestone: --- → mozilla1.0
*** Bug 84446 has been marked as a duplicate of this bug. ***
*** Bug 95574 has been marked as a duplicate of this bug. ***
+ qawanted - does anyone have a publicly available MS Proxy 2.0 they could
create an NTLM test account for? It doesn't need to go anywhere, just go to some
dummy page so someone knows the auth attempt worked or failed.
Keywords: qawanted
*** Bug 113164 has been marked as a duplicate of this bug. ***
I'm getting this bug (see also Bug 113164) without the request for a user/pass
and without any meaningful error message (instead it says
<html><body></body></html>).

I have an MS Proxy 2 server and am willing/able to help, but I really don't
understand what is meant by:
helpwanted: create an NTLM test account. It doesn't need to go anywhere, just go
to some dummy page so someone knows the auth attempt worked or failed.

Can someone explain the steps or point me at the right part of the manual (oh I
remember - there is no manual!)?
Hi,
Have a look at this 
http://www.geocities.com/rozmanov/ntlm/
I think that could help.

*** Bug 117497 has been marked as a duplicate of this bug. ***
I'm sorry to ask a stupid question, but why is this bug so slow to be corrected?
I'm not a dev, so I can't quantify the amount of work for this bug. 
But in some days, I'll have to install some linux box (not sure about the number)
on the school network but the proxy is ms proxy 2.0 so I have to wait till this
bug is corrected.

Is it possible to have it corrected faster please?
The only method I have found (so far) for gaining NTLM authentication is using 
microsoft "security.dll" (win95/98) or "secur32.dll" (nt/w2k).  This DLL has 
the functions:
* FreeCredentialsHandle
* AcquireCredentialsHandle
* QuerySecurityPackageInfo
* FreeContextBuffer
* InitializeSecurityContext
* CompleteAuthToken
* EnumerateSecurityPackages

I have successfully written a test program that uses this to perform NTLM proxy 
authentication with MS Proxy 2.0, however since it uses the MS DLL it will only 
work on MS Windows...

Still this is better than nothing, and (hopefully) in the next few weeks I 
will "get around" to creating a sample patch for Mozilla.

Does anyone know if Linux implements these functions ?
Well I've found a lot of articles on the web that say NTLM Authentication can 
only be done on Windows - however I have found a Perl module that supposedly 
runs on Linux that can perform NTLM Authentication.

http://search.cpan.org/search?dist=NTLM
http://search.cpan.org/doc/MARKBUSH/NTLM-1.02/README

Therefore it is at least possible that Linux can do NTLM.   This module 
requires MIME::Base64
http://search.cpan.org/search?mode=module&query=MIME%3A%3ABase64

The notes in the NTLM module indicate that it was ported from fetchmail, which 
in turn ported the code from Samba.  So if anyone can find the original code in 
Samba it would probably be easier to port directly from there into Mozilla 
rather than trying to turn Perl into C++...
Paul's comment #19 is right.

'NTLM Authorization Proxy Server' from Dmitry A. Rozmanov is a Python based
proxy that runs on anything.  I use it to chain to our MS Proxy 2 which is
configured for NTLM authentication from Linux, Solaris & Windows systems.

Version 017 seems to run perfectly.
(please move the NTLM-general comments to bug 23679, this bug is really only
about proxy-auth NTLM style....
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+,
topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword.  Please send any
questions or feedback about this to adt@netscape.com.  You can search for
"Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
*** Bug 140376 has been marked as a duplicate of this bug. ***
*** Bug 142760 has been marked as a duplicate of this bug. ***
*** Bug 147520 has been marked as a duplicate of this bug. ***
*** Bug 151495 has been marked as a duplicate of this bug. ***
*** Bug 151650 has been marked as a duplicate of this bug. ***
Attached image: Outgoing Web Requests tab
Attached image: Edit listener settings
Attached image: Proxy settings in Mozilla
Attached image: Proxy authentication dialog
Attached file: Workaround of this bug
Just follow these instructions and enjoy Mozilla through MS proxies :)
Thanks manko@zhurnal.ru for the detailed instructions on how to get Mozilla 1.0 
to work with Microsoft ISA.

This solution is NOT available for MS Proxy 2.0.

I think the essence of the workaround is to disable NT Lanman authentication at 
the proxy server?

In that case the bug is not solved - Mozilla still does not support NT Lanman 
authentication - and should.

Also as is mentioned in Bug 23679 - many organisations do not want to use clear 
text...
*** Bug 153706 has been marked as a duplicate of this bug. ***
What is the current status ? I see a qawanted in the status field, does this 
mean there is a build that should work ?

Still not assigned, no progress since  Benjamin Chuang asked for QA 
back on 22 Aug 2001.  Back then I HAD an MS Proxy server that could 
have been used for testing, but after repeated posts offering help I gave 
up.

Mozilla will not be able to enter "corporate" networks until this bug is fixed 
- almost all that I know of use NTLM authentication for the proxy...

More effective work may be happening in Bug 23679.
Actually, I think I'm making progress on getting a test config, unfortunately,
only internally, but I will remove "qawanted" when I get this working.
The Workaround=removing security
If I do the workaround, I will lose my company's security and my 
administrator will not do it. Does that mean I will not be able to use Mozilla?
If you want use secure communication between your workstation and proxy, you
have 3 choices:

1. IMHO, most skilled alternative.
- Install Certificate service on your NT domain/AD controller (or, if you use
workgroup instead of domain/AD, install it directly on proxy).
- Generate and distribute user certificates for each NT login.
- Check "Enable SSL listeners" checkbox on Outgoing Web Requests tab and check
"Client certificate" checkbox on "Edit listener settings" window.
- Export user certificate in PKCS12 format and import it in Mozilla.
- Set port 8443 (or another appropriate, see field "SSL port" on Outgoing Web
Requests tab at ISA settings) in Mozilla proxy settings.
- Set "Ask Every Time" option in Mozilla Preferences/
Privacy & Security/Certificates - this is privacy issue.

2. You may use Kerberos encryption between Win 2000 proxy and workstation. I'm
not expert in Kerberos for Mac OS X or Linux, but, I hope, Kerberos realizations
on different platforms aren't incompatible.

3. You can use VPN channel between workstation and proxy.

I'm using it on Mac G4 OS 9.2.1. will it work for it?
Certificate mechanism is platform independent, you can use it anyway. Kerberos
and VPN support, AFAIK, isn't embedded in MacOS 9.x core, maybe, third-party
utilities exist for this subject.
Couldn't someone create a Win32 "daemon" that would sit in the proxy machine, 
accepting proxy requests in non-MS format and routing them to the local 
ISASERVER? A proxy's proxy?

If the authentication still goes encrypted, an admin might not object too much 
to installing such software in the proxy server. It wouldn't completely solve 
the problem but would reduce a "can't work" to an evangelism problem until the 
new protocol is implemented into Mozilla.

I have some Win32 programming experience, so maybe I could help a little. But 
my time is scarce. :(
+nsbeta: One of the NTLM bugs mentions the existence of a NTLM proxy-gateway.
Otherwise, there are no end-user solutions. That is why this needs to be fixed.
Keywords: nsbeta1
Depends on: 159015
*** Bug 165402 has been marked as a duplicate of this bug. ***
Blocks: 164421
I use Dmitry's A. Rozmanov <dima@xenon.spb.ru> NTLM authorization Proxy Server
v0.9.7.
This is a man-in-the-middle between my computer and the ISA Server, and works fine.
Since it is written in Python, and Python is very similar to C, maybe someone
could use that source code to fix this bug in Mozilla.
=:)
Cesar.
*** Bug 168977 has been marked as a duplicate of this bug. ***
*** Bug 172225 has been marked as a duplicate of this bug. ***
Blocks: 172225
No longer blocks: 172225
*** Bug 172225 has been marked as a duplicate of this bug. ***
*** Bug 187645 has been marked as a duplicate of this bug. ***
*** Bug 188158 has been marked as a duplicate of this bug. ***
*** Bug 193273 has been marked as a duplicate of this bug. ***
Hello everybody.

My situation is a bit different. I am not asked my login by Mozilla at all (and
since my work uses XP, I  can't logon as nobody (where I am likely to be asked
for it)). 

I have no control over network settings. My workplace is hugely M$ oriented, so
I dare not ask (the only thing I am probably going to ask is for them to stop
using Ethernet hubs and use more switches!).

Most workplaces using MS Proxy 2.0 would have a firewall that would ask for a 
NTLM login "on the way out". Mine doesn't for some odd reason.

Is there a temporary workaround? All that I could access in Mozilla is the
intranet sites behind the firewall. I wonder if I could install a local proxy
which can authenticate itself with a MS one.

I managed to rip this off http://squid.sourceforge.net/ntlm/

1a. Client sends unauthenticated request to the proxy / server.

1b. Proxy / server responds with "Authentication required" of type NTLM.

2a. The client responds with a request for NTLM negotiation

2b. The server responds with a NTLM challenge

3a. The client responds with a NTLM response

3b. if successful the connection is authenticated for this request and onwards.
No further authentication exchanges takes place on THIS TCP connection. 

From step 2 and onwards the connection MUST be persistent, or the whole thing
has to start over from the beginning. The response in step 1 does not need to
keep the connection persistent. However, as it still must eat any request body
it might just as well keep the connection persistent all the way, unless there
is a compatibility problem with other browsers preventing this.
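
The six-step exchange quoted above, as an added example (not code from this bug, Mozilla or Squid): a Python sketch that classifies the `Proxy-Authenticate` / `Proxy-Authorization` values seen in a capture and checks that steps 2a through 3a stay on one TCP connection. The connection ids, `sample_token` helper and sample tokens are constructed for illustration; only the `NTLMSSP` signature and the little-endian message-type field are parsed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"             # every NTLM message starts with this
STEP = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify(header_value):
    """Map a Proxy-Authenticate / Proxy-Authorization value to a handshake step."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return "other"
    if not blob.strip():
        return "offer"                 # step 1b: bare "NTLM", no token yet
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "malformed"
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        return "malformed"
    (msg_type,) = struct.unpack_from("<I", raw, 8)   # type field at offset 8
    return STEP.get(msg_type, "malformed")

def check_handshake(events):
    """events: (tcp_connection_id, header_value) pairs in capture order.
    Returns 'handshake complete' or the reason the exchange cannot succeed."""
    expected = ["offer", "negotiate", "challenge", "authenticate"]
    pinned = None                      # connection that carries steps 2a..3a
    for (conn, value), want in zip(events, expected):
        got = classify(value)
        if got != want:
            return f"expected {want}, saw {got}"
        if want == "negotiate":
            pinned = conn              # step 2a pins the connection
        elif pinned is not None and conn != pinned:
            return f"{want} arrived on a different connection"
    return "handshake complete" if len(events) >= 4 else "incomplete"

def sample_token(msg_type, body=b""):
    """Constructed sample token: signature + type + filler body."""
    raw = SIGNATURE + struct.pack("<I", msg_type) + body
    return "NTLM " + base64.b64encode(raw).decode()

# Constructed captures: (connection id, header value)
SAME_CONN = [(1, "NTLM"), (2, sample_token(1, b"\0" * 4)),
             (2, sample_token(2, b"\0" * 20)), (2, sample_token(3))]
SPLIT_CONN = SAME_CONN[:3] + [(3, sample_token(3))]   # 3a on a new connection

if __name__ == "__main__":
    print(check_handshake(SAME_CONN))
    print(check_handshake(SPLIT_CONN))
```

A client or intermediary that closes the connection after the challenge produces the second result, which matches the repeated password prompt described in this bug.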
*** Bug 196181 has been marked as a duplicate of this bug. ***
Correction to last comment:
Work uses ISA Server

Additions:
The following bess proxies use ISA server and I am unable to use them in Mozilla
bess-proxy.wv-cis.net:8902
bess-proxy01.davidson.k12.nc.us:80 (drops packet completely, exhibited ISA error
before)
Several others drop the packet completely.
The list I used is at:
http://tools.rosinstrument.com/cgi-bin/sps.pl?pattern=bess&max=50&nskip=0&file=proxlog.csv
*** Bug 199254 has been marked as a duplicate of this bug. ***
*** Bug 200609 has been marked as a duplicate of this bug. ***
with bug 159015 fixed, is there a chance this might be fixed soon?
Now that NTLM is supported, perhaps we can backport to the 1.0 branch and add it
as an option to UNIX builds (probably by 'stealing' something from Samba)
The NTLM support is Windows-only, and cannot be ported b/c it uses OS function
calls.
*** Bug 203057 has been marked as a duplicate of this bug. ***
adt: nsbeta1-
Keywords: nsbeta1 → nsbeta1-
"The NTLM support is Windows-only, and cannot be ported b/c it uses OS 
function calls."

Why then, does IE 5 on Mac work behind ISA and uses NTLM to access 
sites? I'm using it now, typing this out, behind ISA.
-> defaults, gagan shouldn't own this.

Mike: you are asking the wrong people.

There could be NTLM auth in MacOS, which nobody has mentioned (there is some SMB
support). Or it could be implemented in the application.
Assignee: gagan → darin
QA Contact: benc → httpqa
Definitely a duplicate of bug 23679 (we don't need two bugs about NTLM... proxy
vs. origin server is not a good reason IMO).  MacIE probably has its own code
for NTLM.  we are eventually going to either roll our own for non-windows or
possibly make use of other platform specific libs.

*** This bug has been marked as a duplicate of 23679 ***
Status: NEW → RESOLVED
Closed: 24 years ago → 21 years ago
Resolution: --- → DUPLICATE
Target Milestone: mozilla1.2alpha → Future
No longer blocks: 164421
Blocks: 158464