Closed Bug 256949 Opened 20 years ago Closed 20 years ago

browser not using the right credentials for proxy authentication (NTLM)

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta1

People

(Reporter: yavorvm, Assigned: darin.moz)

References

Details

(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: [eta 10/15] [have patch]need review bz cneberg)

Attachments

(4 files, 1 obsolete file)

firefox 1.0PR log
41.42 KB, text/zip
Details
patch to disable pref by default
1.78 KB, patch
Details | Diff | Splinter Review
v1 patch
15.79 KB, patch
cneberg
: review+
bzbarsky
: superreview+
asa
: approval-aviary+
asa
: approval1.7.5+
Details | Diff | Splinter Review
v1.1 patch
16.25 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040825
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a3) Gecko/20040825

i am using an HTTP proxy, and i have saved my password for it.
After i installed the lates build from 25th Aug browser asks me not only on the
startup page but on every link followed and sometimes several times per page.
I don't enter anything just press enter and page continues to load or the link
is followed. But it is annoying

Reproducible: Always
Steps to Reproduce:
1.Set an HTTP proxy with no anonymous access
2. try to load a page
3. password manager window appear several times



Expected Results:  
once the password is provided there shouldn't be any more prompts
i see where the problem is
i am using proxy that i have different username  for, not the login name i use
in windows. However when i view the proxylog it has registered connection
attepmts with my windows logon name. Meaning the browser is not forwarding the
credentials right and proxy asks for authentication. That's why the prompt
occurs every time.

here is it as an example
windows login username: wintest
proxy login name proxytest (stored in password manager)
log says attempt from wintest 
connection shoudl be all made from proxytest user

it still exists in 26 build
i can not surf at all
request to the proxy are being made with my win logon name, not the one saved in
password manager for the proxy


earlier versions don't have this one
Severity: major → critical
Summary: multiple proxy promts for authentication on every link followed → browser not using the right credentials for proxy authentication
Perhaps this was caused by the patch for bug 231529.  Can you please try setting
the preference network.automatic-ntlm-auth.allow-proxies to false?  You can use
about:config to change the value of this preference.

I would also greatly appreciate it if you could attach a Mozilla HTTP log file
generated using the steps given here:

  http://www.mozilla.org/projects/netlib/http/http-debugging.html

Thanks!
thanks mister fisher

now it works fine. The proxy we are using is MS ISA array
now it won't ask.Just when the first window is started

So the automatic proxy authentication option is the one that makes my browser
authenticate with my windows logon name, not the one for my ISA server
Is this correct?

Do you still need the log file?
and do i have to do this on every new build?Is there going to be any fix for this? 



(In reply to comment #3)
> Perhaps this was caused by the patch for bug 231529.  Can you please try setting
> the preference network.automatic-ntlm-auth.allow-proxies to false?  You can use
> about:config to change the value of this preference.
> 
> I would also greatly appreciate it if you could attach a Mozilla HTTP log file
> generated using the steps given here:
> 
>   http://www.mozilla.org/projects/netlib/http/http-debugging.html
> 
> Thanks!
Attached file firefox 1.0PR log 
Here I attach the log file generated by firefox 1.0PR.I was requested for the
username and the password once while contacting http://www.google.it, once
while contacting http://forums.mozillazine.org, and a theird time with
http://texturizer.net/firefox/index.html.

Thanks for your help :)
yavorvm: no further information is needed.  i think i understand the full
problem now.

we need to fix this for firefox 1.0
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: blocking-aviary1.0?
Target Milestone: --- → mozilla1.8beta
*** Bug 259274 has been marked as a duplicate of this bug. ***
*** Bug 259826 has been marked as a duplicate of this bug. ***
Allen,

In bug 231529, you said:

> [snip]
> I can just turn the allow proxy setting off. But in this case it is not 
> possible to have completely silent NLTM. 
>
> IE doesn't have that problem though. I wonder how it does it.

I too am very interested in finding out how IE avoids asking you for your login
credentials in this case.  Would it be possible for you to capture a TCP packet
trace for me?  There's an excellent tool available for free from
www.ethereal.com that runs on windows.  If you do not wish to share the TCP
packet trace with everyone, then you can just send it directly to me and I will
keep its contents confidential.  I will only share what I find from reading the
log file.  If you can do this for me, then what would be very helpful is a TCP
packet trace of the login session with IE and two separate TCP packet traces of
the login session with Mozilla (once with the default preferences, and once with
network.automatic-ntlm-auth.allow-proxies set to false).  THANKS IN ADVANCE !!
I'll do my best. Do you know of any other free apps other than ethereal? I've
had some problems with win32 ethereal crashing the whole machine and I'm not
excited about installing it on my laptop. 
(In reply to comment #10)
> I'll do my best. Do you know of any other free apps other than ethereal? I've
> had some problems with win32 ethereal crashing the whole machine and I'm not
> excited about installing it on my laptop. 

Actually forget that. I think I was thinking of nmap for windows. In any case
I've sent you the logs. 

> I've sent you the logs. 

I analyzed the log files, and low-and-behold it is true.  IE is magically
selecting the correct domain instead of using the local machine's name as the
domain.  Mozilla is using Microsoft's SSPI API here, and we don't have any
control over the domain it selects to use.  I guess this means that IE is using
some private Win32 API or something like that :-(

The one thing we can do is fix the prompting issue.  Investigating...
Attached patch v0 experimental patch (obsolete) — Splinter Review 
This is an experimental patch that should solve the problem.  What I found was
that we were always trying SSPI and then failing over to our built-in NTLM
mech.  As a result, we were invalidating any stored login credentials each time
the SSPI mech failed.  This patch makes us remember the fact that the SSPI mech
failed (on a per auth domain basis) so that we don't needlessly retry it.  This
should fix the bug, but I've not had a chance to test it yet.  If anyone is
able to build Mozilla (or Firefox) and test out this patch, that would be most
appreciated.  Meanwhile, I'll try to find a testcase for this.
(In reply to comment #12)
> > I've sent you the logs. 
> 
> I analyzed the log files, and low-and-behold it is true.  IE is magically
> selecting the correct domain instead of using the local machine's name as the
> domain.

Does a user's password for the domain have to be the same as the users password
for the local machine for the login to be transparent?
> Does a user's password for the domain have to be the same as the users password
> for the local machine for the login to be transparent?

That's a good question, but in this case the fact that the domains are different
is enough to indicate that SSPI is not using the same logon credentials as IE. 
If the domains were the same, then I'd be suspicious of the password.

we should either disable the feature or fix the bug ... but we shouldn't ship
1.0 as is  blocking avaiary +

sounds like the patch is close.
Flags: blocking-aviary1.0? → blocking-aviary1.0+
Blocks: 212015
in case we don't get a chance to complete a fix for this feature, we should
disable the pref by default.  this patch can be used to do that.
*** Bug 263033 has been marked as a duplicate of this bug. ***
Whiteboard: [have patch] for backout if needed
Whiteboard: [have patch] for backout if needed → [eta 10/15] [have patch] for backout if needed
*** Bug 263517 has been marked as a duplicate of this bug. ***
Is the "v0 experimental patch" that is attached above in a build anywhere?  I'm 
guessing that this problem is the same as that in bug 259854 and would like to 
test if it resolves the problem there, but don't have a chance to do a Windows 
build of either Firefox or Mozilla currently, so I'm not able to test the patch 
as it stands, unfortunately.
Attached patch v1 patchSplinter Review 
Ok, the v0 patch was not quite sufficient.  This patch solves the problem
according to my testing.

The main problem occurs when a server responds with 'WWW-Authenticate:
Negotiate NTLM'.  We'll try Negotiate, find that the server (or proxy) is not
on our whitelist (or not supported in the case of a proxy), and then we'll try
NTLM.  We'll try the system NTLM authenticator, and that will fail.  After that
we will repeat from the top, trying Negotiate first and then failing over to
NTLM.  However, in the process of doing so we do not clear
nsHttpChannel::mAuthContinuationState.	As a result,
nsHttpNegotiateAuth::ChallengeReceived is passed the 'continuationState' param
that was generated by the NTLM authenticator!  The Negotiate auth code doesn't
know any better, and thinks that the continuationState is its own.  It happily
uses the continuationState, bypassing its whitelist!  Since the
continuationState supports nsIAuthModule, the Negotiate auth code happily
invokes the NTLM nsIAuthModule for NTLM credentials, which in the case of the
system NTLM auth module does not require user input to return a non-empty
result.  So, we end up in a loop, calling upon the system NTLM authenticator
repeatedly.  Each subsequent network request contains a malformed
'Authorization: Negotiate XXX' where XXX is a NTLMSSP message :-( 

The solution is to make sure that we clear mAuthContinuationState when
switching to a different auth type.  We also need to make sure that we stick
with the same auth type once we start using one on a given channel.  Otherwise,
the logic to failover from system NTLM to mozilla NTLM won't be triggered,
since it depends on the value of mAuthContinuationState.

Given all that, this patch is fairly straightforward.
Attachment #159280 - Attachment is obsolete: true
NOTE: this bug can cause the browser to inadvertantly send the user's system
logon to servers, and that would be a privacy concern except for the fact that
it can only happen after the user incorrectly enters their domain logon into an
auth prompt.  so, i think that the potential threat to users is very low. 
nonetheless this is a serious bug that needs to be fixed for firefox 1.0 and the
next release off the 1.7 branch.
Attachment #161793 - Flags: review?(cneberg)
Flags: blocking1.7.x?
I guess I'm missing one thing. If I've already put the correct credentials into
password manager, why does it bother figuring out the credentials on its own?
Blocks: 261044
> I guess I'm missing one thing. If I've already put the correct credentials into
> password manager, why does it bother figuring out the credentials on its own?

Yeah, you'd think it would be that simple.  However, we don't currently check
password manager from the HTTP code.  Instead, the password manager is actually
implementing the prompt interface, and it magically inserts whatever saved
password you may have into that prompt.  At the networking level we do not
really know about password manager.  That said, we probably should teach the
HTTP code to check password manager as you suggest.
Attachment #161793 - Flags: superreview?(bzbarsky)
Whiteboard: [eta 10/15] [have patch] for backout if needed → [eta 10/15] [have patch]need review bz cneberg
could use some quick review help on this one so we can figure out what to do
soon.  thx

Review comming up.
Unfortunately, I've been out of the office for a few days and won’t be back in 
till Monday, so I don't currently have access to a build environment or I'd do 
some testing on my own. (Once I can get a nightly build of this I could perform 
some of the tests remotely.)

Wouldn't the same users who have problems with auto sending NTLM because they 
use a different system login than domain credentials have the same problem with 
auto-sending Negotiate? I don't believe Negotiate can currently fail over to 
another authentication type when a server side failure occurs. We should try 
the same trick there as this patch by using a session state variable to mark 
that we have tried Negotiate before and failed.   This fix would also be 
required if the client and server don’t support a common list of authentication 
types for Negotiate (SPNEGO).   I currently have this problem because I can’t 
support NTLM at the server so if Mozilla in Windows tries Negotiate-NTLM rather 
than Negotiate-Kerberos there is no smooth way for the server to force the 
browser to fail over to another authentication type (in my case basic 
authentication.)    My current work around for this bug is that I remove www-
authenticate: Negotiate from the headers and re-send the prompt to the user 
only containing www-authenticate:  basic.  (This works against IE also), this 
workaround will be broken by this patch which can not handle the current 
authentication type from being dropped from the www-authenticate list from the 
server.    One way to change the code below to handle the auth type missing is 
to make it more flexible by not handling the auth type checking in the loop but 
instead do a sanity check in each httpAuthenticator class individually by 
having the first line of the ChallengeReceived function do a sanity check to 
see if the current channel mAuthType is suitable, if not error out.   Then make 
basic not do the sanity check.   I hope one the solutions will be possible for 
Firefox 1.0 but I know time is short.

        if (NS_SUCCEEDED(rv)) {
             //
+            // if we've already selected an auth type from a previous challenge
+            // received while processing this channel, then skip others until
+            // we find a challenge corresponding to the previously tried auth
+            // type.
+            //
+            if (!mAuthType.IsEmpty() && authType != mAuthType)
+                continue;

#ifdef XP_WIN
         //
+        // our session state is non-null to indicate that we've flagged
+        // this auth domain as not accepting the system's default login.
+        //

You should clarify your comment to specify what exactly the auth domain is. It 
would be the channel (connection?), correct?   Also, wouldn't the system's 
default credentials be retried with every new channel? Maybe in the future we 
could add a method of using the auth cache so we don't retry the same 
authentication types over and over with every new connection (another new bug).
 
More to come…

> Wouldn't the same users who have problems with auto sending NTLM because they 
> use a different system login than domain credentials have the same problem 
with 
> auto-sending Negotiate? 

Sorry to respond to my own question but according to the following comment, my 
problem may have already been fixed.  I have no way to verify the fix currently.

http://lxr.mozilla.org/mozilla/source/extensions/negotiateauth/nsNegotiateAuthSS
PI.cpp#283


else {
284         // If there is no input token, then we are starting a new
285         // authentication sequence.  If we have already initialized our
286         // security context, then we're in trouble because it means that the
287         // first sequence failed.  We need to bail or else we might end up 
in
288         // an infinite loop.
289         if (mCtxt.dwLower || mCtxt.dwUpper) {
290             LOG(("Cannot restart authentication sequence!"));
291             return NS_ERROR_UNEXPECTED;
292         }
293 
294         ctxIn = NULL;
295     }
Attachment #161793 - Flags: review?(cneberg) → review+
        if (NS_SUCCEEDED(rv)) {
             //
+            // if we've already selected an auth type from a previous challenge
+            // received while processing this channel, then skip others until
+            // we find a challenge corresponding to the previously tried auth
+            // type.
+            //
+            if (!mAuthType.IsEmpty() && authType != mAuthType)
+                continue;

Wouldn't this code break support using support for 2 different authentication
types during the same connection for request based auth types?

For example in IIS or Apache I could set support for Digest authentication for
one directory and Http basic authentication on another.  With this patch I don't
think I could hit both of those directories in the same connection because when
I hit the second directory it would look for the authentication type of the
first then fail because it couldn't find it. 

A fix for this would be to check to make sure that the auth type you used last
on the connection is actually present before enforcing that it is used.  Do that
and r=cneberg

I still would also like to see the checking of whether mAuthType is valid be
done in the nsIHttpAuthenticator class before or only when mContinuation state
is used.  That way the use of request based authentication types are not forced
to be dependendent on the use of a connection based state variable, but that can
probably wait for another bug.
> Wouldn't this code break support using support for 2 different authentication
> types during the same connection for request based auth types?

no, the channel object corresponds to an individual URI.  it does not correspond
to the connection.  if fetching a URI involves multiple HTTP transactions, then
the state of that sequence of transactions can be stored on the channel.  here,
mAuthType is stored on the channel, so it only applies to a particular URI being
fetched.

in other words, if the user reloads the page, mAuthType is reset to empty, and
the whole process starts over.  no history is kept between channels other than
what is stored in the auth cache in the form of session state.

moreover, i designed the mAuthType checking so that it would reset mAuthType to
empty whenever ChallengeReceived or GenerateCredentials returns an error.  the
one thing i did not do is recycle over the list of challenges, when the auth
type i'm looking for isn't present.  perhaps that would make the patch more
robust and better address the failover to basic auth requirement.
Blocks: 259344
Blocks: 259854
Comment on attachment 161793 [details] [diff] [review]
v1 patch

sr=bzbarsky if Christopher is OK with this.
Attachment #161793 - Flags: superreview?(bzbarsky) → superreview+
>no, the channel object corresponds to an individual URI.  it does not
>correspond to the connection. 

Thanks for the clarifications. 

> one thing i did not do is recycle over the list of challenges, when the auth
> type i'm looking for isn't present.  perhaps that would make the patch more
> robust and better address the failover to basic auth requirement.

Sounds good.  r=cneberg
Comment on attachment 161793 [details] [diff] [review]
v1 patch

a=asa for aviary and 1.7 branch checkin.
Attachment #161793 - Flags: approval1.7.x+
Attachment #161793 - Flags: approval-aviary+
Attached patch v1.1 patchSplinter Review 
revised patch w/ proper failover when expected auth type not found in list of
challenges.  i modified the GetCredentials function to call itself again if it
didn't get any credentials and if mAuthType is non-empty.  i clear mAuthType
before calling GetCredentials again so as to avoid infinite recursion.	

unfortunately, my test server is down right now, so i cannot directly confirm
this revision to the patch :(
ok, my tests show that the v1.1 patch does the right thing.  i'll go ahead and
land that one.
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
fixed-aviary1.0, fixed1.7.x
Keywords: fixed-aviary1.0, fixed1.7.x
It seems to me that this patch has caused the following :-

nsHttpNTLMAuth.cpp
Building deps for nsHttpNTLMAuth.cpp
/cygdrive/e/mozilla/source/mozilla/build/cygwin-wrapper g++ -march=athlon-xp -mm
mx -msse -mno-cygwin -o nsHttpNTLMAuth.o -c -DOSTYPE=\"WINNT5.1\" -DOSARCH=\"WIN
NT\" -I/cygdrive/e/mozilla/source/mozilla/netwerk/protocol/http/src/../../../bas
e/src -I../../../../dist/include/xpcom -I../../../../dist/include/string -I../..
/../../dist/include/pref -I../../../../dist/include/nkcache -I../../../../dist/i
nclude/mimetype -I../../../../dist/include/intl -I../../../../dist/include/unich
arutil -I../../../../dist/include/caps -I../../../../dist/include/xpconnect -I..
/../../../dist/include/js -I../../../../dist/include/uconv -I../../../../dist/in
clude/necko -I../../../../dist/include -I../../../../dist/include/nspr
-fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Wover
loaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wno-long-lo
ng -pedantic -mms-bitfields -pipe  -DDEBUG -D_DEBUG -DDEBUG_David -DTRACING -g
 -DX_DISPLAY_MISSING=1 -DMOZILLA_VERSION=\"1.8a5\" -DHAVE_SNPRINTF=1 -D_WINDOWS=
1 -D_WIN32=1 -DWIN32=1 -DXP_WIN=1 -DXP_WIN32=1 -DHW_THREADS=1 -DWINVER=0x400 -DS
TDC_HEADERS=1 -DWIN32_LEAN_AND_MEAN=1 -DNO_X11=1 -D_X86_=1 -DD_INO=d_ino -DSTDC_
HEADERS=1 -Duid_t=int -Dgid_t=int -DHAVE_DIRENT_H=1 -DHAVE_GETOPT_H=1 -DHAVE_MEM
ORY_H=1 -DHAVE_UNISTD_H=1 -DHAVE_MALLOC_H=1 -DHAVE_LIBM=1 -DNO_X11=1 -DMMAP_MISS
ES_WRITES=1 -DHAVE_STRERROR=1 -DHAVE_SNPRINTF=1 -DHAVE_MEMMOVE=1 -DHAVE_RINT=1 -
DVA_COPY=va_copy -DHAVE_VA_COPY=1 -DMOZ_DEFAULT_TOOLKIT=\"windows\" -DMOZ_DISTRI
BUTION_ID=\"org.mozilla\" -DMOZ_APP_NAME=\"mozilla\" -DOJI=1 -DIBMBIDI=1 -DMOZ_V
IEW_SOURCE=1 -DMOZ_XPINSTALL=1 -DMOZ_JSLOADER=1 -DMOZ_MATHML=1 -DMOZ_LOGGING=1 -
DDETECT_WEBSHELL_LEAKS=1 -DHAVE___CXA_DEMANGLE=1 -DMOZ_DEMANGLE_SYMBOLS=1 -DMOZ_
USER_DIR=\"Mozilla\" -DMOZ_XUL=1 -DMOZ_PROFILESHARING=1 -DMOZ_PROFILELOCKING=1 -
DMOZ_DLL_SUFFIX=\".dll\" -DJS_THREADSAFE=1 -DNS_PRINT_PREVIEW=1 -DNS_PRINTING=1
-DMOZ_REFLOW_PERF=1 -DMOZ_REFLOW_PERF_DSP=1 -DMOZILLA_LOCALE_VERSION=\"1.8a\" -D
MOZILLA_REGION_VERSION=\"1.8a\" -DMOZILLA_SKIN_VERSION=\"1.5\"  -D_MOZILLA_CONFI
G_H_ -DMOZILLA_CLIENT /cygdrive/e/mozilla/source/mozilla/netwerk/protocol/http/s
rc/nsHttpNTLMAuth.cpp
e:/mozilla/source/mozilla/netwerk/protocol/http/src/nsHttpNTLMAuth.cpp:210: erro
r: extra `;'
make[6]: *** [nsHttpNTLMAuth.o] Error 1
make[6]: Leaving directory `/cygdrive/e/mozilla/source/mozilla/netwerk/protocol/
http/src'
make[5]: *** [libs] Error 2
make[5]: Leaving directory `/cygdrive/e/mozilla/source/mozilla/netwerk/protocol/
http'
make[4]: *** [libs] Error 2
make[4]: Leaving directory `/cygdrive/e/mozilla/source/mozilla/netwerk/protocol'

make[3]: *** [libs] Error 2
make[3]: Leaving directory `/cygdrive/e/mozilla/source/mozilla/netwerk'
make[2]: *** [libs] Error 2
make[2]: Leaving directory `/cygdrive/e/mozilla/source/mozilla'
make[1]: *** [alldep] Error 2
make[1]: Leaving directory `/cygdrive/e/mozilla/source/mozilla'
make: *** [alldep] Error 2
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
MingW bustage fixed on trunk, 1.7 branch, and aviary 1.0 branch

marking FIXED
Status: REOPENED → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → FIXED
Yup, that fixed the MinGW bustage. Thanks.
Flags: blocking1.7.x?
Summary: browser not using the right credentials for proxy authentication → browser not using the right credentials for proxy authentication (NTLM)
*** Bug 262276 has been marked as a duplicate of this bug. ***
*** Bug 266303 has been marked as a duplicate of this bug. ***
*** Bug 259309 has been marked as a duplicate of this bug. ***
*** Bug 260015 has been marked as a duplicate of this bug. ***
*** Bug 260479 has been marked as a duplicate of this bug. ***
*** Bug 250535 has been marked as a duplicate of this bug. ***
*** Bug 248887 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: