Closed Bug 275679 Opened 20 years ago Closed 3 years ago

Failover from automatic to built-in NTLM auth with MS-Proxy sometimes fails with Mozilla 1.7.5 / Firefox 1.0

Categories

(Core :: Networking, defect, P5)

x86
Windows NT
defect

Tracking

()

RESOLVED INCOMPLETE
mozilla1.9alpha1

People

(Reporter: Sianka, Unassigned)

References

Details

(Keywords: helpwanted, regression, Whiteboard: [no l10n impact][ntlm] [necko-would-take])

Since Mozilla 1.7.5, I get the same old error than before with NTLM auth. See:
http://bugzilla.mozilla.org/show_bug.cgi?id=35159
There is no password prompt any more and I get an auth error 407.

It was working fine before.

A downgrade from Mozilla 1.7.5 to 1.7.3 fix the problem.
Component: General → Networking
Keywords: regression
Product: Mozilla Application Suite → Core
Assignee: general → darin
QA Contact: general → benc
Severity: blocker → major
By the way, I have the same problem with Firefox 1.0
I am seeing different results with Firefox. The Mozilla Suite nightly fails but
the Firefox nightly works. Both are installed on the same system.

Mozilla Suite
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a6) Gecko/20050112
Build ID: 2005011204
and
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050116
Build ID: 2005011605

Firefox
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050113 Firefox/1.0+
Confirming to make sure this gets some attention.... What landed on branch
between 1.7 and 1.7.5 that could have broken this?

Also, since this is broken on trunk, changing version field.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b?
Version: 1.7 Branch → Trunk
There was some sort of auth change made - darin?
should this block a 1.7.6? (sounds like...)
Flags: blocking1.7.6?
Flags: blocking1.7.6? → blocking1.7.6+
To anyone who can reproduce this problem:

Please try setting the pref "network.automatic-ntlm-auth.allow-proxies" to
false.  You can change this pref by loading about:config in the browser.

Also, it would help to know if anyone experiences this problem on platforms
other than Windows.

Thanks!
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta
Hi

First thanks for your time and support.

I re-installed mozilla 1.7.5 release.
I reproduced the initial bug.
Then I set up "network.automatic-ntlm-auth.allow-proxies" to false as you suggested.
Now the browser is prompting for user/password the same way than with 1.7.3.

As far as I tested, it seems to work fine in this configuration.

Is automatic-ntlm-auth a new feature ?


> Is automatic-ntlm-auth a new feature ?

Yes, it is a new feature.  The intent is to first try using the built-in NTLM
module on your system (called Microsoft SSPI).  That module will attempt to use
your Windows logon as the NTLM credentials.  If it fails, then we _should_
failover to Mozilla's NTLM module, which means behaving like Moz 1.7.3, etc.  It
would seem that that failover code is not working properly in your case.

You could help me a great deal by restoring the default configuration, and then
capture a Mozilla HTTP log for me using these instructions:
http://www.mozilla.org/project/netlib/http/http-debugging.html

When you have the log file, please attach it to this bug report using the
"Create a New Attachment" link above.  Or, if you prefer you can send it to me
directly via email.

Thanks again!
Summary: NTLM Auth with MS-Proxy now failed with Mozilla 1.7.5 → automatic-ntlm auth with MS-Proxy sometimes fails with Mozilla 1.7.5 / Firefox 1.0
> You could help me a great deal by restoring the default configuration, and then
> capture a Mozilla HTTP log for me using these instructions:
> http://www.mozilla.org/project/netlib/http/http-debugging.html

I get a 404 file not found error with this url

(In reply to comment #8)
> When you have the log file, please attach it to this bug report using the
> "Create a New Attachment" link above.  Or, if you prefer you can send it to me
> directly via email.

Done. I sent the log to you via email.

Thanks for the log file.

Here's some interesting bits from the log file:

247[76a1a0]: http response [
247[76a1a0]:   HTTP/1.1 407 Proxy Authentication Required ( The ISA Server
requires authorization to
247[76a1a0]:   Via: 1.1 PROXY
247[76a1a0]:   Proxy-Authenticate: NTLM
Kerberos
Negotiate
247[76a1a0]:   Pragma: no-cache
247[76a1a0]:   Cache-Control: no-cache
247[76a1a0]:   Content-Type: text/html
247[76a1a0]:   Content-Length: 3759
247[76a1a0]: ]
...
0[751e70]: nsHttpChannel::ProcessAuthentication [this=1fddad0 code=407]
0[751e70]: nsHttpChannel::GetAuthenticator [this=1fddad0]
0[751e70]: nsHttpChannel::GetCredentialsForChallenge [this=1fddad0 proxyAuth=1
challenges=NTLM]
0[751e70]: nsHttpAuthCache::GetAuthEntryForDomain [key=http://172.16.252.5:8080
realm=]
0[751e70]: nsHttpNTLMAuth::ChallengeReceived
0[751e70]:   identity invalid = 0
0[751e70]: nsHttpNTLMAuth::GenerateCredentials
0[751e70]: nsHttpChannel::GetAuthenticator [this=1fddad0]
0[751e70]: nsHttpChannel::GetAuthenticator [this=1fddad0]
0[751e70]: nsHttpChannel::GetCredentialsForChallenge [this=1fddad0 proxyAuth=1
challenges=Negotiate]
0[751e70]: nsHttpAuthCache::GetAuthEntryForDomain [key=http://172.16.252.5:8080
realm=]
0[751e70]: unable to authenticate
0[751e70]: ProcessAuthentication failed [rv=80004004]

What it tells me is that nsHttpNTLMAuth::GenerateCredentials is failing.  That's
interesting because normally it succeeds since it is just sending some flags at
this stage.

I believe we get confused by this error condition and then never re-try NTLM,
and hence we never failover to our built-in NTLM module.  So, it seems to me
that the user's system has a busted SSPI or something like that.  We should
probably failover immediately if SSPI ever fails to generate credentials. 
Summary: automatic-ntlm auth with MS-Proxy sometimes fails with Mozilla 1.7.5 / Firefox 1.0 → Failover from automatic to built-in NTLM auth with MS-Proxy sometimes fails with Mozilla 1.7.5 / Firefox 1.0
Flags: blocking1.8b? → blocking1.8b+
Darin, so do you think this is something important to fix for the upcoming 1.8
gecko releases?
Flags: blocking1.8b+ → blocking1.8b2?
yes, i think it is important for 1.8 beta (1 or 2)
No traction here, not going to wait for this fix.
Flags: blocking1.7.6+ → blocking1.7.6-
Priority: -- → P2
Target Milestone: mozilla1.8beta1 → mozilla1.8beta2
Darin, are you going to be able to get at this in the next few days? We're
coming up fast on 1.8b2.
Flags: blocking1.8b3?
Flags: blocking1.8b2?
Flags: blocking1.8b2-
Flags: blocking1.8b4?
Flags: blocking1.8b3?
Flags: blocking1.8b3-
Flags: blocking1.8b2-
Whiteboard: [no l10n impact]
I think this bug should remain on the radar for Gecko 1.8
Keywords: helpwanted
Target Milestone: mozilla1.8beta2 → mozilla1.8beta4
Flags: blocking1.8b4? → blocking1.8b4+
Flags: blocking1.8b4-
Flags: blocking1.8b4+
Flags: blocking-aviary1.5+
Flags: blocking-aviary1.5+
Target Milestone: mozilla1.8beta4 → mozilla1.9alpha
*** Bug 326045 has been marked as a duplicate of this bug. ***
-> reassign to default owner
Assignee: darin.moz → nobody
Status: ASSIGNED → NEW
QA Contact: benc → networking
Hello!

I am not sure, if i am right here (i am a newby here), but we have this issue with firefox v28 and the Blue Coat ProxySG as well. The problem is, that it does not occure all the time. Sometimes surfing works fine and sometimes the popup arrises. Of course with MS-IE everythink works fine. The strange thing ist, that on the configuration on the proxysgs nothing has changed and the NTLM worked fine with Firefox for a long time.

Does anyone have the same issiue with Firefox v28?

Best regards
Martin
(In reply to Martin Peinsipp from comment #20)
> Hello!
> 
> I am not sure, if i am right here (i am a newby here), but we have this
> issue with firefox v28 and the Blue Coat ProxySG as well. The problem is,
> that it does not occure all the time. Sometimes surfing works fine and
> sometimes the popup arrises. Of course with MS-IE everythink works fine. The
> strange thing ist, that on the configuration on the proxysgs nothing has
> changed and the NTLM worked fine with Firefox for a long time.
> 
> Does anyone have the same issiue with Firefox v28?
> 
> Best regards
> Martin

Hi!

I am sorry, i think this is the wrong threat.

martin
Whiteboard: [no l10n impact] → [no l10n impact][ntlm] [necko-would-take]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P2 → P5

Marking this as Resolved > Incomplete since the last activity on this issue was 8 years ago and it might not be relevant anymore.
Feel free to re-open if the issue is still reproducible on your end in the latest FF versions.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.