Open Bug 199674 Opened 21 years ago Updated 3 years ago

Improve NTLM auth UI (add domain field to auth prompt)

Component: Core :: Networking: HTTP (enhancement, P5)
Target Milestone: mozilla1.9alpha1
Reporter: darin.moz
Assignee: Unassigned
Keywords: helpwanted
Whiteboard: [NTLM][necko-backlog]

Improve NTLM auth UI

see bug 199644 for related comments.
Severity: normal → enhancement
Status: NEW → ASSIGNED
Keywords: nsbeta1
Priority: -- → P3
Target Milestone: --- → mozilla1.4beta
Whiteboard: Darin Fisher, would you mind describing what you want in a comment and changing the summary to better reflect it?
sure, this bug is about the following:

1- provide an auth prompt with 3 fields {username, password, domain} for NTLM
authentication.

2- suppress trying to show the user any kind of realm string since there isn't
any for NTLM auth.
Summary: Improve NTLM auth UI → Improve NTLM auth UI (add domain field to auth prompt)
Whiteboard: Darin Fisher, would you mind describing what you want in a comment and changing the summary to better reflect it?
Using IE6 on Windows XP, the dialog I get for NTLM authentication has only a
single field for the user, and you have to enter the domain and user as
domain\user.  I do not think Mozilla needs separate fields for domain and user.
Whiteboard: [NTLM]
Priority: P3 → P2
adt: nsbeta1-
Keywords: nsbeta1nsbeta1-
I also noticed that most of my servers return a realm of the IP address of the
server, we map a realm w/ the IP address to the hostname in the "Host:" line. I
looked for other bugs, and found none.

I think we should be showing the IP address, and not mapping the value
gratuitously.

Let me know if this should be a separate bug, or part of this UI fix.
How about a tick box option that enables a site to receive NTLM credentials from
the OS, similar to a remember my login info...  Note that this would be
different from the remember my login info because it would use the LAN
login - at the company I work for, we have a password policy that forces us
to change our passwords once a month and a strict policy of single sign-on for
our business reps (who can become confused when faced with any prompt).
First of all, thank you for implementing this. I had an opportunity to be
required to use it today and I'm happy I didn't have to revert to IE to view the
site.  The UI issues in the login dialog are something that should be looked
into, but they do not prevent it from being useful.

I second comment #5, I too would like to see Mozilla be able to get the login
credentials from Windows.  I was able to confirm that IE uses the current
logged-in Windows user to authenticate, which saves a step.  Of course there are
security issues with that, but that's MSFT, right?
credentials request (security issue) is covered by Darin in bug 199644 comment 4.
Blocks: 214599
I concur with comments 5 and 6. The option to transparently pass-thru the
username and password on windows would be a big plus in sites that are heavily
reliant on Windows Integrated Authentication.

Firefox is getting a lot more exposure now particularly in IE windows using
sites. However one of the first things that grates with IE users kicking the
tires, is the lack of an option to just pass-thru the credentials, they get
confused and think that its reverting to basic authentication when it should
just work.
The transparent pass-thru seems to be covered in Bug #231529
(http://bugzilla.mozilla.org/show_bug.cgi?id=231529).
*** Bug 251358 has been marked as a duplicate of this bug. ***
From bug 251358:

>If the domain is omitted firefox SWAPS domain and username in smb-type3msg:
>The NT-domain should always be placed at offset 0x40, but firefox puts the
>username there. The domain is stored at offset 0x40+strlen(domain).
Keywords: helpwanted
Priority: P2 → --
Target Milestone: mozilla1.4beta → mozilla1.8beta
OK, question... does NTLM provide a "default" domain that should be prefilled in
the dialog? Alternatively, can mozilla get a domain to prefill via some other way?

asking because I'd like to design a useful api for bug 265780 and need to know
whether this should be an out or inout parameter.
the domain is like the username... it should be an inout param.  it may be
possible to specify an escaped 'domain\username' in the username portion of a
URL string.
one possible workaround for this would be to change nsIAuthPrompt's savePassword
integer param into a flags param, and then define a new flag that tells the
nsIAuthPrompt implementation to optionally prompt the user for a domain as well
as a username.  then the prompt could assemble the two into a single username
value (domain\username) before returning it to the prompt caller.

the nice thing about that solution is that it would work even with old prompt
implementations since they'd just show the single username field as we do today.

the change can be made without breaking binary compat, so i think that's
probably the best thing to do for this bug.

nsIAuthPrompt2 can still provide a better API, but nsIAuthPrompt2's main reason
for being is not this bug.
(In reply to comment #14)
> one possible workaround for this would be to change nsIAuthPrompt's savePassword
> integer param into a flags param, and then define a new flag that tells the
> nsIAuthPrompt implementation to optionally prompt the user for a domain as well
> as a username.

Do we want to stay compatible with current implementors of nsIAuthPrompt, or
only with callers?
> Do we want to stay compatible with current implementors of nsIAuthPrompt, or
> only with callers?

with both.  the change i was proposing could be done as an optional flag.  if
ignored by the implementor, then no big deal.  if not set by the caller, then no
big deal.
(In reply to comment #16)
> with both.  the change i was proposing could be done as an optional flag.  if
> ignored by the implementor, then no big deal.  if not set by the caller, then no
> big deal.

current implementors probably test for equality with SAVE_PASSWORD_PERMANENTLY
etc, no? consider for example
http://lxr.mozilla.org/seamonkey/source/extensions/wallet/src/singsign.cpp#446

if people should now use &, current impls will fail...
> current implementors probably test for equality with SAVE_PASSWORD_PERMANENTLY
...
> if people should now use &, current impls will fail...

hmm, good point.  another issue is the fact that this integer isn't forwarded
through nsIPromptService, so we'd still need nsIPromptService2 to actually
implement this bug :-(

ok, i guess we do need a new interface here.
Along the lines of creating a new UI for NTLM authentication, this may be a good
place to provide a UI for the network.automatic-ntlm-auth.trusted-uris whitelist.

I’d suggest something like this:

+--------------------------------------------------------------+
|Login to [realm, if available]/[domain name]                X |
+--------------------------------------------------------------+
| +---+ The page you have requested is asking you to login     |
| | i | with your Windows username and password.  You should   |
| + --+ only agree if you trust [realm] on [domain name].      |
| |/                                                           |
|       ( ) Login with my Windows username and password:       |
|           ( ) this time only.                                |
|           ( ) always for [realm/domain name].                |
|                                                              |
|       ( ) Use different credentials to login:                |
|           Domain:   [ ?Prefill current domain?   ]           |
|           Username: [ ?Prefill current username? ]           |
|           Password: [ Blank                      ]           |
|          ( ) Use password manager to remember this password. |
|                                                              |
|                     (   OK   )  ( Cancel )                   |
+--------------------------------------------------------------+

Where selecting Login with my Windows username and password always for
[realm/domain name] would add the domain name to the
network.automatic-ntlm-auth.trusted-uris whitelist.
Priority: -- → P2
Target Milestone: mozilla1.8beta1 → mozilla1.8beta2
Target Milestone: mozilla1.8beta2 → mozilla1.9alpha
Priority: P2 → P4
My UI suggestion: -

Autofill domain\user logged onto Windows (as per Bug 374117) but always prompt for password to save entering username, but maintain security. Allow change of user via link. Maybe include URL to explanation of what "challenge type" is in title of dialog?

+----------------------------------------------------------------------------
| Enter [URL]"NTLM" Password
+----------------------------------------------------------------------------
| Logging into [realm]/[domain]
|
| User: [Autofill]<Domain\Username> (READONLY)      [URL]"Change..."
| Password: [Asterisk text entry]
|
| BIG EXCLAMATION MARK LOGO!
| WARNING: Do not set these options unless you trust the site [realm]/domain
| [CheckBox] Use Password Manager to remember this password
| [CheckBox] Always log in to the site as <Domain\Username>
| (borrow from "User" string above)
-----------------------------------------------------------------------------
Clicking on the Change user URL would hopefully open a dialog that presents the user with a tree view of users for their domain: -
DOMAIN+/-
  USER 1
  USER 2
  USER 3

"Always log into site" should return unchecked if the chosen user is not able to access the target domain due to wrong permissions or password. Otherwise, an infinite loop of failed logins would occur.
-> reassign to default owner
Assignee: darin.moz → nobody
Status: ASSIGNED → NEW
Whiteboard: [NTLM] → [NTLM][necko-backlog]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P4 → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3

Bulk-downgrade of unassigned, >=3 years untouched DOM/Storage bug's priority.

If you have reason to believe this is wrong, please write a comment and ni :jstutte.

Severity: normal → S4
Priority: P3 → P5