NTLM Auth with bad password floods network

RESOLVED FIXED in mozilla1.8beta1

Status

Core
Networking: HTTP
--
critical
RESOLVED FIXED
14 years ago
14 years ago

People

(Reporter: Rich Loose, Assigned: Darin Fisher)

Tracking

Trunk
mozilla1.8beta1
x86
Windows XP
Details

Attachments

(1 attachment)

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10

I am hitting a protected page on a Windows 2003 box running IIS.

The server responds with 401 auth required, with WWW-Negotiate headers
indicating a willingness to do Negotiate, NTLM, and basic auth.

Browser prompts for user/password.  Supply a bad password, or an account that
doesn't exist, or an account that is locked.

Browser sends the NTLM Neg request.

Server sends back the NTLM challenge.

Browser sends the NTLM Auth request.

Server sends back Auth-required as before.

So far so good, but then the browser (without prompting for another
user/password) initiates the authentication dance all over again with the same
credentials, stubbornly flooding the network with the same authentication sequence.

Although reported on the Windows browser, the Linux browser has the same
problem: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040914 Firefox/0.10

I am not using any password management, and have Ethereal traces if anyone is
interested.

Reproducible: Always
Steps to Reproduce:
Auth --> Darin
Assignee: dveditz → darin
Component: Security: General → Networking: HTTP
(Assignee)

Comment 2

14 years ago
I wonder if my patch for bug 256949 will help this problem.

Rich: If you are willing to send me those ethereal traces I'd appreciate it, thx!
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → mozilla1.8beta
(Assignee)

Comment 3

14 years ago
A Mozilla HTTP log would be nice too.  Instructions here:

  http://www.mozilla.org/projects/netlib/http/http-debugging.html

Thanks!
(Reporter)

Comment 4

14 years ago
Created attachment 159865 [details]
Ethereal trace of the problem

Darin, here's an Ethereal trace of the problem.  - Rich
(Assignee)

Comment 5

14 years ago
Rich: Thanks! Can you please supply the Mozilla HTTP log as well. See comment #3.
(Assignee)

Comment 6

14 years ago
My latest patch for bug 256949 fixes this bug.
Depends on: 256949
(Assignee)

Comment 7

14 years ago
Marking FIXED, now that my patch for bug 256949 went in on the trunk, 1.7
branch, and aviary-1.0 branch.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
(Assignee)

Comment 8

14 years ago
*** Bug 259854 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 9

14 years ago
*** Bug 259344 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 10

14 years ago
*** Bug 265609 has been marked as a duplicate of this bug. ***
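
The loop in the description (an NTLM Auth request answered by another 401, then the same dance again) can be picked out of captured HTTP headers by decoding the NTLM message type and user name. This is an added example, not code from the bug report or from Mozilla; the function names, the threshold of 3, the addresses and the user names are assumptions, and the sample headers are constructed.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def parse_ntlm(header_value):
    """Return (message_type, user) for an 'NTLM <base64>' header value, else None."""
    scheme, _, blob = (header_value or "").partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != SIG:
        return None
    mtype = struct.unpack_from("<I", raw, 8)[0]  # 1=negotiate, 2=challenge, 3=authenticate
    user = None
    if mtype == 3 and len(raw) >= 44:
        # UserName security buffer at byte 36: length (u16), max length (u16), offset (u32)
        ulen, _, uoff = struct.unpack_from("<HHI", raw, 36)
        user = raw[uoff:uoff + ulen].decode("utf-16-le", "replace")  # assumes Unicode names
    return mtype, user

def repeated_failures(transactions, threshold=3):
    """Count runs of Type 3 requests answered with 401; return {(client, user): count}."""
    runs, flagged = {}, {}
    for client, authz, status in transactions:
        parsed = parse_ntlm(authz)
        if parsed and parsed[0] == 3:
            key = (client, parsed[1])
            if status == 401:
                runs[key] = runs.get(key, 0) + 1
                if runs[key] >= threshold:
                    flagged[key] = runs[key]
            else:
                runs.pop(key, None)  # handshake succeeded, reset the run
    return flagged

def make_msg(mtype, user=""):
    """Build a constructed, minimal NTLM header value (carries no real credential)."""
    name = user.encode("utf-16-le")
    body = SIG + struct.pack("<I", mtype)
    if mtype == 3:
        body += bytes(24) + struct.pack("<HHI", len(name), len(name), 64) + bytes(20) + name
    return "NTLM " + base64.b64encode(body).decode()

# Constructed sample: (client, Authorization value, response status) in wire order.
SAMPLE = [("192.0.2.5", make_msg(1), 401), ("192.0.2.5", make_msg(3, "baduser"), 401)] * 4
SAMPLE += [("192.0.2.9", make_msg(3, "gooduser"), 200)]
```

A user who is re-prompted and mistypes the password produces the same header sequence, so in practice the count would be combined with the time between attempts.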