477410 - Login to server failed / cannot log in because you have enabled secure authentication

Status: VERIFIED INVALID

(MailNews Core :: Networking, defect)

Description

[Jack Eidsness]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090207 Shiretoko/3.1b3pre (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090207 Shredder/3.0b2pre

I have had this problem only with 20090206 and 20090207 versions of Shredder.  I believe I've experienced these symptoms with Shredder before, but it got fixed.

First, it doesn't work while it did earlier this week;  It still works with no changed settings, in the released version of thunderbird.  Secondly, the error message is just wrong.  The server does support secure authentication.  That bogus error message comes up when my password expires, too.  I checked that first, it's fine, and still works with TB 2, and I'm sure it would work with a trunk build from earlier this week, too.


Reproducible: Always

Steps to Reproduce:
1. Try to log in to exchange server
2. View error messages
3. Stop trying to log in, before it gets your account locked out

Actual Results:  
Login to server 10.x.x.x failed (click ok)
"You cannot log in to 10.x.x.x because you have enabled secure authentication and this server does not support it.
To log in, turn off secure authentication for this account"

Expected Results:  
Login should be successful, as it is with TB 2.  I use the same profile with both versions.

Turning off secure authentication doesn't sound like really great advice to give away so freely.  I don't know how people can stand to log into a server with neither SSL/TLS nor at least secure authentication (preferably the former, but I take what I can get around here).

Comment 1

[WADA:World Anti-bad-Duping Agency]

AFAIR, "automatic fall-back to insecure connection" was disabled by a trunk build.
So, I think phenomenon you explained can occur with newer trunk builds in some siituations(depends on server side setup, CAPABILITY response, and your account setting).
Get IMAP log, and check IMAP flow.
> Getting log: See Bug 402793 Comment #1
> IMAP command/response(RFC 3501) : http://www.faqs.org/rfcs/rfc3501.html
If Tb-trunk's fault is seen in log, and if log analysis by developers will be
required, attach log to this bug(never paste, please)

Comment 2

[Jack Eidsness]

I used wireshark to see what was happening, and I'm going to just attach these cropped screen shots.
There is one for thunderbird 2 where it works, and we can see that it IS successfully using NTLM to authenticate and another for a trunk build from 1/31.  Both attempts were done seconds apart, same server, same profile, same account, just different versions of thunderbird/shredder.  Today I used a build from 1/31 because I was just experimenting to see when this started, but I presume its the same result as todays (I saw it fail, but didnt look at a log), or from the 7th when I filed this bug.

The log shows 
"Response: 2 NO Logon failure: unknown user name or bad password"
when NTLM authentication is attempted.

Comment 3

[Jack Eidsness]

Attachment: wireshark's log of IMAP packets during NTLM attempt, shredder from 1/31

Comment 4

[Jack Eidsness]

Attachment: wireshark's log of IMAP packets during NTLM attempt, thunderbird 2.0.0.19, same server

Comment 5

[WADA:World Anti-bad-Duping Agency]

FYI. Following is bugs who have "NTLM" in summary(bug_number>400000 only). 
> Bug 423758 Firefox can't authenticate to IIS when minimum NTLM level set to v2
> Bug 439463 Firefox ask user and password on every CONNECT to an NTLM authenticated proxy
> Bug 452781 Allow specifying wildcard that matches all simple netbiosnames in network.automatic-ntlm-auth.trusted-uris
> Bug 455592 Firefox on windows Vista SP1 prompts for credentials when accessing website which uses NTLM
> Bug 455892 NTLM authentication fails when FIPS enabled.
> Bug 468334 NTLM authentication does not work with IIS7 error 0x80090308
> Bug 478018 Firefox shows auth pop-up when doing NTLM auth

Comment 6

[Jack Eidsness]

I've given each of those a once-over and I don't believe my problem is the same as any of those.  Thanks!

Also, here's some more info about my affected IMAP server:

* OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 ([hostname removed]) ready.
1 capability
* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN AUTH=NTLM
1 OK CAPABILITY completed.

Comment 7

[Jack Eidsness]

I found out what was wrong.  I was not aware that Thunderbird 2 & shredder are somehow using different saved password databases.  I'll read up on that, I guess.   I was actually using shredder when I changed my password, I am fairly certain, and it even worked, until I restarted, which was also time for an update.  After the restart and update, somehow it was still using the database that included my old password.  Instead of prompting me to try to enter in my password again, it would tell me that I had to stop using NTLM.  This is clearly a bad instruction, and my investigation stopped there for the time being.  At this point, I had probably been connected using the new password for quite a few hours.
I switched to thunderbird 2, and it somehow was able to read the database that included my updated password, so I never made the connection until today, when I decided to throw security into the trash, and run wireshark while connecting without NTLM at all - that is how I saw that the old password was being used.

I don't know if that's actually possible or not, but it's the best explanation I could come up with.   I guess that makes this bug INVALID, unless it's a dupe due to the "stop using NTLM" message on bad password

Comment 8

[Magnus Melin [:mkmelin]]

->INVALID per comment 7