MozillaZine

Possible pb with ntlm proxy authentication in ff 3.6b4

Discussion about official Mozilla Firefox builds
suricate
 
Posts: 4
Joined: August 22nd, 2008, 1:24 am

Post Posted December 15th, 2009, 5:46 am

Hi all,

After upgrading to 3.6b4, I can't use my corporate proxy server anymore.
It requires NTLM authentication and Firefox does not seem to handle it correctly.

Here is what I observed while trying to connect to http://www.free.fr:
First, the browser sends a GET request to the proxy.
The proxy gives a 407 (proxy authentication required).
Then, the browser pops up a login/passwd window (because I've switched network.automatic-ntlm-auth.allow-proxies to false).
I enter the correct login/passwd.
Everything is OK up to now.

But then, the browser sends a DNS query A http://www.free.fr ... strange, no?
Of course, it does not get an answer from my internal DNS server, thus the body of the 407 error page shows up.

My understanding is that after entering the login/passwd, the browser should send a new GET request to the proxy with the NTLM Proxy-Authorization header (as explained here: http://curl.haxx.se/rfc/ntlm.html#ntlmHttpAuthentication).

Does anyone share the same issue?
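
The handshake described in the post above (a 407, then a new request carrying an NTLM Proxy-Authorization header) can be checked against a capture. This is an added example, not part of the original post and not Firefox code: it decodes the NTLM message type from each proxy auth header and reports the first step that never appears. The function names, the capture tuple layout and the sample messages are assumptions constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"

# Expected order on the wire: (sender, header, NTLM type, label). Type 0 = bare "NTLM" offer.
STEPS = [
    ("proxy", "proxy-authenticate", 0, "407 offering NTLM"),
    ("client", "proxy-authorization", 1, "Type 1 negotiate"),
    ("proxy", "proxy-authenticate", 2, "Type 2 challenge"),
    ("client", "proxy-authorization", 3, "Type 3 authenticate"),
]

def ntlm_type(value):
    """Return 0 for a bare 'NTLM' offer, 1-3 for a message, None if not valid NTLM."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        return None
    blob = blob.strip()
    if not blob:
        return 0
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLM_SIG:
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return msg_type if msg_type in (1, 2, 3) else None

def trace(capture):
    """capture: (sender, header name, header value) tuples in wire order.
    Returns 'complete' or 'missing: <first step not seen>'."""
    step = 0
    for sender, name, value in capture:
        if step < len(STEPS) and (sender, name.lower(), ntlm_type(value)) == STEPS[step][:3]:
            step += 1
    return "complete" if step == len(STEPS) else "missing: " + STEPS[step][3]

def sample_msg(msg_type):
    """Constructed sample: signature + type only, no real flags or credentials."""
    return "NTLM " + base64.b64encode(NTLM_SIG + struct.pack("<I", msg_type)).decode()

# Constructed captures. STALLED mirrors the report above: a 407, then nothing.
STALLED = [("proxy", "Proxy-Authenticate", "NTLM")]
HEALTHY = STALLED + [
    ("client", "Proxy-Authorization", sample_msg(1)),
    ("proxy", "Proxy-Authenticate", sample_msg(2)),
    ("client", "Proxy-Authorization", sample_msg(3)),
]

if __name__ == "__main__":
    print(trace(STALLED))  # missing: Type 1 negotiate
    print(trace(HEALTHY))  # complete
```
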

jmathies

 
Posts: 6
Joined: July 2nd, 2008, 10:54 am
Location: Florida, USA

Post Posted December 15th, 2009, 10:19 pm

We made some changes to Windows NTLM handling that landed around beta 3 or 4. First, with single sign-on approved hosts, we now pass a valid service name to the Win32 APIs that handle NTLM authentication. That change was pretty minor but important. The second change was significant: we turned off the use of our internal NTLM implementation and now rely entirely on Microsoft APIs for authentication. These are the same calls we've made for single sign-on; we just now use them for user/pass auth as well. (We made these changes for security reasons.)

There is a pref that kicks the old auth module back in -

http://mxr.mozilla.org/mozilla-central/ ... all.js#835

Although I wouldn't recommend using it unless you trust the hosts you're connecting to.

If you're having trouble authorizing to a proxy, I'd be happy to try and help track down the issue. You can mail me directly at jmathies@mozilla.com too if need be. Dumping the ntlm log might be a good first step in figuring out what's going on.

https://developer.mozilla.org/en/HTTP_Logging

NSPR_LOG_MODULES=nsHttp:3,negotiateauth:4,NTLM:4

Jim

suricate
 
Posts: 4
Joined: August 22nd, 2008, 1:24 am

Post Posted December 16th, 2009, 3:32 am

Thanks,

Switching network.auth.force-generic-ntlm to true solves the problem.
I'll PM you the logfile.

Jim too
 
Posts: 483
Joined: December 29th, 2003, 11:16 am

Post Posted December 16th, 2009, 5:49 am

In perhaps a related problem, I started having trouble accessing an internal (corporate) RSS feed (this was using nightly Shredder builds). No proxies are involved. I copied the link and tried loading the same page using Minefield and see the same error. I see this on all corporate web pages that required a usercode/password for access. Changing network.auth.force-generic-ntlm to true restores access to the web pages (in both Shredder and Minefield). How should I collect information that would shed light on what is happening?

The reported error is:
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.
Internet Information Services (IIS)

OS is Windows XP Pro SP3

ndixon
 
Posts: 6
Joined: February 10th, 2004, 1:11 am
Location: Leeds, UK

Post Posted December 16th, 2009, 7:48 am

I'm seeing something similar in 20091215, but not in 20091214 and earlier nightlies when interacting with our corporate proxy server.

The latest nightly requests a username/password for certain sites (gmail.com is one).
And update requests to aus2.mozilla.org fail.

I see a 407 response, and repeated attempts at entering the username/password pair seem to have no effect.
Setting network.auth.force-generic-ntlm from false to true has no effect either.

Build Id is:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b6pre) Gecko/20091215 Namoroka/3.6b6pre

jmathies

 
Posts: 6
Joined: July 2nd, 2008, 10:54 am
Location: Florida, USA

Post Posted December 16th, 2009, 8:35 am

I've filed "Bug 535193 - DNS resolution in MakeSN of nsAuthSSPI causing auth issues?" on the original problem suricate posted about.

jmathies

 
Posts: 6
Joined: July 2nd, 2008, 10:54 am
Location: Florida, USA

Post Posted December 16th, 2009, 10:41 am

ndixon wrote: I'm seeing something similar in 20091215, but not in 20091214 and earlier nightlies when interacting with our corporate proxy server.

The latest nightly requests a username/password for certain sites (gmail.com is one).
And update requests to aus2.mozilla.org fail.

I see a 407 response, and repeated attempts at entering the username/password pair seem to have no effect.
Setting network.auth.force-generic-ntlm from false to true has no effect either.

Build Id is:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b6pre) Gecko/20091215 Namoroka/3.6b6pre


There's a problem on nightlies /1.9.2 right now with NTLM unrelated to this. This should be addressed today.

jmathies

 
Posts: 6
Joined: July 2nd, 2008, 10:54 am
Location: Florida, USA

Post Posted December 16th, 2009, 4:16 pm

I have two try builds put together that drop the canonical host lookups from nsAuthSSPI when building a service name. If anyone experiencing this problem would care to take them for a spin and report back I'd appreciate it.

trunk:
https://build.mozilla.org/tryserver-bui ... stall/sea/
3.5.6:
https://build.mozilla.org/tryserver-bui ... stall/sea/

mj315
 
Posts: 1
Joined: December 17th, 2009, 3:42 am

Post Posted December 17th, 2009, 3:45 am

Hello,

I downloaded the 535193-191-win32.installer.exe and installed the Shiretoko 3.5.7pre preversion.

IT WORKS FINE AGAIN - THX

regards
Josef

jmathies

 
Posts: 6
Joined: July 2nd, 2008, 10:54 am
Location: Florida, USA

Post Posted January 6th, 2010, 2:50 pm

3.5.7 went out today which should address the proxy issues in 3.5.6 people were experiencing.

RvdS
 
Posts: 8
Joined: February 1st, 2010, 12:27 am

Post Posted February 1st, 2010, 12:30 am

This was solved in 3.5.7, but is now back in 3.6 final!!

After upgrading, I keep on getting a dialog box requesting credentials from our corporate (Squid) proxy server. Filling them in does not help. No access to the internet.

Only reverting to 3.5.7 helps.

RvdS
 
Posts: 8
Joined: February 1st, 2010, 12:27 am

Post Posted February 1st, 2010, 12:31 am

...

Grotaiche
 
Posts: 1
Joined: February 1st, 2010, 4:33 am

Post Posted February 1st, 2010, 4:36 am

Same problem here, filling the correct info in the dialog box only leads to another dialog box prompting for login/pwd.
This is the case only for https though, as normal http seems to work. A rollback to 3.5.7 fixes the problem.

RvdS
 
Posts: 8
Joined: February 1st, 2010, 12:27 am

Post Posted February 1st, 2010, 1:21 pm

Glad to see that at least someone else also has the same problem... here it's any address/protocol though...

Hihats
 
Posts: 1
Joined: February 6th, 2010, 6:39 pm

Post Posted February 6th, 2010, 6:47 pm

Problem affects Firefox 3.6 running on Windows XP Home, Vista Home, Windows 7 (all current Microsoft operating systems that are not a member of a Windows Domain).
https://bugzilla.mozilla.org/show_bug.cgi?id=542318

If a Windows user logs on to a local user account and then tries to use his NTLM credentials then the problem occurs. It happens with and without the NTLM service running on the local machine.

Temporary Solutions:

I
1. Backup your bookmarks and uninstall Firefox 3.6
2. Install Firefox 3.5.x and wait for a fixed version 3.6.1 to be released

II
1. Temporarily use Internet Explorer 8 instead until Mozilla release the next fixed version, i.e. 3.6.1

III
1. Close Firefox, then edit the JavaScript file all.js

Set the pref network.auth.force-generic-ntlm to “true” in the following file:

c:\program files\mozilla firefox\greprefs\all.js
