Thunderbird + Exchange = NTLM does not work

Dalius
Guest

Post by Dalius »

How could I debug the reason why NTLM is not working? I have added the proper entries to the configuration, but NTLM still does not work. I can log in to the Exchange server using IMAP etc., but I would like to have NTLM working as well.
bkennelly
Posts: 2177
Joined: June 26th, 2005, 4:36 pm
Location: Winter Garden, FL

Post by bkennelly »

NTLM authentication has worked for me with all Thunderbird 2.0.* versions. All I needed to do was select "Use Secure Authentication" on the server settings page for the Exchange IMAP account.

What version of Thunderbird are you using?
What have you tried?
What messages did you get?
Dalius
Posts: 4
Joined: January 22nd, 2008, 12:03 am
Location: Vilnius, Lithuania

Post by Dalius »

"Use secure connection" does not help.

* Thunderbird version 2.0.0.9 (newest one)

I have tried setting my company's domain in:

network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris

I have tried different configurations, but that has not helped either.

Now about messages. I don't get any usable message from Thunderbird itself. It just asks to enter the password.

I have enabled logging but I don't get anything useful except the fact that NTLM is enabled:
* CAPABILITY IMAP4 IMAP4rev1 IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN AUTH=NTLM

Later NTLM is not mentioned at all. That's all I could read from the log.
bkennelly
Posts: 2177
Joined: June 26th, 2005, 4:36 pm
Location: Winter Garden, FL

Post by bkennelly »

Dalius wrote: Now about messages. I don't get any usable message from Thunderbird itself. It just asks to enter the password.


And after you enter your password? Does it just keep prompting?
Dalius
Posts: 4
Joined: January 22nd, 2008, 12:03 am
Location: Vilnius, Lithuania

Post by Dalius »

bkennelly wrote:
Dalius wrote: Now about messages. I don't get any usable message from Thunderbird itself. It just asks to enter the password.


And after you enter your password? Does it just keep prompting?

It works OK. TB remembers the password. However, that is against the whole single sign-on philosophy that NTLM is about. When my Windows domain password expires and I change it, I will need to re-enter it in TB. Why? Just because NTLM does not work? So that's why I'm asking how I could debug this problem.
bkennelly
Posts: 2177
Joined: June 26th, 2005, 4:36 pm
Location: Winter Garden, FL

Post by bkennelly »

So, NTLM works, but you want it to work differently.

Thunderbird implements the authentication protocol indicated by AUTH=NTLM, which is a specific challenge-response mechanism. A good description of NTLM can be found here: http://curl.haxx.se/rfc/ntlm.html#whatIsNtlm. Note that NTLM requires the client to have knowledge of the account password.
Dalius
Posts: 4
Joined: January 22nd, 2008, 12:03 am
Location: Vilnius, Lithuania

Post by Dalius »

No. NTLM does not work. For example, I can access internal websites using Firefox without entering a password (NTLM says who I am to those sites). TB requires my password anyway, even if I said that I allow those sites to verify my identity using NTLM (config entries containing the NTLM line). I don't know what happens behind the scenes, but if it requires a password, that means NTLM does not work.

I can do some development work or similar stuff if this problem is not mine only. It would be nice if people who are working on that could contact me (or I could contact them).
bkennelly
Posts: 2177
Joined: June 26th, 2005, 4:36 pm
Location: Winter Garden, FL

Post by bkennelly »

If you are achieving authenticated login, then NTLM is working as designed and as documented. NTLM authentication requires the client to know the password. It is needed to generate the correct Type 3 response.

That said, Firefox uses the SSPI library for SPNEGO HTTP authentication. SSPI has access to your login credentials, and can generate the necessary responses.
There is an open enhancement request to add SSPI support to Thunderbird: https://bugzilla.mozilla.org/show_bug.cgi?id=284538. Log in to Bugzilla and vote for it. Even better, if you can supply the necessary patch, upload it!
Dalius
Posts: 4
Joined: January 22nd, 2008, 12:03 am
Location: Vilnius, Lithuania

Post by Dalius »

Thank you for the explanation and your patience in explaining it to me :-)

I will supply a patch if I make one.
bkennelly
Posts: 2177
Joined: June 26th, 2005, 4:36 pm
Location: Winter Garden, FL

Post by bkennelly »

I enjoyed it, and learned some new things myself. (I had never associated NTLM with SSO; I only knew it as an authentication mechanism.)

Good luck with the patch.
PhoenixUA
Guest

Re: Thunderbird + Exchange = NTLM does not work

Post by PhoenixUA »

Two years have passed, but the SSO feature is still not implemented... very sad... ((
Guest
Guest

Re: Thunderbird + Exchange = NTLM does not work

Post by Guest »

still not working :-(