Summary: | konqueror fails to authenticate with NTLM post 4.2 upgrade, worked with 4.1 | ||
---|---|---|---|
Product: | [Frameworks and Libraries] kio | Reporter: | Mike Pope <mpope> |
Component: | http | Assignee: | kdelibs bugs <kdelibs-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | adawit, ahartmetz, bernhard, bugs.kde.org, faure, greeneg, jajones, jp7677, kdebugs, miso, rasasi78, roa, Samuele.Kaplun, spillner, thiemel |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Fedora RPMs | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Attachments: | Identification box greyed out |
Description
Mike Pope
2009-02-17 05:28:28 UTC
Same problem here ! I have interesting information in my ~/.xsession-errors : NTLM Authorization seems not to be supported. Problem with the link to libkntlm4 ? kio_http(31510)/kio_http_debug HTTPProtocol::configAuth: Unsupported or invalid authorization type requested kio_http(31510)/kio_http_debug HTTPProtocol::configAuth: Proxy URL: KUrl("http://proxynew.telindus.be:8080") kio_http(31510)/kio_http_debug HTTPProtocol::configAuth: Request Authorization: "NTLM" kio_http(31510)/kio (TCPSlaveBase) KIO::TCPSlaveBase::disconnectFromHost: kded(30407)/kio (KIOJob) KIO::SlaveInterface::dispatch: error 108 "Unknown Authorization method!" Created attachment 31596 [details]
Identification box greyed out
Something interesting too : the "identification" field is greyed out (see attached screenshot)
Reported downstream on the Mandriva Bugzilla (it is also affecting Mandriva cooker) : https://qa.mandriva.com/show_bug.cgi?id=47723 Fixed in KDE 4.2.1 for me. Not fixed yet for me, although there has clearly been progress. I can see konqueror sending an initial request, receiving a 407, retrying with NTLM_NEGOTIATE parameters, receiving another 407 with NTLMSSP_CHALLENGE parameters, retrying again with NTLM_AUTHENTICATE parameters, and finally getting a plain 407 with the official "you need to authenticate" page from the proxy. AFAICT the NTLM_AUTHENTICATE data is at least rational. I can see the correct user and realm therein. It just does not work. Doing the same procedure with firefox yields an identical sequence of packets up to the final 407 which is replaced with correct access to the external website. Hmmm, I agree and I concurr : NTML authentication doesn't work when logging into a website with NTML authentication. I also see the same thing that you do : the final response from konqueror is not right and the server denies access. Same userid and password in firefox leads to a successful login into the website. Seems like there's a mistake in kde's challenge/response NTLM library. Could KDE devs use libntlm (http://josefsson.org/libntlm/) (instead of the internal libkntlm4) ? I'm also puzzled because when I have to go out to the internet I need to use a NTLM authenticating proxy and *this* works... Same here, any site that runs on IIS6 and uses Windows Authentication can't be opened (KDE 4.2.3) If I understand correctly comments from thiago in bug #155707 , NTLMv2 is not supported, but NTLMv1 is. This may explain why I can access the web through the NTLM authenticating proxy but not the internal windows servers. Still present in 4.2.4. Can't log in to any corporate intranet sites or use kmail to check email due to NTLM login failures, so this makes KDE completely unusable for me. Can confirm this is still present in 4.3.2 *** Bug 214838 has been marked as a duplicate of this bug. *** kde 4.4RC2 is affected too *** This bug has been confirmed by popular vote. *** I can confirm this against the OWA site for my work as well under trunk. This is a blocker for those of us forced to use Exchange. I've a test account on our Exchange server here that I can give out for seeing if konqy will connect or not. Contact me outside the bug system for those credentials for testing. Thanks. This report is still valid voor KDE 4.4 (Opensuse). I can't successfully authenticate against a standard Microsoft IIS with Windows Authentication like Exchange OWA with neither Konqueror nor rekonq (0.4 beta). Firefox works just fine. As far as I can judge it comes down to kio: http://websvn.kde.org/trunk/KDE/kdelibs/kioslave/http/httpauthentication.cpp?view=log Regards, Jens Can anyone one of you here post the full sanitized debug output from kio_http here ? Jens was kind enough to make a test server available to me and the debug output I get shows that the failure is immediate for me. At the very first step (type 1) with the error shown below. I want to see how many of you get the same authentication (Negoitiate) failure vs NTLM failure. NOTE: that you can enable debug output to a separate file by invoking "kdebugdialog --fullmode" from krunner and sending the "Information output" to a file of your choice. You can use a full path like /tmp/kio_http.log... kio_http(21066) HTTPProtocol::sendQuery: ============ Sending Header: kio_http(21066) HTTPProtocol::sendQuery: "GET / HTTP/1.1" kio_http(21066) HTTPProtocol::sendQuery: "Host: XXXXXXXXXXXXXXXXXXXXXX" kio_http(21066) HTTPProtocol::sendQuery: "Connection: Keep-Alive" kio_http(21066) HTTPProtocol::sendQuery: "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en_US) AppleWebKit/533.3 (KHTML, like Gecko) Konqueror/4.4 Safari/533.3" kio_http(21066) HTTPProtocol::sendQuery: "Pragma: no-cache" kio_http(21066) HTTPProtocol::sendQuery: "Cache-control: no-cache" kio_http(21066) HTTPProtocol::sendQuery: "Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8" kio_http(21066) HTTPProtocol::sendQuery: "Accept-Encoding: x-gzip, x-deflate, gzip, deflate" kio_http(21066) HTTPProtocol::sendQuery: "Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5" kio_http(21066) HTTPProtocol::sendQuery: "Accept-Language: en-US,en;q=0.9" kio_http(21066)/kio_http_debug HTTPProtocol::httpShouldCloseConnection: Keep Alive: true kio_http(21066)/kio_http_debug HTTPProtocol::httpOpenConnection: kio_http(21066)/kio_http_debug HTTPProtocol::sendQuery: sent it! kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: kio_http(21066) HTTPProtocol::readResponseHeader: ============ Received Status Response: kio_http(21066) HTTPProtocol::readResponseHeader: "HTTP/1.1 401 Unauthorized" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: -- full response: "HTTP/1.1 401 Unauthorized Content-Length: 1656 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM X-Powered-By: ASP.NET Date: Sun, 18 Apr 2010 20:46:21 GMT" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: Content-type: "text/html" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: parsing authentication request; response code = 401 kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: strongest authentication scheme offered is "Negotiate" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: pointer to auth class is now 0x8e20b38 kio_http(21066)/kio_http_debug KHttpNegotiateAuthentication::generateResponse: found SPNEGO mech kio_http(21066)/kio_http_debug KHttpNegotiateAuthentication::generateResponse: gss_init_sec_context failed: " An unsupported mechanism was requested unknown mech-code 0 for mech unknown " kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: auth state: isError true needCredentials true forceKeepAlive false forceDisconnect false headerFragment "" SVN commit 1117542 by adawit: Do not force disconnect the HTTP connection in the middle of NTLM authentication. This along with the changes committed to kdelibs/kio/misc/kntlm/kntlm.cpp should address most, if not all, NTLM authentication related bugs. A great deal of credit and thanks to Jens Peters for helping resolve this problem. BUG:184588 M +13 -12 httpauthentication.cpp WebSVN link: http://websvn.kde.org/?view=rev&revision=1117542 *** Bug 192544 has been marked as a duplicate of this bug. *** *** Bug 138088 has been marked as a duplicate of this bug. *** *** Bug 107384 has been marked as a duplicate of this bug. *** *** Bug 150954 has been marked as a duplicate of this bug. *** |