Version: (using KDE 4.2.0) Compiler: Probably gcc-4.3.2, but I am using fedora binary RPMs OS: Linux Installed from: Fedora RPMs This is what I reported on bugzilla.redhat.com (#485848). I was advised to report upstream. Since "upgrading" to kde 4.2 konqueror no longer handles the NTLM challenge from the corporate proxy server, preventing all external web access. Akregator is likewise borked. This is a serious regression from the last kde 4.1 package. Version-Release number of selected component (if applicable): kdebase-4.2.0-2.fc10.i386 How reproducible: Attempt to access any non-local URL with konqueror. Actual results: Proxy replies with "407 Authentication Required", and konqueror stops there. I can provide tcpdump output if it helps. Expected results: On receipt of the 407 konqueror should try to find a suitable username/password in an available wallet or prompt the user for such, and retry with that, satisfying the proxy and allowing the connection to proceed. Additional info: The proxy is specified with "Configure - Konqueror/Proxy/Manual specify the proxy settings", which have been checked and verified to work with firefox, same as they did before the upgrade. However using the auto-proxy url produces the same breakage. I have tried clearing kwallet, reinitializing with known good passwords, restarting etc, to no effect. I have cleared every cache I can find.
Same problem here ! I have interesting information in my ~/.xsession-errors : NTLM Authorization seems not to be supported. Problem with the link to libkntlm4 ? kio_http(31510)/kio_http_debug HTTPProtocol::configAuth: Unsupported or invalid authorization type requested kio_http(31510)/kio_http_debug HTTPProtocol::configAuth: Proxy URL: KUrl("http://proxynew.telindus.be:8080") kio_http(31510)/kio_http_debug HTTPProtocol::configAuth: Request Authorization: "NTLM" kio_http(31510)/kio (TCPSlaveBase) KIO::TCPSlaveBase::disconnectFromHost: kded(30407)/kio (KIOJob) KIO::SlaveInterface::dispatch: error 108 "Unknown Authorization method!"
Created attachment 31596 [details] Identification box greyed out Something interesting too : the "identification" field is greyed out (see attached screenshot)
Reported downstream on the Mandriva Bugzilla (it is also affecting Mandriva cooker) : https://qa.mandriva.com/show_bug.cgi?id=47723
Fixed in KDE 4.2.1 for me.
Not fixed yet for me, although there has clearly been progress. I can see konqueror sending an initial request, receiving a 407, retrying with NTLM_NEGOTIATE parameters, receiving another 407 with NTLMSSP_CHALLENGE parameters, retrying again with NTLM_AUTHENTICATE parameters, and finally getting a plain 407 with the official "you need to authenticate" page from the proxy. AFAICT the NTLM_AUTHENTICATE data is at least rational. I can see the correct user and realm therein. It just does not work. Doing the same procedure with firefox yields an identical sequence of packets up to the final 407 which is replaced with correct access to the external website.
Hmmm, I agree and I concurr : NTML authentication doesn't work when logging into a website with NTML authentication. I also see the same thing that you do : the final response from konqueror is not right and the server denies access. Same userid and password in firefox leads to a successful login into the website. Seems like there's a mistake in kde's challenge/response NTLM library. Could KDE devs use libntlm (http://josefsson.org/libntlm/) (instead of the internal libkntlm4) ? I'm also puzzled because when I have to go out to the internet I need to use a NTLM authenticating proxy and *this* works...
Same here, any site that runs on IIS6 and uses Windows Authentication can't be opened (KDE 4.2.3)
If I understand correctly comments from thiago in bug #155707 , NTLMv2 is not supported, but NTLMv1 is. This may explain why I can access the web through the NTLM authenticating proxy but not the internal windows servers.
Still present in 4.2.4. Can't log in to any corporate intranet sites or use kmail to check email due to NTLM login failures, so this makes KDE completely unusable for me.
Can confirm this is still present in 4.3.2
*** Bug 214838 has been marked as a duplicate of this bug. ***
kde 4.4RC2 is affected too
*** This bug has been confirmed by popular vote. ***
I can confirm this against the OWA site for my work as well under trunk. This is a blocker for those of us forced to use Exchange. I've a test account on our Exchange server here that I can give out for seeing if konqy will connect or not. Contact me outside the bug system for those credentials for testing. Thanks.
This report is still valid voor KDE 4.4 (Opensuse). I can't successfully authenticate against a standard Microsoft IIS with Windows Authentication like Exchange OWA with neither Konqueror nor rekonq (0.4 beta). Firefox works just fine. As far as I can judge it comes down to kio: http://websvn.kde.org/trunk/KDE/kdelibs/kioslave/http/httpauthentication.cpp?view=log Regards, Jens
Can anyone one of you here post the full sanitized debug output from kio_http here ? Jens was kind enough to make a test server available to me and the debug output I get shows that the failure is immediate for me. At the very first step (type 1) with the error shown below. I want to see how many of you get the same authentication (Negoitiate) failure vs NTLM failure. NOTE: that you can enable debug output to a separate file by invoking "kdebugdialog --fullmode" from krunner and sending the "Information output" to a file of your choice. You can use a full path like /tmp/kio_http.log... kio_http(21066) HTTPProtocol::sendQuery: ============ Sending Header: kio_http(21066) HTTPProtocol::sendQuery: "GET / HTTP/1.1" kio_http(21066) HTTPProtocol::sendQuery: "Host: XXXXXXXXXXXXXXXXXXXXXX" kio_http(21066) HTTPProtocol::sendQuery: "Connection: Keep-Alive" kio_http(21066) HTTPProtocol::sendQuery: "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en_US) AppleWebKit/533.3 (KHTML, like Gecko) Konqueror/4.4 Safari/533.3" kio_http(21066) HTTPProtocol::sendQuery: "Pragma: no-cache" kio_http(21066) HTTPProtocol::sendQuery: "Cache-control: no-cache" kio_http(21066) HTTPProtocol::sendQuery: "Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8" kio_http(21066) HTTPProtocol::sendQuery: "Accept-Encoding: x-gzip, x-deflate, gzip, deflate" kio_http(21066) HTTPProtocol::sendQuery: "Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5" kio_http(21066) HTTPProtocol::sendQuery: "Accept-Language: en-US,en;q=0.9" kio_http(21066)/kio_http_debug HTTPProtocol::httpShouldCloseConnection: Keep Alive: true kio_http(21066)/kio_http_debug HTTPProtocol::httpOpenConnection: kio_http(21066)/kio_http_debug HTTPProtocol::sendQuery: sent it! kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: kio_http(21066) HTTPProtocol::readResponseHeader: ============ Received Status Response: kio_http(21066) HTTPProtocol::readResponseHeader: "HTTP/1.1 401 Unauthorized" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: -- full response: "HTTP/1.1 401 Unauthorized Content-Length: 1656 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM X-Powered-By: ASP.NET Date: Sun, 18 Apr 2010 20:46:21 GMT" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: Content-type: "text/html" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: parsing authentication request; response code = 401 kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: strongest authentication scheme offered is "Negotiate" kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: pointer to auth class is now 0x8e20b38 kio_http(21066)/kio_http_debug KHttpNegotiateAuthentication::generateResponse: found SPNEGO mech kio_http(21066)/kio_http_debug KHttpNegotiateAuthentication::generateResponse: gss_init_sec_context failed: " An unsupported mechanism was requested unknown mech-code 0 for mech unknown " kio_http(21066)/kio_http_debug HTTPProtocol::readResponseHeader: auth state: isError true needCredentials true forceKeepAlive false forceDisconnect false headerFragment ""
SVN commit 1117542 by adawit: Do not force disconnect the HTTP connection in the middle of NTLM authentication. This along with the changes committed to kdelibs/kio/misc/kntlm/kntlm.cpp should address most, if not all, NTLM authentication related bugs. A great deal of credit and thanks to Jens Peters for helping resolve this problem. BUG:184588 M +13 -12 httpauthentication.cpp WebSVN link: http://websvn.kde.org/?view=rev&revision=1117542
*** Bug 192544 has been marked as a duplicate of this bug. ***
*** Bug 138088 has been marked as a duplicate of this bug. ***
*** Bug 107384 has been marked as a duplicate of this bug. ***
*** Bug 150954 has been marked as a duplicate of this bug. ***