How do I use WYSIWYG with NTLM?

Several people have encountered problems using the Foswiki WYSIWYG editor with NTLM authentication.

There are a couple of issues at play here...

When POSTing to a sub-context of a site with which IE has previously negotiated NTLM authentication, IE will by default send a zero-content POST carrying an NTLM_NEGOTIATE header. From what I have read, this is because IE assumes the server will respond to the re-authentication attempt with a 401 Not Authorised containing an NTLM_CHALLENGE header. Should the client and server implement NTLM correctly, the client will then submit the POST again, this time with the full content and an NTLM_AUTH header; the server validates it and processes the POST normally.

Unfortunately, mod_auth_sspi v1.0.4 and earlier does not catch the NTLM_NEGOTIATE on the existing pipelined connection, and the request slips through to the keeper...ahem... cgi script, missing POST content and all. I have observed this to cause:
  • oops pages with Incorrect parameters in save script
  • Empty TinyMCE editor windows (i.e., the "loading, please wait" message disappears but is not replaced with the topic content) and entries in the Apache error log about uninitialized variables within the functions that convert between Unicode and ISO character sets.
  • Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.
This can be partially fixed by including the directive SSPIPerRequestAuth on for every directory authenticated using SSPI (I have found that unless you put it in every Directory section using SSPI it doesn't actually take effect anywhere). This causes 1.0.4 to revert to the 1.0.3 behaviour, where every request (GET, POST or otherwise) is re-authenticated. There will obviously be a non-negligible waste of time and bandwidth, but it will have to do until mod_auth_sspi is fixed to detect the NTLM_NEGOTIATE. (There was a contributed patch that looks for the empty POST, but IMHO this is the incorrect way of solving it.)

The other change necessary (TWiki only) is to remove the TWikiTiny.request.req.setRequestHeader("Connection", "close"); line from twiki_tiny.js and attach.js (already done in Foswiki). This solves an issue in IE involving NTLM authenticated POSTs submitted using XMLHttpRequests. With the header in place, IE does all sorts of silly things, like sending the NTLM_NEGOTIATE on one connection and the NTLM_AUTH on another, or simply closing the connection after the NTLM_NEGOTIATE and failing to send the POST with NTLM_AUTH at all. From what I understand, for NTLM authentication to work, the connection must stay open (pipelined) across the three-way handshake involved. If you are getting this problem you will observe entries such as "(OS 87)The parameter is incorrect. : authentication failure for "": user unknown, reason: cannot generate context" in the Apache error log.

Finally, a few people on the net have been suggesting solutions such as setting MaxKeepAlives to 1, setting large or small keep-alive timeouts, forcing the username returned by mod_auth_sspi to lower-case, etc. I have found that none of these are reliable. SSPIOfferBasic on and SSPIBasicPreferred on are even suggested, which I would strongly recommend against, as your credentials are then essentially sent in cleartext.
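To check an httpd.conf for the two points above (SSPIPerRequestAuth on missing from a Directory section that uses SSPI, and SSPIOfferBasic / SSPIBasicPreferred switched on), here is a small audit script. It is an added example, not part of this FAQ or of mod_auth_sspi; the config fragment and the /path/to/foswiki paths inside it are constructed for illustration.

```python
import re

# Constructed sample httpd.conf fragment (placeholder paths, not a real install):
# three Directory blocks using mod_auth_sspi, only the first with the per-request fix.
SAMPLE_CONF = """\
<Directory "/path/to/foswiki/bin">
    AuthType SSPI
    SSPIAuth On
    SSPIPerRequestAuth On
    Require valid-user
</Directory>
<Directory "/path/to/foswiki/pub">
    AuthType SSPI
    SSPIAuth On
    Require valid-user
</Directory>
<Directory "/path/to/foswiki/bin/upload">
    AuthType SSPI
    SSPIAuth On
    SSPIOfferBasic On
    SSPIBasicPreferred On
    Require valid-user
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)

def parse_directives(body):
    """Map directive name (lower-cased) to its value for one Directory block."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    return out

def audit_sspi(conf):
    """Return {directory path: [findings]} for every Directory block protected by SSPI."""
    findings = {}
    for path, body in DIR_RE.findall(conf):
        d = parse_directives(body)
        if d.get("authtype") != "sspi" and d.get("sspiauth") != "on":
            continue  # not an SSPI-authenticated directory, nothing to check
        problems = []
        if d.get("sspiperrequestauth") != "on":
            problems.append("missing 'SSPIPerRequestAuth on': empty NTLM_NEGOTIATE POSTs can reach the CGI")
        if d.get("sspiofferbasic") == "on" or d.get("sspibasicpreferred") == "on":
            problems.append("Basic auth offered/preferred: credentials would be sent in cleartext")
        findings[path] = problems
    return findings

if __name__ == "__main__":
    for path, problems in audit_sspi(SAMPLE_CONF).items():
        print(path, "OK" if not problems else "; ".join(problems))
```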

Hope this helps (or at least prevents you from wasting as much time and frustration as I did).

-- LeeRyman - 05 Dec 2008

Support.FAQForm

TopicClassification: FrequentlyAskedQuestion
Subject: Editing, Extension, Registration or Authentication or Authorisation
Topic Summary: Tips for using WYSIWYG with NTLM
Topic revision: r3 - 27 Dec 2011, ArthurClemens
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere.