Item5859: Plugin does not work if using NTLM
TinyMCE plugin does not work with NTLM
As noted on TinyMCEPluginDev
several users have reported problems when using TinyMCE with NTLM authentication. The problem is that the page never loads or you are prompted for credentials which are then never accepted. (how the problem manifests itself depends on the browser used).
I too have the same problem.
TinyMCE is the default editor in TWiki 4.2 and NTLM authentication is used on many corporate intranet TWikis which means this "bug" is obviously a problem for the adoption of TWiki 4.2. Therefore I've taken the liberty of reporting this as priority "Urgent".
reported on TinyMCEPluginDev
that it could simply be fixed by removing
without much information as to why.
I've found the following links to support this:
- 01 Aug 2008
OK, thanks Lars. I cannot test NTLM, but you can, so can you please remove that line and confirm here that it fixes the problem. When you have confirmed, then that together with the links will be enough for me and I will remove the line from the source.
- 01 Aug 2008
I'm sorry for not having responded on this earlier. Holiday season I'm afraid. I've got bad news: I cannot make it work even by removing the line above. It is true that others have reported the opposite but as for me it doesn't seem to change a thing.
- 31 Aug 2008
OK. I'm sorry, Lars, but as I said before I can't test NTLM, and I'm relying on you (and other NTLM users) to isolate this problem.
- 16 Sep 2008
There are a couple of issues at play here...
When POSTing to a sub-context of a site that IE has previously negotiated NTLM authentication with, IE will by default send a zero-content POST with a
header. From what I have read this is because IE assumes that the server will respond to the re-authentication attempt with a with a "401 Not Authorised" containing a
header. Should the client and server implement NTLM correctly, the client will submit the POST again, this time with the appropriate content and a
header, the server will validate it and process the POST normally.
Unfortunately mod_auth_sspi v1.0.4 and earlier does not catch the
on the existing pipelined connection and the request slips through to the keeper...ahem... cgi script, missing POST content and all. I have observed this to cause:
- oops pages with "Incorrect parameters in save script",
- Empty TinyMCE editor windows (ie, the loading please wait message disappears but does not get replaced with the topic content) and entries in the Apache error log about uninitialized variables within the functions that convert between Unicode and ISO character sets.
- Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.
This can be partially fixed by including the directive
for every directory authenticated using SSPI (I have found that unless you put it in every Directory section using SSPI it doesn't actually take effect anywhere). This causes 1.0.4 to revert to 1.0.3 behaviour where every request (GET, POST or otherwise) is re-athenticated. There will obviously be a non-negligible waste of time and bandwidth but it will have to do until mod_auth_sspi is fixed to detect the
. (There was a contributed patch that looks for the empty POST but IMHO this is the incorrect way of solving it).
The other change necessary is to remove the
from twiki_tiny.js as previously mentioned. This is to solve an issue in IE involving NTLM authenticated POSTs in IE submitted using XMLHttpRequests
. With the header in place, IE does all sorts of silly things like sending the NTLM_NEGOTIATE in one connection and the NTLM_AUTH in another, or simply closing the connection after the NTLM_NEGOTIATE and failing to send the POST with NTLM_AUTH at all. From what I understand for NTLM Authentication to work pipelined connections must
be used due to the three-way handshake involved. Note that the same header must be removed from the code that is used in the upload dialog (Can't remember where it was). If you are getting this problem you will observe entries such as
(OS 87)The parameter is incorrect. : authentication failure for "": user unknown, reason: cannot generate context
in the Apache error log.
Finally a few people on the net have been suggesting solutions such as setting MaxKeepAlives
to 1, setting large or small keep-alive timeouts, forcing the username returned by mod_auth_sspi to lower-case, etc. I have found that none of these are reliable.
are even suggested, which I would strongly recommend against as your credentials are essentially sent cleartext.
Hope this helps (or at least prevents you from wasting as much time and frustration as I did
Thanks Lee, that is indeed a big help. I have removed the offending setRequestHeader calls. I also created a FAQ
in Support web with the guidance above, and signed your name to it.
OK, I just tried something else. I also found the "close" statement in the file
I deleted the line THERE, and it seems to work now....
- 17 Feb 2009
Just found out that we have the same problem in attach.js (and attach_src.js) which is called when you press the attachment-button in TinyMCE
. Just remove that line, and you will be fine.
- 05 Mar 2009
Re-opened to remind me to review Ingo's findings.
- 09 Mar 2009
In the 3.2.2 upgrade I changed all the XHR calls to use the TMCE API which doesn't do a close, so should be good for NTLM. However as stated I don't use it, so the question is still open. Changing this to requiring feedback from an NTLM user who can test the TMCE code that is currently committed to the trunk.
- 18 Mar 2009
I may be able to test this soon. I'm setting up a new PoC
and it will be a foswiki install.
BTW, good to see you read my rants
3. Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.
- 19 Mar 2009
Okay, finally got around to installing Foswiki and testing out NTLM. Looks like the problems associated with XMLHttpRequests
POSTS when using IE and NTLM no longer occur, which is great!
I am using the
install on a Windows 2003 Server VM with
. The appropriate
LoadModule sspi_auth_module modules\mod_auth_sspi.so
was added to the top of
. The following was added to the
AuthName "MyCompany Windows Domain"
declarations were commented out, and the
declaration was changed from
to my login in the
was set to
was checked and
Tested with IE 6.0 and Firefox 3.0.3 clients. Wireshark didn't display any issues with the requests to
, etc. No problems attaching files via the WYSIWYG editor popup, and no problems with saves having incorrect parameters nor errors in the Apache log. Note that I still had to use
in the directory sections within my
v1.0.4 failing to handle IE's renewed NTLM negotiate with a empty POST (a small conciliation).
I suggest that you can close this out. Keep up the good work guys!
- 15 Apr 2009
Thanks Lee, that's excellent news. Closing.
- 15 Apr 2009