Item5859: Plugin does not work if using NTLM

Priority: Urgent
Current State: Closed
Released In:
Target Release: patch
Applies To: Extension
Component: TinyMCEPlugin
Branches:
Reported By: TWiki:Main.LarsHaarber
Waiting For:
Last Change By: CrawfordCurrie

TinyMCE plugin does not work with NTLM

As noted on TinyMCEPluginDev several users have reported problems when using TinyMCE with NTLM authentication. The problem is that the page never loads or you are prompted for credentials which are then never accepted. (how the problem manifests itself depends on the browser used).

I too have the same problem.

TinyMCE is the default editor in TWiki 4.2 and NTLM authentication is used on many corporate intranet TWikis which means this "bug" is obviously a problem for the adoption of TWiki 4.2. Therefore I've taken the liberty of reporting this as priority "Urgent".

Sergei Klink reported on TinyMCEPluginDev that it could simply be fixed by removing

TWikiTiny.request.req.setRequestHeader("Connection", "close");

from twiki_tiny.js without much information as to why.

I've found the following links to support this:

http://forums.msdn.microsoft.com/en-US/sharepointdevelopment/thread/5561b6aa-4fc3-4114-bf23-817ccbc88959/

http://groups.google.com/group/ajaxpro/browse_thread/thread/278b4688f17641ff/4ad3cfc77899b17e?lnk=gst&q=ajax+ntlm&rnum=2#4ad3cfc77899b17e

-- TWiki:Main/LarsHaarber - 01 Aug 2008

OK, thanks Lars. I cannot test NTLM, but you can, so can you please remove that line and confirm here that it fixes the problem. When you have confirmed, then that together with the links will be enough for me and I will remove the line from the source.

-- CrawfordCurrie - 01 Aug 2008

I'm sorry for not having responded on this earlier. Holiday season I'm afraid. I've got bad news: I cannot make it work even by removing the line above. It is true that others have reported the opposite but as for me it doesn't seem to change a thing.

-- TWiki:Main.LarsHaarber - 31 Aug 2008

OK. I'm sorry, Lars, but as I said before I can't test NTLM, and I'm relying on you (and other NTLM users) to isolate this problem.

-- CrawfordCurrie - 16 Sep 2008

There are a couple of issues at play here...

When POSTing to a sub-context of a site that IE has previously negotiated NTLM authentication with, IE will by default send a zero-content POST with a NTLM_NEGOTIATE header. From what I have read this is because IE assumes that the server will respond to the re-authentication attempt with a with a "401 Not Authorised" containing a NTLM_CHALLENGE header. Should the client and server implement NTLM correctly, the client will submit the POST again, this time with the appropriate content and a NTLM_AUTH header, the server will validate it and process the POST normally.

Unfortunately mod_auth_sspi v1.0.4 and earlier does not catch the NTLM_NEGOTIATE on the existing pipelined connection and the request slips through to the keeper...ahem... cgi script, missing POST content and all. I have observed this to cause:
  1. oops pages with "Incorrect parameters in save script",
  2. Empty TinyMCE editor windows (ie, the loading please wait message disappears but does not get replaced with the topic content) and entries in the Apache error log about uninitialized variables within the functions that convert between Unicode and ISO character sets.
  3. Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.
This can be partially fixed by including the directive SSPIPerRequestAuth on for every directory authenticated using SSPI (I have found that unless you put it in every Directory section using SSPI it doesn't actually take effect anywhere). This causes 1.0.4 to revert to 1.0.3 behaviour where every request (GET, POST or otherwise) is re-athenticated. There will obviously be a non-negligible waste of time and bandwidth but it will have to do until mod_auth_sspi is fixed to detect the NTLM_NEGOTIATE. (There was a contributed patch that looks for the empty POST but IMHO this is the incorrect way of solving it).

The other change necessary is to remove the TWikiTiny.request.req.setRequestHeader("Connection", "close"); from twiki_tiny.js as previously mentioned. This is to solve an issue in IE involving NTLM authenticated POSTs in IE submitted using XMLHttpRequests. With the header in place, IE does all sorts of silly things like sending the NTLM_NEGOTIATE in one connection and the NTLM_AUTH in another, or simply closing the connection after the NTLM_NEGOTIATE and failing to send the POST with NTLM_AUTH at all. From what I understand for NTLM Authentication to work pipelined connections must be used due to the three-way handshake involved. Note that the same header must be removed from the code that is used in the upload dialog (Can't remember where it was). If you are getting this problem you will observe entries such as (OS 87)The parameter is incorrect. : authentication failure for "": user unknown, reason: cannot generate context in the Apache error log.

Finally a few people on the net have been suggesting solutions such as setting MaxKeepAlives to 1, setting large or small keep-alive timeouts, forcing the username returned by mod_auth_sspi to lower-case, etc. I have found that none of these are reliable. SSPIOfferBasic on and SSPIBasicPreferred on are even suggested, which I would strongly recommend against as your credentials are essentially sent cleartext.

Hope this helps (or at least prevents you from wasting as much time and frustration as I did wink )

Thanks Lee, that is indeed a big help. I have removed the offending setRequestHeader calls. I also created a FAQ in Support web with the guidance above, and signed your name to it.

OK, I just tried something else. I also found the "close" statement in the file

twiki_tiny_src.js

I deleted the line THERE, and it seems to work now....

-- TWiki:Main.IngoFechtel - 17 Feb 2009

Just found out that we have the same problem in attach.js (and attach_src.js) which is called when you press the attachment-button in TinyMCE. Just remove that line, and you will be fine.

-- TWiki:Main.IngoFechtel - 05 Mar 2009

Re-opened to remind me to review Ingo's findings.

-- CrawfordCurrie - 09 Mar 2009

In the 3.2.2 upgrade I changed all the XHR calls to use the TMCE API which doesn't do a close, so should be good for NTLM. However as stated I don't use it, so the question is still open. Changing this to requiring feedback from an NTLM user who can test the TMCE code that is currently committed to the trunk.

-- CrawfordCurrie - 18 Mar 2009

I may be able to test this soon. I'm setting up a new PoC and it will be a foswiki install. BTW, good to see you read my rants wink

3. Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.

-- LeeRyman - 19 Mar 2009

Okay, finally got around to installing Foswiki and testing out NTLM. Looks like the problems associated with XMLHttpRequests POSTS when using IE and NTLM no longer occur, which is great!

I am using the Foswiki-1.0.4-0-strawberry.exe install on a Windows 2003 Server VM with mod_auth_sspi-1.0.4-2.2.2.zip from http://sourceforge.net/projects/mod-auth-sspi. The appropriate LoadModule sspi_auth_module   modules\mod_auth_sspi.so was added to the top of Foswiki.conf. The following was added to the <Directory  "C:/PROGRA~1/Foswiki/Foswiki/bin/"> and <Directory  "C:/PROGRA~1/Foswiki/Foswiki/pub/"> sections...

    AuthName "MyCompany Windows Domain"
    AuthType SSPI
    SSPIAuth On
    SSPIDomain MyCompany
    SSPIAuthoritative On
    SSPIPerRequestAuth On
    Require valid-user

... AuthUserFile, AuthName and AuthBasic declarations were commented out, and the Require user declaration was changed from admin to my login in the section. {LoginManager} was set to ApacheLogin, {AllowLoginName} was checked and {PasswordManager} set to none.

Tested with IE 6.0 and Firefox 3.0.3 clients. Wireshark didn't display any issues with the requests to rest, save, upload, etc. No problems attaching files via the WYSIWYG editor popup, and no problems with saves having incorrect parameters nor errors in the Apache log. Note that I still had to use SSPIPerRequestAuth on in the directory sections within my Foswiki.conf because of mod_auth_sspi v1.0.4 failing to handle IE's renewed NTLM negotiate with a empty POST (a small conciliation).

I suggest that you can close this out. Keep up the good work guys!

-- LeeRyman - 15 Apr 2009

Thanks Lee, that's excellent news. Closing.

-- CrawfordCurrie - 15 Apr 2009

ItemTemplate edit

Summary Plugin does not work if using NTLM
ReportedBy TWiki:Main.LarsHaarber
Codebase
SVN Range TWiki-5.0.0, Sun, 27 Jul 2008, build 17148
AppliesTo Extension
Component TinyMCEPlugin
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:35f443da2c68
TargetRelease patch
ReleasedIn
Topic revision: r17 - 15 Apr 2009, CrawfordCurrie
 
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement. Creative Commons License