How do I use WYSIWYG with NTLM?
Several people have encountered problems using the Foswiki WYSIWYG editor with NTLM authentication
There are a couple of issues at play here...
When POSTing to a sub-context of a site that IE has previously negotiated NTLM authentication with, IE will by default send a zero-content POST with a
header. From what I have read this is because IE assumes that the server will respond to the re-authentication attempt with a with a
401 Not Authorised
header. Should the client and server implement NTLM correctly, the client will submit the POST again, this time with the appropriate content and a
header, the server will validate it and process the POST normally.
v1.0.4 and earlier does not catch the
on the existing pipelined connection and the request slips through to the keeper...ahem... cgi script, missing POST content and all. I have observed this to cause:
This can be partially fixed by
oops pages with
Incorrect parameters in save script
- Empty TinyMCE editor windows (ie, the loading please wait message disappears but does not get replaced with the topic content) and entries in the Apache error log about uninitialized variables within the functions that convert between Unicode and ISO character sets.
- Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.
including the directive
for every directory authenticated using SSPI (I have found that unless you put it in every Directory section using SSPI it doesn't actually take effect anywhere). This causes 1.0.4 to revert to 1.0.3 behaviour where every request (GET, POST or otherwise) is re-athenticated. There will obviously be a non-negligible waste of time and bandwidth but it will have to do until
is fixed to detect the
. (There was a contributed patch that looks for the empty POST but IMHO this is the incorrect way of solving it).
The other change necessary (TWiki only)
is to remove the
(already done in Foswiki). This is to solve an issue in IE involving NTLM authenticated POSTs in IE submitted using XMLHttpRequests. With the header in place, IE does all sorts of silly things like sending the NTLM_NEGOTIATE in one connection and the NTLM_AUTH in another, or simply closing the connection after the NTLM_NEGOTIATE and failing to send the POST with NTLM_AUTH at all. From what I understand for NTLM Authentication to work pipelined connections must
be used due to the three-way handshake involved. . If you are getting this problem you will observe entries such as
(OS 87)The parameter is incorrect. : authentication failure for "": user unknown, reason: cannot generate context
in the Apache error log.
Finally a few people on the net have been suggesting solutions such as setting
to 1, setting large or small keep-alive timeouts, forcing the username returned by
to lower-case, etc. I have found that none of these are reliable.
are even suggested, which I would strongly recommend against as your credentials are essentially sent cleartext.
Hope this helps (or at least prevents you from wasting as much time and frustration as I did
- 05 Dec 2008