Todd Garrison
2005-Oct-03 20:34 UTC
[Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Hello,

I have set up mod_ntlm_winbind to provide authentication for an Apache 1.3.33 webserver running on Fedora Core 3. The authentication works, but I have run into a problem when using Internet Explorer.

It seems that the problem might be with Internet Explorer itself, but here is what I think is happening - the browser will not submit any forms with a POST method on a website protected with NTLM Auth.

Everything seems to work fine when using Firefox/Mozilla, but IE6 has a problem. Attached is the text extracted from a packet capture using both browsers:

------------------------------------------------------------------------------
FireFox 1.0.5

POST /xxxxx/index.php HTTP/1.1
Host: xxxxxxx.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://xxxxx/xxxxx/index.php
Cookie: mosvisitor=1; sessioncookie=ddb9c2c8530d1ec2f1451a4b7b54d793; JTSIJNC=c85293981579b316a017e47018ec1a5e
Content-Type: application/x-www-form-urlencoded
Content-Length: 119

username=xxxxxx&passwd=xxxxx&option=login&Submit=Login&op2=login&lang=english&return=%2Fxxxxx%2Findex.php&message=0
------------------------------------------------------------------------------
Internet Explorer 6.0.2800.1106.xpsp2.050301-1526

POST /xxxxx/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://xxxxxx.com/xxxxx/index.php?option=com_registration&task=lostPassword
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: xxxxxx.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: mosvisitor=1; JTSIJNC=a3ac998c0d34c8d35500bf11db76d33d; sessioncookie=e52c21e3860b799d6253a0d2efe2d6cc
Authorization: NTLM NTLM-HASH-HAS-BEEN-REMOVED-FROM-PACKET-CAPTURE=
------------------------------------------------------------------------------

You can see that IE6 sends content-length: 0 and includes the NTLM hash again, whereas Firefox does not.

Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error?

Thanks for any help you can provide!

Todd Garrison
Andrew Bartlett
2005-Oct-03 21:22 UTC
[Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-03 at 14:34 -0600, Todd Garrison wrote:
> Hello,
>
> I have set up mod_ntlm_winbind

Firstly, I presume this is the version from lorikeet SVN?

> to provide authentication for an Apache
> 1.3.33 webserver running on Fedora Core 3. The authentication works,
> but I have run into a problem when using Internet Explorer.
>
> It seems that the problem might be with Internet Explorer itself, but
> here is what I think is happening - the browser will not submit any
> forms with a POST method on a website protected with NTLM Auth.
>
> Everything seems to work fine when using Firefox/Mozilla, but IE6 has
> a problem. Attached is the text extracted from a packet capture using
> both browsers:

> You can see that IE6 sends content-length: 0 and includes the NTLM
> hash again, whereas Firefox does not.
>
> Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error?

It looks like MSIE is avoiding resubmitting the POST twice for the multiple round trips of the NTLM exchange. Firefox is probably still sitting on an existing connection.

So, I think the issue might be that apache is not handling the NTLM authentication request to the module, but we would need to see more server-side logs and a real (uncensored, unfortunately) packet capture.

A small group of developers trying to take mod_ntlm_winbind further are gathering, I think we need to set up a public webpage and some contact details...

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
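
The reply above reads the IE6 request as one leg of the multi-round-trip NTLM exchange. As an added example (not part of the thread and not mod_ntlm_winbind code), this Python snippet decodes the NTLMSSP message type from an `Authorization: NTLM` header and reports which leg a captured POST belongs to; a redacted token like the one in the posted capture cannot be decoded, which is why an uncensored capture was requested. The function names, host, path and tokens are constructed for illustration.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def parse_request(raw):
    """Split a raw HTTP request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body

def ntlm_message_type(headers):
    """Return the NTLMSSP message type in Authorization, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        blob = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # redacted or damaged token
        return None
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack_from("<I", blob, 8)[0]  # little-endian uint32

def classify(raw):
    """Say which leg of the NTLM exchange a captured request belongs to."""
    method, headers, _ = parse_request(raw)
    msg_type = ntlm_message_type(headers)
    if msg_type is None:
        return "no NTLM token"
    length = int(headers.get("content-length") or 0)
    leg = NTLM_TYPES.get(msg_type, "unknown")
    if method == "POST" and length == 0:
        # Empty POST: on type 1 the form data is being held back for a later leg.
        return leg + (" leg, body deferred" if msg_type == 1 else " leg, body missing")
    return "%s leg, %d body bytes" % (leg, length)

def make_token(msg_type):
    """Constructed stand-in token: NTLMSSP signature, type, zero padding."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + bytes(8)).decode()

# Constructed requests (hypothetical host and path), not taken from the thread.
HEAD = "POST /app/index.php HTTP/1.1\r\nHost: intranet.example\r\n"
FIRST = HEAD + "Content-Length: 0\r\nAuthorization: NTLM %s\r\n\r\n" % make_token(1)
FINAL = HEAD + "Content-Length: 12\r\nAuthorization: NTLM %s\r\n\r\noption=login" % make_token(3)
```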
Todd Garrison
2005-Oct-03 21:34 UTC
[Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
> Firstly, I presume this is the version from lorikeet SVN?

Correct.

> So, I think the issue might be that apache is not handling the NTLM
> authentication request to the module, but we would need to see more
> server-side logs and a real (uncensored, unfortunately) packet capture.

I could get you a pcap file, okay if I send it to you directly, off-list?

Thanks!

Todd
Andrew Bartlett
2005-Oct-03 21:36 UTC
[Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
On Mon, 2005-10-03 at 15:34 -0600, Todd Garrison wrote:
> > Firstly, I presume this is the version from lorikeet SVN?
>
> Correct.
>
> > So, I think the issue might be that apache is not handling the NTLM
> > authentication request to the module, but we would need to see more
> > server-side logs and a real (uncensored, unfortunately) packet capture.
>
> I could get you a pcap file, okay if I send it to you directly, off-list?

Sure.

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Todd Garrison
2005-Oct-05 17:50 UTC
[Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Hi Andrew,

The patch you committed to SVN seems to be working, but I ran into another problem when dealing with 302 redirects, similar circumstance. I played with the code a little and found something that seems to work, but I probably just opened a gaping security hole? Here is a diff from SVN . . .

Todd Garrison
Todd Garrison
2005-Oct-05 18:58 UTC
[Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Ha! Nevermind, that messes other things up . . . at least I tried.

On 10/5/05, Todd Garrison <frameloss@gmail.com> wrote:
> Hi Andrew,
>
> The patch you committed to SVN seems to be working, but I ran into
> another problem when dealing with 302 redirects, similar circumstance.
> I played with the code a little and found something that seems to
> work, but I probably just opened a gaping security hole? Here is a
> diff from SVN . . .
>
> Todd Garrison
On Mon, Oct 03, 2005 at 02:34:22PM -0600, Todd Garrison wrote:
> I have set up mod_ntlm_winbind to provide authentication for an Apache
> 1.3.33 webserver running on Fedora Core 3. The authentication works,
> but I have run into a problem when using Internet Explorer.
>
> It seems that the problem might be with Internet Explorer itself, but
> here is what I think is happening - the browser will not submit any
> forms with a POST method on a website protected with NTLM Auth.
>
> Everything seems to work fine when using Firefox/Mozilla, but IE6 has
> a problem. Attached is the text extracted from a packet capture using
> both browsers:

> You can see that IE6 sends content-length: 0 and includes the NTLM
> hash again, whereas Firefox does not.
>
> Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error?

You never specified if you were using HTTP or HTTPS, but if you're doing this over HTTPS you may find this link helpful:

http://telanis.cns.ualberta.ca/index.txt

Apparently there's a bug in IE6 that occurs only with POST requests over HTTPS when using keep-alive which is required for NTLM authentication.

Ed Plese
Collen Blijenberg
2005-Oct-10 09:43 UTC
[Samba] mod_ntlm_winbind on Apache vs. IE6, no POST method
Is the mod_ntlm_winbind already apache 2.XX ready?? Or is it still written for the 1.3.XX version?

Collen

Andrew Bartlett wrote:
> On Mon, 2005-10-03 at 14:34 -0600, Todd Garrison wrote:
>> Hello,
>>
>> I have set up mod_ntlm_winbind
>
> Firstly, I presume this is the version from lorikeet SVN?
>
>> to provide authentication for an Apache
>> 1.3.33 webserver running on Fedora Core 3. The authentication works,
>> but I have run into a problem when using Internet Explorer.
>>
>> It seems that the problem might be with Internet Explorer itself, but
>> here is what I think is happening - the browser will not submit any
>> forms with a POST method on a website protected with NTLM Auth.
>>
>> Everything seems to work fine when using Firefox/Mozilla, but IE6 has
>> a problem. Attached is the text extracted from a packet capture using
>> both browsers:
>
>> You can see that IE6 sends content-length: 0 and includes the NTLM
>> hash again, whereas Firefox does not.
>>
>> Is this a bug in mod_ntlm_winbind, IE6, or just a configuration error?
>
> It looks like MSIE is avoiding resubmitting the POST twice for the
> multiple round trips of the NTLM exchange. Firefox is probably still
> sitting on an existing connection.
>
> So, I think the issue might be that apache is not handling the NTLM
> authentication request to the module, but we would need to see more
> server-side logs and a real (uncensored, unfortunately) packet capture.
>
> A small group of developers trying to take mod_ntlm_winbind further are
> gathering, I think we need to set up a public webpage and some contact
> details...
>
> Andrew Bartlett