Apache OpenOffice (AOO) Bugzilla – Issue 104417
webdav NTLMv2 support
Last modified: 2017-05-20 10:44:29 UTC
3.1.0 provides working NTLM support (thank you), as measured against jCIFS's NtlmHttpServlet. Switching to JESPA's NtlmHttpServlet (which adds support for NTLMv2, because of Vista/IE8 switching to disallowing NTLMv1) seems to work fine with IE6-8 and Firefox on XP and Vista, but breaks OOo 3.1's NTLM. It will attempt to log in, but JESPA then logs an error server-side and throws a 403:

    java.io.IOException: Not a Type 1 message.
        at jcifs.ntlmssp.Type1Message.parse(Type1Message.java:232)
        at jcifs.ntlmssp.Type1Message.<init>(Type1Message.java:88)
        at jespa.ntlm.NtlmSecurityProvider.acceptSecContext(NtlmSecurityProvider.java:944)
        at jespa.http.HttpSecurityService.doAuthenticate(HttpSecurityService.java:680)
        at jespa.http.HttpSecurityService.doFilter(HttpSecurityService.java:772)

It looks to me like the updated version of "neon" may be attempting NTLMv2, but not implementing it correctly. (If you google for this error, one possible fix involves apache forwarding REMOTE_PORT -- this happens with and without this option, and with and without apache in front of tomcat. Doesn't seem to be the same situation.) I can't tell from neon's mailing lists if they intended to have NTLMv2 or not -- there are some subversion commits related to it, at least.

Also, in the 3.0 source, neon appears as a simple library and the version number was easy to determine and cross-reference; in the 3.1 source, it looks like the neon code is directly copied into OOo? Is it being maintained separately? I was trying to figure out what version 3.1 included, so I could match it against the neon changelog.
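The jcifs error in the trace above comes from the server inspecting the NTLMSSP token the client sent in its Authorization header. As an added illustration (not code from this thread, from neon or from jcifs/JESPA), the Python decoder below shows what that check looks at: the "NTLMSSP\0" signature, the little-endian message-type field, and, for a Type 1 message, the negotiate flags; the sample header is constructed, and the flag names are the well-known MS-NLMP values.

```python
import base64
import struct

# Negotiate flag bits as defined in MS-NLMP (well-known values).
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    # Extended session security (NTLM2 session response); note that an
    # NTLMv2 response itself is not announced by any Type 1 flag.
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
SIGNATURE = b"NTLMSSP\x00"

def parse_ntlmssp(data, expected_type=None):
    """Decode the 12-byte NTLMSSP header (signature + message type) and, for a
    Type 1 message, its negotiate flags. Raises ValueError when the token is
    not the message type the server expects, as a server-side parser would."""
    if len(data) < 12 or data[:8] != SIGNATURE:
        raise ValueError("Not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if expected_type is not None and msg_type != expected_type:
        raise ValueError("Not a Type %d message" % expected_type)
    info = {"type": msg_type, "flags": None, "flag_names": []}
    if msg_type == 1:
        if len(data) < 32:  # header + flags + domain/workstation fields
            raise ValueError("Type 1 message truncated")
        flags = struct.unpack_from("<I", data, 12)[0]
        info["flags"] = flags
        info["flag_names"] = [n for bit, n in NTLM_FLAGS.items() if flags & bit]
    return info

def parse_authorization_header(value, expected_type=None):
    """Accept an HTTP 'Authorization: NTLM <base64 token>' header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("Not an NTLM Authorization header")
    return parse_ntlmssp(base64.b64decode(token), expected_type)

def build_type1(flags):
    """Constructed Type 1 message with empty domain and workstation fields."""
    return SIGNATURE + struct.pack("<II", 1, flags) + b"\x00" * 16

# Constructed sample: a client offering NTLM with extended session security.
SAMPLE_TYPE1 = build_type1(0x00000001 | 0x00000004 | 0x00000200 | 0x00080000 | 0x20000000)
SAMPLE_HEADER = "NTLM " + base64.b64encode(SAMPLE_TYPE1).decode("ascii")

if __name__ == "__main__":
    print(parse_authorization_header(SAMPLE_HEADER, expected_type=1))
```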
Hi Kai, can you please have a look into this (and reassign to an appropriate developer) ? Thanks, Matthias
unordained: On Windows, OOo comes with its own copy of neon. Code gets statically linked into ucpdav1.dll. From time to time we're updating OOo's neon code. OOo 3.1 contains neon 0.28.2, with some patches applied. Our strategy is to contribute all patches back to the neon project as fast as possible. I have no idea whether neon 0.28 supports NTLMv2. I suggest that you ask the neon guys. In case neon is currently lacking support for NTLMv2 or has a bug in that area I will be happy to update OOo's copy of neon once a fix is available. BTW: Does it work with OOo 3.0.1?
Asking neon mailing list. Will reply here if I hear from them. I had previously tested 3.0.0, not 3.0.1; 3.0.0 failed NTLM entirely, with "General Internet error has occurred". TK (Tobias Krause) pointed me to issue #95310 for that issue, and it's listed as targeting 3.1.
Neon mailing list replies that NTLMv2 support is now ready for testing, for a planned 0.29.0 release. Announcement: http://lists.manyfish.co.uk/pipermail/neon/2009-September/001053.html (Is the listed contributor, 'Kai' == 'kso'? Thanks!)
> Neon mailing list replies that NTLMv2 support is now ready for testing, for a
> planned 0.29.0 release.

Well, it's not that easy... Neon 0.28 contains Windows-only NTLM support. Stuff is implemented using native Windows API (-> SSPI). I have no insights into the neon SSPI implementation and have no idea whether it supports v2 at all or is just buggy. As a matter of fact, the behavior you noticed is caused by the SSPI stuff, because OOo 3.1 uses the SSPI code. You should ask the submitter of the SSPI neon stuff for details.

Starting with 0.29, neon has a completely new NTLM implementation that should work on all platforms, including Windows. This implementation comes with v2 support. I know this implementation "very well". ;-) Thus, starting with neon 0.29, for Windows one can choose between "SSPI" and "NTLM" at neon compile time. For OOo (starting with 3.2) we will choose SSPI for Windows, NTLM on all other platforms. Why? SSPI comes with a very important feature that is currently missing in the NTLM implementation - the ability to automatically use the credentials of the currently logged in Windows user to authenticate with Websites (-> e.g. SharePoint).

> (Is the listed contributor, 'Kai' == 'kso'? Thanks!)

You're welcome. :-)
Yeah, please don't lose that auto-login functionality. As it currently stands on Windows, the user will see the username/password prompt but can just hit 'Okay' and it will still log in correctly. It's not ideal, and I'd probably prefer that it attempt Windows credentials first, then prompt if those fail, but it's better than forcing them to type in their full credentials every time. I can see it has the benefit of letting users impersonate each other if need-be (temporary admin access), and if the prompt were invisible there'd be no opportunity to catch it and switch users, but ... yeah. It's already one extra prompt for my users every time they open a document from the website they're already SSO'ed into.
unordained: You might be interested in this: http://qa.openoffice.org/issues/show_bug.cgi?id=104767
Reset the assignee to the default "issues@openoffice.apache.org".