Issue 104417 - webdav NTLMv2 support
Summary: webdav NTLMv2 support
Status: UNCONFIRMED
Alias: None
Product: ucb
Classification: Code
Component: code
Version: OOo 3.1
Hardware: Unknown All
Importance: P4 Trivial
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords: needhelp
Depends on:
Blocks:
 
Reported: 2009-08-21 19:09 UTC by unordained
Modified: 2017-05-20 10:44 UTC

See Also:
Issue Type: ENHANCEMENT
Latest Confirmation in: ---
Developer Difficulty: ---


Description unordained 2009-08-21 19:09:07 UTC
3.1.0 provides working NTLM support (thank you), as measured against jCIFS's
NtlmHttpServlet. Switching to JESPA's NtlmHttpServlet (which adds support for
NTLMv2, because of Vista/IE8 switching to disallowing NTLMv1) seems to work fine
with IE6-8 and Firefox on XP and Vista, but breaks OOo 3.1's NTLM. It will
attempt to log in, but JESPA then logs an error server-side and throws a 403: 

java.io.IOException: Not a Type 1 message.
 at jcifs.ntlmssp.Type1Message.parse(Type1Message.java:232)
 at jcifs.ntlmssp.Type1Message.<init>(Type1Message.java:88)
 at jespa.ntlm.NtlmSecurityProvider.acceptSecContext(NtlmSecurityProvider.java:944)
 at jespa.http.HttpSecurityService.doAuthenticate(HttpSecurityService.java:680)
 at jespa.http.HttpSecurityService.doFilter(HttpSecurityService.java:772)

It looks to me like the updated version of "neon" may be attempting NTLMv2, but
not implementing it correctly. (If you google for this error, one possible fix
involves apache forwarding REMOTE_PORT -- this happens with and without this
option, and with and without apache in front of tomcat. Doesn't seem to be the
same situation.) 

I can't tell from neon's mailing lists if they intended to have NTLMv2 or not --
there are some subversion commits related to it, at least. 

Also, in the 3.0 source, neon appears as a simple library and the version number
was easy to determine and cross-reference; in the 3.1 source, it looks like the
neon code is directly copied into OOo? Is it being maintained separately? I was
trying to figure out what version 3.1 included, so I could match it against the
neon changelog.
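
A diagnostic sketch for the server-side error in the report above, added here and not part of the original report or of jCIFS, JESPA or neon: it decodes the token from an "Authorization: NTLM" header and reports the NTLMSSP message type and, for a Type 1 message, the negotiate flags the client offered, so a log can show what the client actually sent when the parser rejects it. The function and helper names are hypothetical, the sample tokens are constructed, and the field layout and flag values are taken from the published NTLM message format.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Negotiate flag bits as published in the NTLM specification (MS-NLMP).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}

def inspect_ntlm_header(value):
    """Classify the token in an 'Authorization: NTLM <base64>' header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        return {"ok": False, "reason": "not an NTLM authorization header"}
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"ok": False, "reason": "token is not valid base64"}
    if len(raw) < 12 or raw[:8] != SIGNATURE:
        return {"ok": False, "reason": "missing NTLMSSP signature"}
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"ok": True, "type": msg_type, "flags": []}
    # Only a Type 1 (negotiate) message carries its flags at offset 12.
    if msg_type == 1 and len(raw) >= 16:
        (bits,) = struct.unpack_from("<I", raw, 12)
        info["flags"] = [name for bit, name in FLAGS.items() if bits & bit]
    return info

def sample_header(msg_type, flags=0):
    # Constructed test token (signature, type, one 32-bit field, zero padding);
    # this is not captured traffic from OOo or any browser.
    body = SIGNATURE + struct.pack("<II", msg_type, flags) + bytes(16)
    return "NTLM " + base64.b64encode(body).decode("ascii")

if __name__ == "__main__":
    for header in (sample_header(1, 0x00088207), sample_header(3), "NTLM abc"):
        print(inspect_ntlm_header(header))
```

A well-formed token whose type is not 1 comes back with "ok": True and the type it actually carries, which separates a message arriving out of sequence from a token that is not NTLMSSP at all.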
Comment 1 matthias.huetsch 2009-08-25 14:59:03 UTC
Hi Kai,

can you please have a look into this (and reassign to an appropriate developer) ?

Thanks,
Matthias
Comment 2 kai.sommerfeld 2009-08-26 08:44:36 UTC
unordained: On Windows, OOo comes with its own copy of neon. Code gets
statically linked into ucpdav1.dll. From time to time we're updating OOo's neon
code. OOo 3.1 contains neon 0.28.2, with some patches applied.  Our strategy is
to contribute all patches back to the neon project as fast as possible.

I have no idea whether neon 0.28 supports NTLMv2. I suggest that you ask the
neon guys. In case neon is currently lacking support for NTLMv2 or has a bug in
that area I will be happy to update OOo's copy of neon once a fix is available.

BTW: Does it work with OOo 3.0.1?

Comment 3 unordained 2009-08-26 17:12:41 UTC
Asking neon mailing list. Will reply here if I hear from them.

I had previously tested 3.0.0, not 3.0.1; 3.0.0 failed NTLM entirely, with
"General Internet error has occurred". TK (Tobias Krause) pointed me to issue
#95310 for that issue, and it's listed as targeting 3.1.
Comment 4 unordained 2009-09-03 04:39:35 UTC
Neon mailing list replies that NTLMv2 support is now ready for testing, for a
planned 0.29.0 release.

Announcement:
http://lists.manyfish.co.uk/pipermail/neon/2009-September/001053.html

(Is the listed contributor, 'Kai' == 'kso'? Thanks!)
Comment 5 kai.sommerfeld 2009-09-03 08:23:21 UTC
>Neon mailing list replies that NTLMv2 support is now ready for testing, for a
>planned 0.29.0 release.

 Well, it's not that easy... 

Neon 0.28 contains Windows-only NTLM support. Stuff is implemented using native
Windows API (-> SSPI). I have no insights into the neon SSPI implementation and
have no idea whether it supports v2 at all or is just buggy. As a matter of
fact, the behavior you noticed is caused by the SSPI stuff, because OOo 3.1 uses
the SSPI code. You should ask the submitter of the SSPI neon stuff for details.

Starting with 0.29, neon has a completely new NTLM implementation that should
work on all platforms, including Windows. This implementation comes with v2
support. I know this implementation "very well".  ;-)

Thus, starting with neon 0.29, for Windows one can choose between "SSPI" and
"NTLM" at neon compile time. For OOo (starting with 3.2) we will choose SSPI for
Windows, NTLM on all other platforms. Why? SSPI comes with a very important
feature that is currently missing in the NTLM implementation - the ability to
automatically use the credentials of the currently logged in Windows user to
authenticate with Websites (-> e.g. SharePoint).

>(Is the listed contributor, 'Kai' == 'kso'? Thanks!)

 You're welcome. :-)
Comment 6 unordained 2009-09-03 23:26:42 UTC
Yeah, please don't lose that auto-login functionality. As it currently stands on
Windows, the user will see the username/password prompt but can just hit 'Okay'
and it will still log in correctly. It's not ideal, and I'd probably prefer that
it attempt Windows credentials first, then prompt if those fail, but it's better
than forcing them to type in their full credentials every time. I can see it has
the benefit of letting users impersonate each other if need-be (temporary admin
access), and if the prompt were invisible there'd be no opportunity to catch it
and switch users, but ... yeah. It's already one extra prompt for my users every
time they open a document from the website they're already SSO'ed into.
Comment 7 kai.sommerfeld 2009-09-04 08:31:19 UTC
unordained: You might be interested in this:
http://qa.openoffice.org/issues/show_bug.cgi?id=104767
Comment 8 Marcus 2017-05-20 10:44:29 UTC
Reset the assignee to the default "issues@openoffice.apache.org".