NTLM Authentication Available on Windows via SSPI
Monday March 31st, 2003
dave writes: "A patch for bug 159015 has recently landed. It adds NTLM authentication to Mozilla on Windows — very much needed by people using Mozilla to access corporate intranets. I think it deserves some publicity as it is a long awaited RFE and needs testing. Unfortunately this is Windows only." The reason it's Windows only is because the implementation uses Windows' own SSPI API.
Is there any work underway to get a cross platform implementation working?
Not that I need it, but I'm just interested in finding out if the majority of the people who want it use Windows.
See bug <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=171500" title="Implement windows authentication on Unix using Samba's winbindd">171500</a> too.
The majority of people who want NTLM certainly do use Windows, but I'm sure there are plenty of Mac and Linux users that want NTLM, too.
Please tell me I am wrong, but isn't SSPI (Winsspi.dll I assume) actually part of Microsoft Internet Explorer? This DLL does not appear to be with the original Windows 95 and seems to get installed when installing IE. Looking around, it does also seem to get installed with Office 97 along with wininet.dll and a few other IE 3.0 DLLs, although the entire IE browser is not installed. Perhaps a better question is: is this DLL redistributable without IE, since it is not included with Windows 95? Not that I am really concerned about Windows 95, I am just wondering.
A cross platform version is absolutely still needed. But at least using this DLL should ensure that if MS changes NTLM, Mozilla for Windows would still be able to work. I would imagine that a cross platform version might not be able to use the current NT login session like IE does (no prompting for a proxy password). Does Mozilla with this SSPI implementation do that? At any rate I do see the need for both.
> (Winsspi.dll I assume)
security.dll ... and we dynamically load it. AFAIK it is available on most Windows systems.
> use the current NT login session like IE does (no prompting for a proxy password)
Mozilla currently will not automatically send your default NT logon because we felt that it is a bit of a security risk, since any website can issue an NTLM challenge. IE6 happily sends your default logon to any webserver that asks for it. Granted, it only sends a hash of your password, but NTLM uses a relatively weak hashing algorithm (MD4), so this is not exactly a good thing. In the future we may alter Mozilla to automatically send your default logon to proxy servers, but we would have to be very careful to ensure that we only do this when we know we are talking to a proxy server that the user configured.
#5 1.4 alpha
by mlippert <firstname.lastname@example.org>
Monday March 31st, 2003 10:08 PM
So this means it will be in the 1.4 alpha release for Windows?
No, the branch was frozen for 1.4 alpha last week. Any additions since then will have to wait for 1.4 beta, AFAIK.
There is no branch for alpha and beta releases like there are for milestone releases, checkins simply require an extra level of approval. This patch was approved by asa, as you can see in comment 45 on the bug page.
I am testing this out now but no luck so far.
This is what I'm doing... username is bob, domain is US.
When I go to my NTLM site I get a prompt: Enter Username and password for "" at <url>
In user name I have tried USbob and bobUS and then my password in the password field
After enter, I just get the same dialogue back. Any ideas?
Aghh... stripped out my '\'s, should be a backslash between bob and US.
OK, I think the issue is related to the fact that the prompt dialogue says: Enter Username and password for "" at example.mysite.com
There should be stuff between the "" - anyone know what this indicates?
#11 no, but please let us know
by mlippert <email@example.com>
Tuesday April 1st, 2003 9:29 AM
Sorry, I haven't tried this yet. But I am really interested in what you find out. So if you get more info, please post an update.
Curious, can you try US\\bob for your username? I think that's in bugzilla as how you have to do it.
#15 TRY_DEFAULT_LOGON_AUTOMATICALLY for Proxy Authenti
Wednesday April 9th, 2003 5:26 AM
This patch works fine for us ... great!! We are behind a proxy (squid with NTLM authentication). It would be nice if Mozilla could send default_logon_automatically after getting a Proxy Authentication Required status code back from the proxy.
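
Added example, not part of the original thread and not Mozilla's code: a sketch of the check the developer's reply above describes, answering with the default logon only when the NTLM challenge is a 407 from the proxy the user configured, which is also the case the squid comment asks for. The `ProxyConfig` and `Challenge` types, the function name and all host names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProxyConfig:          # hypothetical: the proxy the user typed into preferences
    host: str
    port: int


@dataclass(frozen=True)
class Challenge:            # hypothetical: what the HTTP layer knows about a challenge
    status: int             # response status code
    header: str             # header that carried the challenge
    scheme: str             # auth scheme named in that header
    peer_host: str          # host the TCP connection was opened to
    peer_port: int
    inside_tunnel: bool     # True if read through an established CONNECT tunnel


def may_send_default_logon(ch: Challenge, proxy: Optional[ProxyConfig]) -> bool:
    """True only for an NTLM 407 issued by the user-configured proxy itself."""
    if proxy is None:
        return False        # no proxy configured, so any 407 comes from a website
    if ch.status != 407 or ch.header.lower() != "proxy-authenticate":
        return False        # 401 / WWW-Authenticate is a website challenge: prompt
    if ch.scheme.upper() != "NTLM":
        return False
    if ch.inside_tunnel:
        return False        # data inside the tunnel is from the origin server
    return (ch.peer_host.lower(), ch.peer_port) == (proxy.host.lower(), proxy.port)


# Constructed sample challenges (host names are made up).
PROXY = ProxyConfig("squid.corp.example", 3128)
SAMPLES = {
    "configured proxy": Challenge(407, "Proxy-Authenticate", "NTLM", "squid.corp.example", 3128, False),
    "website 401": Challenge(401, "WWW-Authenticate", "NTLM", "squid.corp.example", 3128, False),
    "407 inside tunnel": Challenge(407, "Proxy-Authenticate", "NTLM", "squid.corp.example", 3128, True),
    "407 from other host": Challenge(407, "Proxy-Authenticate", "NTLM", "www.example.net", 80, False),
}

if __name__ == "__main__":
    for name, ch in SAMPLES.items():
        print(f"{name}: {'send default logon' if may_send_default_logon(ch, PROXY) else 'prompt user'}")
```

The "website 401" sample arrives on the connection to the proxy, as it would for any proxied request, and is still refused because it is the website, not the proxy, that is asking.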