NTLM Authentication Available on Windows via SSPI

Monday March 31st, 2003

dave writes: "A patch for bug 159015 has recently landed. It adds NTLM authentication to Mozilla on Windows — very much needed by people using Mozilla to access corporate intranets. I think it deserves some publicity as it is a long awaited RFE and needs testing. Unfortunately this is Windows only." The reason it's Windows only is because the implementation uses Windows' own SSPI API.

#1 Cross Platform version?

by WillyWonka

Monday March 31st, 2003 1:42 PM

Is there any work underway to get a cross platform implementation working?

Not that I need it, but I'm just interested in finding out if the majority of the people who want it, use windows.

#3 Re: Cross Platform version?

by wolruf

Monday March 31st, 2003 2:58 PM

see bug <a href="" title="Implement windows authentication on Unix using Samba's winbindd">171500</a> too.

#2 Re: Cross Platform version?

by schapel

Monday March 31st, 2003 2:11 PM


The majority of people who want NTLM certainly do use Windows, but I'm sure there are plenty of Mac and Linux users that want NTLM, too.

#4 SSPI?

by SomeGuy

Monday March 31st, 2003 4:49 PM

Please tell me I am wrong, but isn't SSPI (Winsspi.dll I assume) actually part of Microsoft Internet Explorer? This DLL does not appear to be with the original Windows 95 and seems to get installed when installing IE. Looking around it does also seem to get installed with Office 97 along with wininet.dll and a few other IE 3.0 DLLS although the entire IE browser is not installed. Perhaps a better question is is this DLL redistributeable without IE since it is not included with Windows 95? Not that I am really concerned about Windows 95, I am just wondering.

A cross platform version is absolutely still needed. But at least using this DLL should ensure that if MS changes NTLM that Mozilla for Windows would still be able to work. I would imagine that a cross platform version might not be able to use the current NT login session like IE does (no prompting for a proxy password) Does Mozilla with this SSPI implementation do that? At any rate I do see the need for both.

#13 Re: SSPI?

by darinwf

Tuesday April 1st, 2003 12:19 PM

> (Winsspi.dll I assume)

security.dll ... and we dynamically load it. AFAIK it is available on most windows systems.

> use the current NT login session like IE does (no prompting for a proxy password)

mozilla currently will not automatically send your default NT logon because we felt that it is a bit of a security risk since any website can issue a NTLM challenge. IE6 happily sends your default logon to any webserver that asks for it. granted it only sends a hash of your password, but NTLM uses a relatively weak hashing algorithm (MD4), so this is not exactly a good thing. in the future we may alter mozilla to automatically send your default logon to proxy servers, but we would have to be very careful to ensure that we only do this when we know we are talking to a proxy server that the user configured.

#5 1.4 alpha

by mlippert

Monday March 31st, 2003 10:08 PM

So this means it will be in the 1.4 alpha release for Windows?

#6 Re: why God why?!<RANT>

by totalxsive

Tuesday April 1st, 2003 4:01 AM

No, the branch was frozen for 1.4 alpha last week. Any additions since then will have to wait for 1.4 beta, AFAIK.

#7 The bug is fixed

by jsoderba

Tuesday April 1st, 2003 8:04 AM

There is no branch for alpha and beta releases like there are for milestone releases, checkins simply require an extra level of approval. This patch was approved by asa, as you can see in comment 45 on the bug page.

#8 Has anyone tried this?

by djg

Tuesday April 1st, 2003 9:07 AM

I am testing this out now but no luck so far

This is what Im doing... username is bob, domain is US

when i go to my ntlm site I get a prompt: Enter Username and password for "" at <url>

In user name I have tried USbob and bobUS and then my password in the password field

after enter, i just get the same dialogue back. any ideas?

#9 Has anyone tried this?

by djg

Tuesday April 1st, 2003 9:07 AM

aghh...stripped out my '\'s should be a backslash between bob and US

#10 Re: Has anyone tried this?

by djg

Tuesday April 1st, 2003 9:12 AM

OK, I think the issue is related to the fact that the prompt dialogue says: Enter Username and password for "" at

there should be stuff between the "" - Any one know what this indicates?

#11 no, but please let us know

by mlippert

Tuesday April 1st, 2003 9:29 AM

Sorry, I haven't tried this yet. But I am really interested in what you find out. So if you get more info, please post an update.

Thanks, Mike

#12 Re: no, but please let us know

by djg

Tuesday April 1st, 2003 11:02 AM

I got it to work on a different ntlm site...hmmm

#14 Re: Has anyone tried this?

by juan

Thursday April 3rd, 2003 3:43 PM

Curious, can you try US\\bob for your username? I think that's in bugzilla as how you have to do it.

#16 Re: Re: Has anyone tried this?

by mishin

Saturday June 21st, 2003 1:08 AM

i try this but it does not work.. i want this feature..


by umhangj

Wednesday April 9th, 2003 5:26 AM

this patch works fine for us ... great!!. we are behind a proxy --squid with ntlm-authentication -- it would be nice if mozilla could send default_logon_automatically after getting a Proxy Authentication Required status code back from the proxy.