MozillaZine

NTLM Authentication Available on Windows via SSPI

Monday March 31st, 2003

dave writes: "A patch for bug 159015 has recently landed. It adds NTLM authentication to Mozilla on Windows — very much needed by people using Mozilla to access corporate intranets. I think it deserves some publicity as it is a long awaited RFE and needs testing. Unfortunately this is Windows only." It is Windows only because the implementation uses Windows' own SSPI API.


#1 Cross Platform version?

by WillyWonka

Monday March 31st, 2003 1:42 PM

Is there any work underway to get a cross platform implementation working?

Not that I need it, but I'm just interested in finding out if the majority of the people who want it, use windows.

#3 Re: Cross Platform version?

by wolruf

Monday March 31st, 2003 2:58 PM

see bug 171500 ("Implement windows authentication on Unix using Samba's winbindd", <http://bugzilla.mozilla.org/show_bug.cgi?id=171500>) too.

#2 Re: Cross Platform version?

by schapel

Monday March 31st, 2003 2:11 PM

Yes: <http://bugzilla.mozilla.org/show_bug.cgi?id=23679>

The majority of people who want NTLM certainly do use Windows, but I'm sure there are plenty of Mac and Linux users that want NTLM, too.

#4 SSPI?

by SomeGuy

Monday March 31st, 2003 4:49 PM

Please tell me I am wrong, but isn't SSPI (Winsspi.dll I assume) actually part of Microsoft Internet Explorer? This DLL does not appear to be with the original Windows 95 and seems to get installed when installing IE. Looking around it does also seem to get installed with Office 97 along with wininet.dll and a few other IE 3.0 DLLs although the entire IE browser is not installed. Perhaps a better question is: is this DLL redistributable without IE since it is not included with Windows 95? Not that I am really concerned about Windows 95, I am just wondering.

A cross platform version is absolutely still needed. But at least using this DLL should ensure that if MS changes NTLM that Mozilla for Windows would still be able to work. I would imagine that a cross platform version might not be able to use the current NT login session like IE does (no prompting for a proxy password). Does Mozilla with this SSPI implementation do that? At any rate I do see the need for both.

#13 Re: SSPI?

by darinwf

Tuesday April 1st, 2003 12:19 PM

> (Winsspi.dll I assume)

security.dll ... and we dynamically load it. AFAIK it is available on most windows systems.

> use the current NT login session like IE does (no prompting for a proxy password)

mozilla currently will not automatically send your default NT logon because we felt that it is a bit of a security risk since any website can issue an NTLM challenge. IE6 happily sends your default logon to any webserver that asks for it. granted it only sends a hash of your password, but NTLM uses a relatively weak hashing algorithm (MD4), so this is not exactly a good thing. in the future we may alter mozilla to automatically send your default logon to proxy servers, but we would have to be very careful to ensure that we only do this when we know we are talking to a proxy server that the user configured.

#5 1.4 alpha

by mlippert <mlippert255@yahoo.com>

Monday March 31st, 2003 10:08 PM

So this means it will be in the 1.4 alpha release for Windows?

#6 Re: why God why?!<RANT>

by totalxsive

Tuesday April 1st, 2003 4:01 AM

No, the branch was frozen for 1.4 alpha last week. Any additions since then will have to wait for 1.4 beta, AFAIK.

#7 The bug is fixed

by jsoderba

Tuesday April 1st, 2003 8:04 AM

There is no branch for alpha and beta releases like there are for milestone releases, checkins simply require an extra level of approval. This patch was approved by asa, as you can see in comment 45 on the bug page.

#8 Has anyone tried this?

by djg

Tuesday April 1st, 2003 9:07 AM

I am testing this out now but no luck so far

This is what I'm doing... username is bob, domain is US

when i go to my ntlm site I get a prompt: Enter Username and password for "" at <url>

In user name I have tried USbob and bobUS and then my password in the password field

after enter, i just get the same dialogue back. any ideas?

#9 Has anyone tried this?

by djg

Tuesday April 1st, 2003 9:07 AM

aghh...stripped out my '\'s should be a backslash between bob and US

#10 Re: Has anyone tried this?

by djg

Tuesday April 1st, 2003 9:12 AM

OK, I think the issue is related to the fact that the prompt dialogue says: Enter Username and password for "" at example.mysite.com

there should be stuff between the "" - Anyone know what this indicates?

#11 no, but please let us know

by mlippert <mlippert255@yahoo.com>

Tuesday April 1st, 2003 9:29 AM

Sorry, I haven't tried this yet. But I am really interested in what you find out. So if you get more info, please post an update.

Thanks, Mike

#12 Re: no, but please let us know

by djg

Tuesday April 1st, 2003 11:02 AM

I got it to work on a different ntlm site...hmmm

#14 Re: Has anyone tried this?

by juan

Thursday April 3rd, 2003 3:43 PM

Curious, can you try US\\bob for your username? I think that's in bugzilla as how you have to do it.

#16 Re: Re: Has anyone tried this?

by mishin

Saturday June 21st, 2003 1:08 AM

i try this but it does not work.. i want this feature..

#15 TRY_DEFAULT_LOGON_AUTOMATICALLY for Proxy Authenti

by umhangj

Wednesday April 9th, 2003 5:26 AM

this patch works fine for us ... great!!. we are behind a proxy --squid with ntlm-authentication -- it would be nice if mozilla could send default_logon_automatically after getting a Proxy Authentication Required status code back from the proxy.
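
The restriction darinwf describes in #13 and the proxy case umhangj asks for in #15 can be expressed as one decision function. This is an added example, not Mozilla's code and not part of the thread; `Challenge`, `ProxyConfig` and `mayAutoSendDefaultLogon` are hypothetical names, and the host names in any input are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical view of one HTTP authentication challenge as the client sees it.
struct Challenge {
    int status;                        // 401 = origin server, 407 = proxy
    std::vector<std::string> schemes;  // schemes offered in the *-Authenticate headers
    std::string peerHost;              // host the connection was actually opened to
    int peerPort;
};

// Hypothetical user configuration: the proxy the user set up, if any.
struct ProxyConfig {
    bool enabled;
    std::string host;
    int port;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Returns true only when the default logon may be sent without prompting.
bool mayAutoSendDefaultLogon(const Challenge& c, const ProxyConfig& p) {
    // A 401 comes from a web server; any site can send one, so always prompt.
    if (c.status != 407) return false;
    // A 407 means nothing unless the user configured a proxy at all.
    if (!p.enabled) return false;
    // The peer must be the configured proxy, not an origin server
    // that answers 407 on a direct connection.
    if (lower(c.peerHost) != lower(p.host) || c.peerPort != p.port) return false;
    // Only act on an NTLM offer (scheme names are case-insensitive).
    for (const auto& s : c.schemes)
        if (lower(s) == "ntlm") return true;
    return false;
}
```

Every path that is not "407 with NTLM from the exact proxy the user configured" falls back to prompting, which is the behaviour #13 describes for the patch as landed.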