 |
|
You are here: Foswiki>Tasks Web>TinyMCEPlugin>Item5859 (15 Apr 2009, CrawfordCurrie)Edit Attach
Item5859: Plugin does not work if using NTLM
Priority: Urgent
Current State: Closed
Released In:
Target Release: patch
Current State: Closed
Released In:
Target Release: patch
TinyMCE plugin does not work with NTLM
As noted on TinyMCEPluginDev several users have reported problems when using TinyMCE with NTLM authentication. The problem is that the page never loads or you are prompted for credentials which are then never accepted. (how the problem manifests itself depends on the browser used). I too have the same problem. TinyMCE is the default editor in TWiki 4.2 and NTLM authentication is used on many corporate intranet TWikis which means this "bug" is obviously a problem for the adoption of TWiki 4.2. Therefore I've taken the liberty of reporting this as priority "Urgent". Sergei Klink reported on TinyMCEPluginDev that it could simply be fixed by removingTWikiTiny.request.req.setRequestHeader("Connection", "close");
from twiki_tiny.js without much information as to why.
I've found the following links to support this:
http://forums.msdn.microsoft.com/en-US/sharepointdevelopment/thread/5561b6aa-4fc3-4114-bf23-817ccbc88959/
http://groups.google.com/group/ajaxpro/browse_thread/thread/278b4688f17641ff/4ad3cfc77899b17e?lnk=gst&q=ajax+ntlm&rnum=2#4ad3cfc77899b17e
-- TWiki:Main/LarsHaarber - 01 Aug 2008
OK, thanks Lars. I cannot test NTLM, but you can, so can you please remove that line and confirm here that it fixes the problem. When you have confirmed, then that together with the links will be enough for me and I will remove the line from the source.
-- CrawfordCurrie - 01 Aug 2008
I'm sorry for not having responded on this earlier. Holiday season I'm afraid. I've got bad news: I cannot make it work even by removing the line above. It is true that others have reported the opposite but as for me it doesn't seem to change a thing.
-- TWiki:Main.LarsHaarber - 31 Aug 2008
OK. I'm sorry, Lars, but as I said before I can't test NTLM, and I'm relying on you (and other NTLM users) to isolate this problem.
-- CrawfordCurrie - 16 Sep 2008
There are a couple of issues at play here...
When POSTing to a sub-context of a site that IE has previously negotiated NTLM authentication with, IE will by default send a zero-content POST with a NTLM_NEGOTIATE header. From what I have read this is because IE assumes that the server will respond to the re-authentication attempt with a with a "401 Not Authorised" containing a NTLM_CHALLENGE header. Should the client and server implement NTLM correctly, the client will submit the POST again, this time with the appropriate content and a NTLM_AUTH header, the server will validate it and process the POST normally.
Unfortunately mod_auth_sspi v1.0.4 and earlier does not catch the NTLM_NEGOTIATE on the existing pipelined connection and the request slips through to the keeper...ahem... cgi script, missing POST content and all. I have observed this to cause: - oops pages with "Incorrect parameters in save script",
- Empty TinyMCE editor windows (ie, the loading please wait message disappears but does not get replaced with the topic content) and entries in the Apache error log about uninitialized variables within the functions that convert between Unicode and ISO character sets.
- Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.
SSPIPerRequestAuth on for every directory authenticated using SSPI (I have found that unless you put it in every Directory section using SSPI it doesn't actually take effect anywhere). This causes 1.0.4 to revert to 1.0.3 behaviour where every request (GET, POST or otherwise) is re-athenticated. There will obviously be a non-negligible waste of time and bandwidth but it will have to do until mod_auth_sspi is fixed to detect the NTLM_NEGOTIATE. (There was a contributed patch that looks for the empty POST but IMHO this is the incorrect way of solving it).
The other change necessary is to remove the TWikiTiny.request.req.setRequestHeader("Connection", "close"); from twiki_tiny.js as previously mentioned. This is to solve an issue in IE involving NTLM authenticated POSTs in IE submitted using XMLHttpRequests. With the header in place, IE does all sorts of silly things like sending the NTLM_NEGOTIATE in one connection and the NTLM_AUTH in another, or simply closing the connection after the NTLM_NEGOTIATE and failing to send the POST with NTLM_AUTH at all. From what I understand for NTLM Authentication to work pipelined connections must be used due to the three-way handshake involved. Note that the same header must be removed from the code that is used in the upload dialog (Can't remember where it was). If you are getting this problem you will observe entries such as (OS 87)The parameter is incorrect. : authentication failure for "": user unknown, reason: cannot generate context in the Apache error log.
Finally a few people on the net have been suggesting solutions such as setting MaxKeepAlives to 1, setting large or small keep-alive timeouts, forcing the username returned by mod_auth_sspi to lower-case, etc. I have found that none of these are reliable. SSPIOfferBasic on and SSPIBasicPreferred on are even suggested, which I would strongly recommend against as your credentials are essentially sent cleartext.
Hope this helps (or at least prevents you from wasting as much time and frustration as I did 
)
- LeeRyman - 05 Dec 2008
- CrawfordCurrie - 06 Dec 2008
3. Upload function in TinyMCE editor either failing to upload, or failing to update the link combo box.-- LeeRyman - 19 Mar 2009 Okay, finally got around to installing Foswiki and testing out NTLM. Looks like the problems associated with XMLHttpRequests POSTS when using IE and NTLM no longer occur, which is great! I am using the
Foswiki-1.0.4-0-strawberry.exe install on a Windows 2003 Server VM with mod_auth_sspi-1.0.4-2.2.2.zip from http://sourceforge.net/projects/mod-auth-sspi. The appropriate LoadModule sspi_auth_module modules\mod_auth_sspi.so was added to the top of Foswiki.conf. The following was added to the <Directory "C:/PROGRA~1/Foswiki/Foswiki/bin/"> and <Directory "C:/PROGRA~1/Foswiki/Foswiki/pub/"> sections...
AuthName "MyCompany Windows Domain"
AuthType SSPI
SSPIAuth On
SSPIDomain MyCompany
SSPIAuthoritative On
SSPIPerRequestAuth On
Require valid-user
... AuthUserFile, AuthName and AuthBasic declarations were commented out, and the Require user declaration was changed from admin to my login in the {LoginManager} was set to ApacheLogin, {AllowLoginName} was checked and {PasswordManager} set to none.
Tested with IE 6.0 and Firefox 3.0.3 clients. Wireshark didn't display any issues with the requests to rest, save, upload, etc. No problems attaching files via the WYSIWYG editor popup, and no problems with saves having incorrect parameters nor errors in the Apache log. Note that I still had to use SSPIPerRequestAuth on in the directory sections within my Foswiki.conf because of mod_auth_sspi v1.0.4 failing to handle IE's renewed NTLM negotiate with a empty POST (a small conciliation).
I suggest that you can close this out. Keep up the good work guys!
-- LeeRyman - 15 Apr 2009
Thanks Lee, that's excellent news. Closing.
-- CrawfordCurrie - 15 Apr 2009 ItemTemplate edit
| Summary | Plugin does not work if using NTLM |
| ReportedBy | TWiki:Main.LarsHaarber |
| Codebase | |
| SVN Range | TWiki-5.0.0, Sun, 27 Jul 2008, build 17148 |
| AppliesTo | Extension |
| Component | TinyMCEPlugin |
| Priority | Urgent |
| CurrentState | Closed |
| WaitingFor | |
| Checkins | distro:35f443da2c68 |
| TargetRelease | patch |
| ReleasedIn |
Edit | Attach | Print version | History: r17 < r16 < r15 < r14 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r17 - 15 Apr 2009, CrawfordCurrie
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy