Service Packs and Hot Fixes / MNT-15376

NTLM authentication sometimes fails with IE10+ (Chrome OK) - concurrent socket threads

      Description

      How to reproduce?
      ================
      1) create a 5.0.2 system (Linux, PostgreSQL, Tomcat) with "passthru" authentication.
      2) enable SSO in Share config custom.
      3) increase log4j verbosity settings:

      log4j.logger.org.alfresco.web.app.servlet.NTLMAuthenticationFilter=debug
      log4j.logger.org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter=debug
      log4j.logger.org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter=debug
      

      4) confirm that the attached script works when passing the username and password of an AD user:

      ./simple_ntlm.py -u administrator -p mypass 
      

      ends with a block starting with

      Received 'HTTP/1.1 200 OK
      

      5) rerun the script above with the -c option (that enables 2 concurrent NTLM negotiations for the same user with the same session):

      ./simple_ntlm.py -u administrator -p mypass -c
      

      Results:
      =======
      Authentication fails, with script output ending with:

      .........
      sending S2  GET /alfresco/webdav HTTP/1.1
      Accept-Encoding: identity
      Host: localhost:8080
      Cookie: JSESSIONID=B7800B41D2A19A0142ABCFECD17ADDF9;
      Connection: Close
      Authorization: NTLM TlRMTVNTUAADAAAAAAAAAGgAAAAYABgAaAAAAA4ADgBAAAAAGgAaAE4AAAAAAAAAaAAAABAAEACAAAAAARAAAEUAWABBAE0AUABMAEUAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBgRraAwuqIYkHSrZmwesio+bbT9fjXT6GO3fwH5MTMgIOYEDJuJHzF
      User-Agent: Python-urllib/2.7
      
      
       Received 'HTTP/1.1 401 Unauthorized\r\nServer: Apache-Coyote/1.1\r\nWWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm="Alfresco Server"\r\nTransfer-Encoding: chunked\r\nDate: Fri, 11 Dec 2015 14:01:22 GMT\r\nConnection: close\r\n\r\n0\r\n\r\n' 
      

      and logs showing:

       2015-12-11 15:01:22,102  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-8] Received type1 [Type1:0x20803005,Domain:EXAMPLE,Wks:madona]
       2015-12-11 15:01:22,102  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-8] Client domain EXAMPLE
       2015-12-11 15:01:22,103  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-8] Searching for local server name.
       2015-12-11 15:01:22,103  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-8] Sending NTLM type2 to client - [Type2:0x1,Target:MADONA,Ch:26052373e98e6e60]
       2015-12-11 15:01:22,104  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-9] Received type1 [Type1:0x20803005,Domain:EXAMPLE,Wks:madona]
       2015-12-11 15:01:22,105  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-9] Client domain EXAMPLE
       2015-12-11 15:01:22,106  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-9] Searching for local server name.
       2015-12-11 15:01:22,106  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-9] Sending NTLM type2 to client - [Type2:0x1,Target:MADONA,Ch:dcdef0a06cd549fb]
       2015-12-11 15:01:22,107  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-8] Received type3 [Type3:,LM:<Null>,NTLM:cd2b142000cd9ac3618bcdcb10be4e4b0974267496a20b19,Dom:EXAMPLE,User:administrator,Wks:,SessKey:8eddfc07e4c4cc80839810326e247cc5,Flags:0x1001]
       2015-12-11 15:01:22,118  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-8] Authentication failed, 11110002 Logon failure
       2015-12-11 15:01:22,118  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-8] restartLoginChallenge...
       2015-12-11 15:01:22,119  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-9] Received type3 [Type3:,LM:<Null>,NTLM:6046b680c2ea886241d2ad99b07ac8a8f9b6d3f5f8d74fa1,Dom:EXAMPLE,User:administrator,Wks:,SessKey:8eddfc07e4c4cc80839810326e247cc5,Flags:0x1001]
       2015-12-11 15:01:22,121  WARN  [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-9] Authentication failed: NTLM details can not be retrieved from session. Client must support cookies.
       2015-12-11 15:01:22,121  DEBUG [webdav.auth.NTLMAuthenticationFilter] [http-bio-8080-exec-9] restartLoginChallenge...
       

      Expected result:
      ================
      the script works even with the -c option, see notes below.

      Notes:
      ======
      1) this issue was discovered by a customer that was using 'passthru' with IE10 as a client and hitting the URL directly:

      http://server:8080/share/page/dp/ws/faceted-search
      

      2) the issue was random and seemed to happen only on pages that are slow to display
      3) the issue was specific to IE10 (and above; IE11 also affected), Chrome always working
      4) analysis made by support of the working network traces (Chrome) and failing network traces (IE10) showed a big difference in behaviour:
      while Chrome was opening one unique TCP/IP socket to the Alfresco server and sending the two NTLM requests (negotiate and authenticate) on that socket, IE10 was somehow getting impatient and opening a 2nd socket for the other page components, starting a new NTLM authentication on the 2nd socket but using the same JSESSIONID that was retrieved on the first socket. See attached ntlm2sockets.png
      5) googling about how IE10 manages sockets, one seems to confirm that, to increase the speed of display, IE10 may open several connections. See attached PDF networking_ie10.pdf
      6) the WARN line in the logs:

      Client must support cookies.
      

      is misleading, as the client does support cookies. That probably should be changed.
      7) this fails also with an alfrescoNtlm system with

      ntlm.authentication.sso.enabled=true
      

      and with the NTLMv1 and NTLMv2 protocols (this can be controlled using the -l option of my script; see -h to get the full list of options).
      As the errors shown in the logs are different from those in the "passthru" case, I used passthru to log this JIRA (to match the customer logs).
      8) another option would have been to slow down the response from Alfresco and Share to force IE10 to open more connections. I decided to write this test case as it seems clearer to reproduce and QA can easily tell if the issue is fixed or not.
      9) I am not 100% sure this is a bug. However, as we support IE10, we should consider this a bug, as we have no control over how the client will talk to Alfresco. It seems that we allocate to one session (one JSESSIONID) only one set of negotiation information. Maybe a fix would imply keeping a list of the negotiation packets received.
      10) the script relies for the NTLM cryptography side on the python library ntlmlib
      https://github.com/ianclegg/ntlmlib
      To install it (see project home page above), just do:

      pip install ntlmlib
      

      11) there are other NTLM libraries. One other python library that is popular is python-ntlm. I could not however make it work with both NTLMv1 and NTLMv2.
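The race described in notes 4 and 9, as an added example that is not the attached simple_ntlm.py and not Alfresco's filter code. It models the servlet session as the single slot the filter fills on type1 and reads on type3, drives two handshakes interleaved the way the IE10 trace shows (two threads, one JSESSIONID), and then repeats the run against a filter that keeps a list of outstanding challenges, which is what note 9 suggests. The challenge/response function is a keyed MAC standing in for the real NTLMv1/NTLMv2 computation; the credential store, thread names and the MAX_PENDING bound are constructed for the example and are not Alfresco settings.

```python
"""Model of the NTLM session race from this report (added example, not project code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed credential store, standing in for the passthru/AD lookup.
PASSWORDS = {"administrator": b"mypass"}
# Assumed bound on outstanding challenges per session (not an Alfresco setting).
MAX_PENDING = 8


def response_for(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM challenge/response computation (not real NTLMv1/v2):
    a keyed MAC, so a response only verifies against the challenge it was built on."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


@dataclass
class Session:
    """What the servlet container keeps behind one JSESSIONID."""
    pending: list = field(default_factory=list)  # server challenges awaiting a type3


class NtlmFilter:
    """keep_all=False: one challenge slot per session (the behaviour the report describes).
    keep_all=True: a bounded list of outstanding challenges (note 9's suggestion)."""

    def __init__(self, keep_all: bool):
        self.keep_all = keep_all
        self.log = []

    def on_type1(self, session: Session, thread: str) -> bytes:
        challenge = os.urandom(8)
        if self.keep_all:
            session.pending.append(challenge)
            del session.pending[:-MAX_PENDING]  # drop the oldest entries beyond the bound
        else:
            session.pending = [challenge]  # overwrites a challenge another thread just issued
        self.log.append(f"[{thread}] Sending NTLM type2 to client - Ch:{challenge.hex()}")
        return challenge

    def on_type3(self, session: Session, thread: str, user: str, response: bytes) -> bool:
        if not session.pending:
            self.log.append(f"[{thread}] Authentication failed: NTLM details can not be "
                            "retrieved from session.")
            return False
        password = PASSWORDS.get(user)
        for challenge in list(session.pending):
            if password and hmac.compare_digest(response, response_for(password, challenge)):
                session.pending.remove(challenge)  # each challenge is usable exactly once
                self.log.append(f"[{thread}] Authenticated {user} against Ch:{challenge.hex()}")
                return True
        self.log.append(f"[{thread}] Authentication failed, Logon failure")
        session.pending.clear()  # restartLoginChallenge: the stored negotiation is dropped
        return False


def chrome_sequential(filt: NtlmFilter) -> bool:
    """One socket: type1, type2 and type3 complete before anything else touches the session."""
    session = Session()
    ch = filt.on_type1(session, "exec-8")
    return filt.on_type3(session, "exec-8", "administrator", response_for(b"mypass", ch))


def ie10_interleaved(filt: NtlmFilter) -> tuple:
    """Two sockets, one JSESSIONID, ordered as in the report's log: both type2s go out
    before either type3 comes back."""
    session = Session()
    ch8 = filt.on_type1(session, "exec-8")
    ch9 = filt.on_type1(session, "exec-9")
    r8 = filt.on_type3(session, "exec-8", "administrator", response_for(b"mypass", ch8))
    r9 = filt.on_type3(session, "exec-9", "administrator", response_for(b"mypass", ch9))
    return r8, r9


if __name__ == "__main__":
    for keep_all in (False, True):
        filt = NtlmFilter(keep_all=keep_all)
        print("keep_all =", keep_all, "->", ie10_interleaved(filt))
        print("\n".join(filt.log))
```

Against the single-slot filter the interleaved driver reproduces both lines from the report's log: exec-8's type3 is checked against the challenge exec-9 issued and fails with a logon failure, and the restart that follows empties the session, so exec-9's type3 finds no NTLM details. Keeping a list widens the set of challenges a single type3 may match, so bound the list, remove an entry on use and expire unused entries quickly; keying by connection would be tighter, but a servlet filter only sees the session.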

        Attachments

        1. dump1.pcap (70 kB)
        2. dump2.pcap (38 kB)
        3. networking_ie10.pdf (827 kB)
        4. ntlm2sockets.png (14 kB)
        5. simple_ntlm.py (7 kB)

        People

        Assignee: Closed Bugs
        Reporter: Alex Madon (Inactive)

        Time Tracking

        Original Estimate: Not Specified
        Remaining Estimate: 0m
        Time Spent: 2w 4d 6h 15m