Posted to dev@manifoldcf.apache.org by "Karl Wright (JIRA)" <ji...@apache.org> on 2012/11/29 02:13:57 UTC

[jira] [Created] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Karl Wright created CONNECTORS-572:
--------------------------------------

             Summary: SharePoint connector does not authenticate properly against some SharePoint instances
                 Key: CONNECTORS-572
                 URL: https://issues.apache.org/jira/browse/CONNECTORS-572
             Project: ManifoldCF
          Issue Type: Bug
          Components: SharePoint connector
    Affects Versions: ManifoldCF 1.0.1, ManifoldCF 1.0
            Reporter: Karl Wright
            Assignee: Karl Wright
             Fix For: ManifoldCF 1.1


The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient, where the NTLM Type-2 response user name is not the same as the NTLM Type-3 message user name.  In particular, we've seen "administrator" be passed in in the Type 1 message, and "\administrator" come back in the Type 2 response, and if "administrator" is passed in again in the Type 3 message, authentication fails.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13509795#comment-13509795 ] 

Karl Wright commented on CONNECTORS-572:
----------------------------------------

I've opened ticket HTTPCLIENT-1266 to track improvements to NTLM handling in httpcomponents httpclient.

                
> SharePoint connector does not authenticate properly against some SharePoint instances
> -------------------------------------------------------------------------------------
>
>                 Key: CONNECTORS-572
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-572
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: SharePoint connector
>    Affects Versions: ManifoldCF 1.0, ManifoldCF 1.0.1
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.1
>
>
> The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient.  cURL authenticates just fine, and even when all headers are changed to be identical to what MCF is sending, it continues to authenticate properly.


[jira] [Commented] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506114#comment-13506114 ] 

Karl Wright commented on CONNECTORS-572:
----------------------------------------

Created a branch, CONNECTORS-572, where I intend to check in a stop-gap workaround for the issue, to see if we've got it right on site.

                
> SharePoint connector does not authenticate properly against some SharePoint instances
> -------------------------------------------------------------------------------------
>
>                 Key: CONNECTORS-572
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-572
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: SharePoint connector
>    Affects Versions: ManifoldCF 1.0, ManifoldCF 1.0.1
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.1
>
>
> The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient, where the NTLM Type-2 response user name is not the same as the NTLM Type-3 message user name.  In particular, we've seen "administrator" be passed in in the Type 1 message, and "\administrator" come back in the Type 2 response, and if "administrator" is passed in again in the Type 3 message, authentication fails.


[jira] [Commented] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507392#comment-13507392 ] 

Karl Wright commented on CONNECTORS-572:
----------------------------------------

I think there are indeed flag issues.  The following document is very helpful:

http://msdn.microsoft.com/en-us/library/cc236650%28v=prot.20%29.aspx

It shows that we are sending along data but not including the appropriate flags that indicate that is what we are doing.


                
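The mismatch described in the comment above (data carried in the message without the flag that announces it) can be checked from a captured "Authorization: NTLM ..." header. This is an added example, not code from the ticket, ManifoldCF or httpclient: it audits a Type 1 message only, and the choice of the domain/workstation "supplied" flags is an assumption, since the ticket does not name the flags involved. Flag values are from the MS-NLMP document linked above; the sample messages are constructed.

```python
import base64
import struct

# NegotiateFlags bits, MS-NLMP section 2.2.2.5.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
OEM_DOMAIN_SUPPLIED = 0x00001000
OEM_WORKSTATION_SUPPLIED = 0x00002000


def build_type1(flags, domain=b"", workstation=b""):
    """Build a Type 1 message for the demo (constructed data, not a capture)."""
    offset = 32  # signature + type + flags + two field descriptors, no Version
    head = b"NTLMSSP\x00" + struct.pack("<II", 1, flags)
    head += struct.pack("<HHI", len(domain), len(domain), offset)
    head += struct.pack("<HHI", len(workstation), len(workstation),
                        offset + len(domain))
    return "NTLM " + base64.b64encode(head + domain + workstation).decode("ascii")


def audit_type1(header_value):
    """Return flag/payload mismatches found in an 'NTLM <base64>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("truncated message or bad NTLMSSP signature")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError("expected Type 1, got Type %d" % msg_type)
    findings = []
    fields = (("domain", 16, OEM_DOMAIN_SUPPLIED),
              ("workstation", 24, OEM_WORKSTATION_SUPPLIED))
    for name, pos, flag in fields:
        # Each descriptor is Len (u16), MaxLen (u16), BufferOffset (u32).
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if length and offset + length > len(msg):
            findings.append("%s field points past end of message" % name)
        if length and not flags & flag:
            findings.append("%s data sent but its SUPPLIED flag is clear" % name)
        if flags & flag and not length:
            findings.append("%s SUPPLIED flag set but no data sent" % name)
    if not flags & (NEGOTIATE_UNICODE | NEGOTIATE_OEM):
        findings.append("neither UNICODE nor OEM character set negotiated")
    return findings


# Constructed samples: same payload, with and without the announcing flags.
BASE = NEGOTIATE_UNICODE | NEGOTIATE_OEM
CONSISTENT = build_type1(BASE | OEM_DOMAIN_SUPPLIED | OEM_WORKSTATION_SUPPLIED,
                         b"CORP", b"CRAWLER")
INCONSISTENT = build_type1(BASE, b"CORP", b"CRAWLER")

if __name__ == "__main__":
    for label, hdr in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(label, audit_type1(hdr) or "ok")
```
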

[jira] [Resolved] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright resolved CONNECTORS-572.
------------------------------------

    Resolution: Fixed
    

[jira] [Updated] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright updated CONNECTORS-572:
-----------------------------------

    Description: 
The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient.


  was:
The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient, where the NTLM Type-2 response user name is not the same as the NTLM Type-3 message user name.  In particular, we've seen "administrator" be passed in in the Type 1 message, and "\administrator" come back in the Type 2 response, and if "administrator" is passed in again in the Type 3 message, authentication fails.


    
> SharePoint connector does not authenticate properly against some SharePoint instances
> -------------------------------------------------------------------------------------
>
>                 Key: CONNECTORS-572
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-572
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: SharePoint connector
>    Affects Versions: ManifoldCF 1.0, ManifoldCF 1.0.1
>            Reporter: Karl Wright
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 1.1
>
>
> The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient.


[jira] [Commented] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13510889#comment-13510889 ] 

Karl Wright commented on CONNECTORS-572:
----------------------------------------

Fix to httpcomponents seems to have been successful, at least for the cases I've tried.

I still need a final resolution as to how to download patched stuff, but that will be another ticket - and hopefully there will be a patch release from httpcomponents before too long.


                

[jira] [Updated] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Wright updated CONNECTORS-572:
-----------------------------------

    Description: 
The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient.  cURL authenticates just fine, and even when all headers are changed to be identical to what MCF is sending, it continues to authenticate properly.


  was:
The SharePoint connector does not always authenticate against the SharePoint instance.  The problem may be a bug in commons-httpclient, and a corresponding problem in httpcomponents/httpclient.


    

[jira] [Commented] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13506963#comment-13506963 ] 

Karl Wright commented on CONNECTORS-572:
----------------------------------------

So far no joy - could not confirm that user name differences had anything to do with the failure.

I have a pair of captures, however - maybe that will help determine if there is a flags problem or something.

                

[jira] [Commented] (CONNECTORS-572) SharePoint connector does not authenticate properly against some SharePoint instances

Posted by "Karl Wright (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CONNECTORS-572?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13507446#comment-13507446 ] 

Karl Wright commented on CONNECTORS-572:
----------------------------------------

Advice from Michael Allen:

"There is definitely nothing new in NTLM. Note that I don't think cURL even does NTLMv2 and in general its NTLM behavior is a joke so I wouldn't even bother with that.

The standard procedure is to study and emulate exactly the oldest supported version of the standard client which would be Windows XP (but also occasionally try something new like Windows 7). Write a small VBScript program that makes an HTTP call against IIS but run it from a workstation that isn't joined to the domain so that it doesn't do Kerberos. Look at it with Wireshark and get all your flags right and all that jazz. I suspect you'll find something off with the HTTP handshake or your NTLM code."

Since I don't have lots of Windows machines around, I'm going to have to modify the implementation based on the spec as described in the link in the previous comment.  The hope is that Microsoft's documentation is at least reasonably accurate.  The flag changes so far anticipated seem relatively contained, but I will need to very carefully read the spec before I'm sure we've got everything covered.

                