[
https://issues.apache.org/jira/browse/TS-3866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14733297#comment-14733297
]
Aaron McClimont commented on TS-3866:
-------------------------------------
Lief,
I was able to reproduce using the Traffic Server 6.0.x branch (as at
4-Sept-2015) against a new installation of IIS 7.5 running on Windows Server
2008R2. The Windows Authentication role service was the only additional
feature that I needed to enable. A new site was created in IIS with a single
index page. The Authentication for the site had Anonymous Authentication
disabled and Windows Authentication enabled.
The web browsers used were IE 9 and Firefox 35.0.1, and the outcome is the
same for both HTTP and HTTPS.
The setting proxy.config.http.auth_server_session_private is set to 1, and I
can't find the 6.0 equivalent to the setting
proxy.config.http.share_server_sessions if it even still exists.
In hope that it helps, the following are the headers sent and received when
using the build of 6.0.x.
A summary of the below: The initial request (#1) is sent and the source
server responds asking for authentication details. Requests 2 and 3 represent
the first automatic handshake attempt without prompting the user, but the
authentication fails and the prompt is displayed to the user. The user puts in
their authentication details, but the cycle repeats with requests 4 and 5
and onwards...
Initial Request:
{code:title=Request 1}
GET http://rhel6rpmbuild/helloworld HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: rhel6rpmbuild
{code}
{code:title=Response 1}
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: ATS/6.0.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Mon, 07 Sep 2015 06:17:36 GMT
Content-Length: 1293
Age: 0
Connection: keep-alive
Proxy-Support: Session-Based-Authentication
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet
MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the
credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
{code}
The following two requests are immediately and automatically sent, resulting in
the "Authentication Required" prompt being displayed by the browser:
{code:title=Request 2}
GET http://rhel6rpmbuild/helloworld HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: rhel6rpmbuild
Authorization: NTLM <snip>
{code}
{code:title=Response 2}
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: ATS/6.0.0
WWW-Authenticate: NTLM <snip>
Date: Mon, 07 Sep 2015 06:17:36 GMT
Content-Length: 341
Age: 0
Connection: keep-alive
Proxy-Support: Session-Based-Authentication
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML
4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>
{code}
{code:title=Request 3}
GET http://rhel6rpmbuild/helloworld HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Authorization: NTLM <snip>
Host: rhel6rpmbuild
{code}
{code:title=Response 3}
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: ATS/6.0.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Mon, 07 Sep 2015 06:17:36 GMT
Content-Length: 1293
Age: 0
Connection: keep-alive
Proxy-Support: Session-Based-Authentication
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet
MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the
credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
{code}
Requests 2 and 3 are then repeated, with the "Authentication Required" prompt
being displayed each time:
{code:title=Request 4}
GET http://rhel6rpmbuild/helloworld HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Authorization: NTLM <snip>
Host: rhel6rpmbuild
{code}
{code:title=Response 4}
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: ATS/6.0.0
WWW-Authenticate: NTLM <snip>
Date: Mon, 07 Sep 2015 06:17:46 GMT
Content-Length: 341
Age: 0
Connection: keep-alive
Proxy-Support: Session-Based-Authentication
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML
4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Authorized</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Authorized</h2>
<hr><p>HTTP Error 401. The requested resource requires user authentication.</p>
</BODY></HTML>
{code}
{code:title=Request 5}
GET http://rhel6rpmbuild/helloworld HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Authorization: NTLM <snip>
Host: rhel6rpmbuild
{code}
{code:title=Response 5}
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: ATS/6.0.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Mon, 07 Sep 2015 06:17:46 GMT
Content-Length: 1293
Age: 0
Connection: keep-alive
Proxy-Support: Session-Based-Authentication
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet
MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the
credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
{code}
Here's an update on what does and doesn't work:
* Direct to source server: Successful
* via Traffic Server 4.1.2: Successful
* via Traffic Server 5.3.0: Fails
* via Traffic Server 5.3.1: Fails
* via Traffic Server 6.0.x: Fails (at source dated 4-Sept-2015)
Let me know if there is anything else I can test in version 6.0. I will
attempt to test against master soon.
Thanks,
Aaron.
> Browser always prompts for authentication (NTLM) - Regression?
> --------------------------------------------------------------
>
> Key: TS-3866
> URL: https://issues.apache.org/jira/browse/TS-3866
> Project: Traffic Server
> Issue Type: Bug
> Affects Versions: 5.3.0, 5.3.1
> Environment: RHEL 6.5 64-bit
> Reporter: Aaron McClimont
> Fix For: 6.1.0
>
>
> NTLM authentication through Apache TrafficServer version 5.3.1 appears to be
> broken, with the authentication prompt being displayed repeatedly.
> Version 4.1.2 (using the same configuration files) works successfully.
> Notes:
> * HTTPS does not resolve the issue in version 5.3.1 like it does with version
> 4.1.2
> * proxy.config.http.share_server_sessions is set to 0 (default: 2)
> * proxy.config.http.auth_server_session_private is set to 1
> This issue appears to be related to TS-1491 identified in the 3.2 releases.
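Added example, not part of the original comment or of Traffic Server: a check that walks a captured header sequence like the one above and flags each exchange where an NTLM Type 3 message is answered with a fresh 401 carrying no challenge. NTLM authenticates the connection rather than the request, so this is what the client sees when its Type 3 does not reach the origin on the connection that issued the Type 2 challenge. The tokens are constructed stand-ins for the values shown as `<snip>`, and the message types assigned to each request are an assumption based on the standard three-message handshake.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature

def ntlm_type(header_value):
    """Return 1/2/3 for an NTLM token, 0 for a bare 'NTLM' offer, None otherwise."""
    parts = header_value.split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return None
    if len(parts) == 1:
        return 0
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # also covers binascii.Error, e.g. for a literal "<snip>"
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIG):
        return None
    return struct.unpack_from("<I", raw, 8)[0]  # little-endian MessageType

def find_reset_handshakes(trace):
    """trace: list of (Authorization value or None, status, [WWW-Authenticate values]).
    Returns 1-based indexes where a Type 3 was answered by a 401 without a challenge."""
    findings = []
    challenged = False  # did the previous response carry a Type 2 challenge?
    for i, (authz, status, www_auth) in enumerate(trace, start=1):
        sent = ntlm_type(authz) if authz else None
        offered = [ntlm_type(v) for v in www_auth]
        if sent == 3 and challenged and status == 401 and 2 not in offered:
            findings.append(i)
        challenged = status == 401 and 2 in offered
    return findings

def _token(msg_type):
    # Constructed token: signature and message type only, no real payload.
    body = NTLMSSP_SIG + struct.pack("<I", msg_type) + b"\x00" * 4
    return "NTLM " + base64.b64encode(body).decode()

# Constructed trace mirroring requests/responses 1-5 in the comment
# (assumed types: requests 2 and 4 = Type 1, requests 3 and 5 = Type 3).
SAMPLE_TRACE = [
    (None, 401, ["Negotiate", "NTLM"]),
    (_token(1), 401, [_token(2)]),
    (_token(3), 401, ["Negotiate", "NTLM"]),
    (_token(1), 401, [_token(2)]),
    (_token(3), 401, ["Negotiate", "NTLM"]),
]

if __name__ == "__main__":
    print(find_reset_handshakes(SAMPLE_TRACE))
```
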