Bug #35004 for NTLM: Fails to authenticate against some IIS 6.x servers

Mon Apr 14 08:29:52 2008 nigel.metheringham [...] Dev.intechnology.co.uk - Ticket created

Subject:

Fails to authenticate against some IIS 6.x servers

As per bug #9521 the NTLM authentication mechanism can fail to work against some IIS servers. Although changes were made in version 1.03 authentication fails to work against the servers I can test against here. However the alternative fix suggested in that ticket does work. I have attached a patch which fixes the problem for me, although I cannot tests against servers which did work with the previous mechanism.

Subject:

NTLM-1.03-domain.patch

# This is a patch for NTLM-1.03.orig to update it to NTLM-1.03 # # To apply this patch: # STEP 1: Chdir to the source directory. # STEP 2: Run the 'applypatch' program with this patch file as input. # # If you do not have 'applypatch', it is part of the 'makepatch' package # that you can fetch from the Comprehensive Perl Archive Network: # http://www.perl.com/CPAN/authors/Johan_Vromans/makepatch-x.y.tar.gz # In the above URL, 'x' should be 2 or higher. # # To apply this patch without the use of 'applypatch': # STEP 1: Chdir to the source directory. # STEP 2: Run the 'patch' program with this file as input. # #### End of Preamble #### #### Patch data follows #### diff -u 'NTLM-1.03.orig/NTLM.pm' 'NTLM-1.03/NTLM.pm' Index: ./NTLM.pm --- ./NTLM.pm Mon Apr 14 11:58:47 2008 +++ ./NTLM.pm Mon Apr 14 12:01:25 2008 @@ -174,7 +174,7 @@ $challenge = decode_base64($challenge); $c_info = &decode_challenge($challenge); $u_user = &unicode($user); - $domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len}); + $domain = &unicode($domain); $response = pack($msg3, $ident, 3); $lmResp = &lmEncrypt($c_info->{data}); $ntResp = &ntEncrypt($c_info->{data}); diff -u 'NTLM-1.03.orig/t/ntlm.t' 'NTLM-1.03/t/ntlm.t' Index: ./t/ntlm.t --- ./t/ntlm.t Mon Apr 14 11:58:47 2008 +++ ./t/ntlm.t Mon Apr 14 12:29:02 2008 @@ -23,7 +23,7 @@ my $passwd = "test"; my $msg1 = "TlRMTVNTUAABAAAAB7IAAAQABAAgAAAABAAEACQAAAB0ZXN0dGVzdA=="; my $challenge = "TlRMTVNTUAACAAAABAAEADAAAAAFggEAQUJDREVGR0gAAAAAAAAAAAAAAAAAAAAAdGVzdA=="; -my $msg2 = "TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAQABABwAAAACAAIAHQAAAAIAAgAfAAAAAAAAABEAAAABYIBAJ7/TlMo4HLg0gOk6iKq4bv2vk35ozHEKKoqG8nTkQ5S82zyqpJzxPDJHUMynnKsBHRlc3R0AGUAcwB0AHQAZQBzAHQA"; +my $msg2 = "TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAgACABwAAAACAAIAHgAAAAIAAgAgAAAAAAAAABIAAAABYIBAJ7/TlMo4HLg0gOk6iKq4bv2vk35ozHEKKoqG8nTkQ5S82zyqpJzxPDJHUMynnKsBHQAZQBzAHQAdABlAHMAdAB0AGUAcwB0AA=="; # 2: username #### End of Patch data #### #### ApplyPatch data follows #### # Data version : 1.0 # Date generated : Mon Apr 14 12:29:27 2008 # Generated by : makepatch 2.03 # Recurse directories : Yes # Excluded files : (\A|/).*\~\Z # (\A|/).*\.a\Z # (\A|/).*\.bak\Z # (\A|/).*\.BAK\Z # (\A|/).*\.elc\Z # (\A|/).*\.exe\Z # (\A|/).*\.gz\Z # (\A|/).*\.ln\Z # (\A|/).*\.o\Z # (\A|/).*\.obj\Z # (\A|/).*\.olb\Z # (\A|/).*\.old\Z # (\A|/).*\.orig\Z # (\A|/).*\.rej\Z # (\A|/).*\.so\Z # (\A|/).*\.Z\Z # (\A|/)\.del\-.*\Z # (\A|/)\.make\.state\Z # (\A|/)\.nse_depinfo\Z # (\A|/)core\Z # (\A|/)tags\Z # (\A|/)TAGS\Z # p 'NTLM.pm' 7320 1208170885 0100744 # p 't/ntlm.t' 1973 1208172542 0100644 #### End of ApplyPatch data #### #### End of Patch kit [created: Mon Apr 14 12:29:27 2008] #### #### Patch checksum: 61 2595 36004 #### #### Checksum: 79 3279 26798 ####

Sat May 31 11:40:22 2008 BUZZ [...] cpan.org - Correspondence added

From:

BUZZ [...] cpan.org

Please re-test this bug agains NTLM 1.04 (as it adds NTLMv2 support), and report it this is still a problem.

Sat May 31 11:40:25 2008 The RT System itself - Status changed from 'new' to 'open'

Tue Jun 03 04:52:03 2008 matt [...] bodgit-n-scarper.com - Correspondence added

On Sat May 31 11:40:22 2008, BUZZ wrote: Show quoted text

> Please re-test this bug agains NTLM 1.04 (as it adds NTLMv2 support), > and report it this is still a problem.

I was having issues authenticating against a sole IIS server and adding this patch to 1.04 (adjusted slightly for the new code) fixed the issue for me.

Tue Jun 03 05:52:23 2008 nigel.metheringham [...] Dev.intechnology.co.uk - Correspondence added

Subject:	Unable to reproduce bug with 1.04 or 1.03
From:	nigel.metheringham [...] Dev.intechnology.co.uk

On Sat May 31 11:40:22 2008, BUZZ wrote: Show quoted text

> Please re-test this bug agains NTLM 1.04 (as it adds NTLMv2 support), > and report it this is still a problem.

I can't reproduce the problem against our IIS 6.0 server at present when using NTLM 1.04. However, when I downgraded to standard NTLM 1.03 (ie not with the patch I previously used) it also authenticated correctly - which previously did not work. Our MIS people say there have been no patches to the IIS server or configuration changes to it in the meantime, although part of our AD structure has changed. At present I can't confirm or reject that the 1.04 changes have addressed the problem.

Tue Jun 03 08:30:09 2008 BUZZ [...] cpan.org - Correspondence added

From:

BUZZ [...] cpan.org

MAT, Can you please advise what version of IIS server you are using, and please give details of the "adjustment/s" you made (or supply the modified .pm code so we can diff against it). Ta, Buzz.

Tue Jun 03 08:34:13 2008 BUZZ [...] cpan.org - Correspondence added

Nigel, thanks for the feedback... Re: Show quoted text

> At present I can't confirm or reject that the 1.04 changes have > addressed the problem.

As the original opener of this ticket, and since you can't currently recreate the original reason for this proposed patch, are you happy for it to be closed off until such time as the problem re-occurs? Buzz.

Tue Jun 03 08:34:15 2008 BUZZ [...] cpan.org - Status changed from 'open' to 'stalled'

Sat Aug 30 03:01:27 2008 BUZZ [...] cpan.org - Status changed from 'stalled' to 'resolved'