Edgewall Software

Ticket #1343 (closed defect: duplicate)

Opened 4 years ago

Last modified 2 years ago

Poor interoperability with NTLM

Reported by: rogerb@…
Owned by: jonas
Priority: normal
Milestone:
Component: general
Version: 0.8.1
Severity: normal
Keywords:
Cc: rogerb@…

Description

I have Trac running using mod_python on Gentoo with Trac in the root of the web server. Client is Windows 2000 Professional.

When using Firefox to make a new ticket, everything goes fine. When using IE, I just get the main page again on hitting submit.

I used Ethereal to see what is going on. With Firefox it does a POST with all the relevant data. IE does a POST but doesn't include any data.

I can't see any particular reason why IE isn't supplying the data ...

Change History

  Changed 4 years ago by rogerb@…

I have tracked it down to an authentication issue. I am authenticated using NTLM. If I am a logged in user, then IE sends no content when the POST happens (to /). If I am not logged in then it has no issue with this.

Presumably it is trying to keep my content "safe" when authenticated. I even tried adding the system to the trusted sites list. This issue also affects wiki page editing and presumably all other form submissions.

Forcing the authentication against / solves the problem, but means that it is impossible to give anonymous read only access.

I think this could be solved by making all form submissions go against Trac's root for unauthenticated users and against /login or a sub path of that for authenticated users, so that there is no mixing and matching of authenticated contexts and forms.

  Changed 4 years ago by rogerb@…

  • summary changed from IE not making tickets, Firefox does to Poor interoperability with NTLM

Ok, the final scoop. Ugly details are at http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication

Note especially the paragraph:

A notable exception to the above is the client's behavior when submitting a POST request (typically employed when the client is sending form data to the server). If the client determines that the server is not the local host, the client will initiate reauthentication for POST requests over the active connection. The client will first submit an empty POST request with a Type 1 message in the "Authorization" header; the server responds with the Type 2 message (in the "WWW-Authenticate" header as shown above). The client then resubmits the POST with the Type 3 message, sending the form data with the request.

That means that if you use NTLM authentication, all POSTs must go to a location that demands authentication (Require valid-user).

One solution is to <Limit POST> in the root location to require authentication. That will keep IE happy, but will only allow authenticated users to do POSTs.

The only correct fix is to make authenticated users do POSTs to /login or a child thereof and non-authenticated to still go to the root.
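The following is an added illustration, not code from the ticket, Trac or Apache. It models the exchange quoted above as a small simulation: an IE-style client that re-authenticates on every POST by first sending an empty body with a Type 1 message, a cookie-based client that sends the form in one request, and a server whose `require_auth_for_post` flag stands in for `Require valid-user` inside `<Limit POST>` on the Trac root. The `TYPE1/TYPE2/TYPE3(constructed)` strings are placeholders for the real base64 NTLM messages; only the sequencing matters here. The scenario names and the `summary=...` form body are constructed for the example.

```python
"""Simulation of NTLM-over-HTTP POST re-authentication and why an anonymous
Trac root receives empty POSTs from an NTLM-authenticated IE session.

Added example; not Trac, Apache or mod_ntlm code. NTLM messages are opaque
placeholder strings (constructed), not real Type 1/2/3 blobs.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TYPE1 = "NTLM TYPE1(constructed)"
TYPE2 = "NTLM TYPE2(constructed)"
TYPE3 = "NTLM TYPE3(constructed)"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Server:
    """`require_auth_for_post` models `<Limit POST> Require valid-user </Limit>`
    on the Trac root location; False models anonymous access to the root."""
    require_auth_for_post: bool
    received_bodies: List[str] = field(default_factory=list)  # what Trac processed

    def handle(self, req: Request) -> Response:
        auth = req.headers.get("Authorization", "")
        if req.method == "POST" and self.require_auth_for_post:
            if auth == TYPE1:
                # Challenge with the Type 2 message; the (empty) body is discarded.
                return Response(401, {"WWW-Authenticate": TYPE2})
            if auth != TYPE3:
                # No usable credentials: reject, Trac never sees the request.
                return Response(401, {"WWW-Authenticate": "NTLM"})
        # Anonymous access allowed, or handshake complete: Trac processes the body.
        self.received_bodies.append(req.body)
        return Response(200)


def post_like_ie(server: Server, path: str, form: str, authenticated: bool) -> Response:
    """IE with an NTLM session, per the davenport write-up: for a non-local host
    it re-authenticates on every POST, opening with an EMPTY POST + Type 1."""
    if not authenticated:
        # Anonymous IE session: ordinary single POST carrying the form.
        return server.handle(Request("POST", path, {}, form))
    first = server.handle(Request("POST", path, {"Authorization": TYPE1}, ""))
    if first.status == 401 and first.headers.get("WWW-Authenticate") == TYPE2:
        # Server challenged as expected: resend with Type 3 and the form data.
        return server.handle(Request("POST", path, {"Authorization": TYPE3}, form))
    # Server answered 200 to the empty POST, so the client never resends the form.
    return first


def post_like_firefox(server: Server, path: str, form: str) -> Response:
    """Cookie-based client: one POST with the form, as Trac expects."""
    return server.handle(Request("POST", path, {"Cookie": "trac_auth=constructed"}, form))


def run_scenarios() -> Dict[str, Optional[str]]:
    """Return, per scenario, the body Trac actually processed (None = rejected)."""
    form = "summary=IE+form+data"

    def observe(require_auth: bool, client: Callable, *args) -> Optional[str]:
        server = Server(require_auth_for_post=require_auth)
        client(server, *args)
        return server.received_bodies[-1] if server.received_bodies else None

    return {
        # Anonymous root (what the reporter wants): logged-in IE loses its data.
        "anon_root/ie_logged_in": observe(False, post_like_ie, "/", form, True),
        "anon_root/ie_anonymous": observe(False, post_like_ie, "/", form, False),
        "anon_root/firefox": observe(False, post_like_firefox, "/", form),
        # <Limit POST> Require valid-user: IE works, but anonymous POSTs are gone.
        "limit_post/ie_logged_in": observe(True, post_like_ie, "/", form, True),
        "limit_post/ie_anonymous": observe(True, post_like_ie, "/", form, False),
    }


if __name__ == "__main__":
    for name, body in run_scenarios().items():
        print(f"{name:28} -> {body!r}")
```

The `anon_root/ie_logged_in` case reproduces the Ethereal observation from the description: the application receives a POST whose body is empty, because the server accepted the Type 1 probe instead of challenging it. The `limit_post/*` pair shows the trade-off stated above: requiring authentication on the root location fixes IE but rejects every anonymous POST.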

  Changed 4 years ago by Matthew Good <trac matt-good net>

Well, I would think that the correct fix would be for Apache to handle this itself, but maybe there's something that I'm missing.

Something seems kind of weird about making the posts go to the login path, but that might just be me. I believe that Trac could avoid this by looking for the "Authorization" header and sending the Type 2 response. Although specializing the code like that to handle NTLM may be a bit ugly, and the post to /login solution might actually be a bit more elegant.

However, all that said, I would think that you should still submit a bug report on Apache about this (or check if there is one already). Have you tried it with CGI? I don't know if Apache would handle this any differently because of mod_python compared to other setups.

  Changed 4 years ago by anonymous

  • cc rogerb@… added

  Changed 4 years ago by rogerb@…

The problem is a different view of the world between Trac and NTLM. Trac believes you should only ever have to authenticate once at one place and gives you a cookie for use from then on.

NTLM believes you should never hand over data to a server unless the server and client can mutually verify each other. NTLM also does authentication on the first request of a persistent connection, but Trac manages to subvert that by using the cookie.

I did try to configure Apache in various ways using either mod_python or cgi. Unfortunately it gets very difficult as all the POST action happens to the root of the Trac object space and I tried various gymnastics to get it to not affect items below as well. Things get even more difficult since I still wanted anonymous read only access.

I don't believe it is possible to configure modntlm to optionally do authentication but only if the client requests it.

Perhaps another way of doing this is to have an explicit path that POSTS go to (ie not the root of the Trac namespace) since that will help with the inherited settings issues. It would be even nicer if the different locations are based on the action that is happening since it will allow me to use Apache access control directives to do authentication, logging, redirects (eg to SSL), IP based access etc.

For example, modifying tickets could go to /forms/tickets and modifying the wiki could go to /forms/wiki. Changes to views such as sort orders etc. could go to /forms/views.

  Changed 3 years ago by anonymous

  • milestone set to 0.9

  Changed 3 years ago by cmlenz

  • milestone 0.9 deleted

follow-up: ↓ 9   Changed 2 years ago by sid

  • status changed from new to closed
  • resolution set to duplicate

This ticket is a duplicate of #3338. (this ticket is also older, but that ticket has more information about solutions)

in reply to: ↑ 8   Changed 2 years ago by rogerb@…

Replying to sid:

This ticket is a duplicate of #3338. (this ticket is also older, but that ticket has more information about solutions)

That ticket is not a duplicate. They are using SSPI which is a different authentication mechanism and can only be used by servers running on Windows.

This ticket is for NTLM which is what is available on non-Windows platforms (mod_ntlm proxies to a Windows box behind the scenes). The infrastructure in the web server differs and the interoperability issues differ.

However I am no longer in a position to test any solutions (Windows free environment :-) so you can keep this closed if you believe it doesn't affect any other Unix admins.
