
NTLM authentication affects IE's posting capability?



mikee
23 Oct 2007, 3:04 PM
After a good day of debugging (why isn't there a firebug for IE) and packet sniffing I believe I've narrowed my problem down to an issue that totally baffles me...

--

I'm using params with "updater" (submits using POST), and tree-loader that also uses POST to submit the node-info (default).

Things work great, with IE and FFOX **until** you turn on NTLM authentication (apache2x).

( http://modntlm.sourceforge.net/ )
--

After that ExtJS inside IE *REFUSES* to POST data to the server anymore (the POST-variables never make it to the web-server for both UPDATE and TreeLoader.. they disappear somewhere inside IE/ExtJS?). GET variable posting seems to work fine however... (just POST variables never make it to the server)

NOTE: FFox continues to work properly, and POSTS its data like nothing happened.

--

Just to add a little more insult to injury, an accordion with a tree in it in the left-panel works fine... (also uses post as a tree-loader)... but when that tree calls (posts) for updates in the main/center panel, POSTS (from just IE) stop working... print_r output of REQUEST shows some session variables etc, but simply not the data POSTED.... (( again, works fine from FF and IE without NTLM authentication... breaks for JUST IE once NTLM authentication is turned on ))

Has anyone seen this before?
Does anyone have an idea of where this problem may be concentrated, and a good debugging strategy? (is this purely an IE issue, or some sort of NTLM/ExtJS interaction?)

thanks for any assistance.

-- MikeE

devnull
23 Oct 2007, 3:20 PM
I found that NTLM authentication and XHR just don't mix...
You have to perform the NTLM authentication prior to loading the webapp, and it has to be done in such a way that the NTLM headers will not be present after authentication (normally they are, this is what causes problems).
Fortunately, the NTLM authentication is normally only available to the folder and subfolders of where it was initially performed, so you can play some tricks with http redirects.
What I ended up doing to get around it was a bit complicated, but it works.
First, I check a session variable for user information (to see if we have already been authenticated). If no info exists, I do a server redirect to a separate folder outside of my current folder structure, setting a session variable with path information so I know how to get back. In this separate folder is the script that performs the authentication (which involves redirecting to itself several times), then saves the authenticated user information to the session and redirects back to the initial webapp folder. The script there now sees user information in the session, so continues normally.
If you are still confused (I would be, lol) feel free to ask questions. It may be a bit out of the scope of this forum, but I can post examples of my server side scripts that do all of this too (php).
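
The redirect flow described in the post above, as an added PHP sketch (not the poster's scripts). It assumes mod_ntlm protects only a separate `/ntlm-auth/` folder and exposes the authenticated user as `REMOTE_USER`; the folder names, session keys and function names are hypothetical.

```php
<?php
// Added sketch; folder names and session keys are hypothetical.
// Assumes mod_ntlm protects only /ntlm-auth/ and sets REMOTE_USER,
// and that the session cookie path ("/") covers both folders.

const AUTH_SCRIPT = '/ntlm-auth/login.php';   // outside the web app's folder tree
const APP_PREFIX  = '/webapp/';               // only return targets under here are allowed

// Accept only a local path inside the app; anything else falls back to the app root.
function safe_return_path(?string $path): string
{
    if ($path === null
        || strncmp($path, APP_PREFIX, strlen(APP_PREFIX)) !== 0
        || strpos($path, '..') !== false
        || preg_match('/[\r\n\\\\]/', $path)) {
        return APP_PREFIX;
    }
    return $path;
}

// Call at the top of every page in the (unprotected) web app folder.
function require_ntlm_user(): string
{
    session_start();
    if (empty($_SESSION['ntlm_user'])) {
        // Remember where to come back to, then leave the app folder to authenticate.
        $_SESSION['return_to'] = safe_return_path($_SERVER['REQUEST_URI'] ?? null);
        header('Location: ' . AUTH_SCRIPT, true, 302);
        exit;
    }
    return $_SESSION['ntlm_user'];
}

// Body of the script at AUTH_SCRIPT; Apache has already completed the NTLM handshake.
function finish_ntlm_login(): void
{
    session_start();
    $user = $_SERVER['REMOTE_USER'] ?? '';
    if ($user === '') {
        http_response_code(403);
        exit('NTLM authentication did not supply a user');
    }
    session_regenerate_id(true);              // new session ID once the identity is known
    $_SESSION['ntlm_user'] = $user;
    $target = safe_return_path($_SESSION['return_to'] ?? null);
    unset($_SESSION['return_to']);
    header('Location: ' . $target, true, 302);
    exit;
}
```

Restricting the stored return path to the app prefix keeps the post-login redirect from being pointed at another site, and regenerating the session ID after authentication keeps a pre-login session ID from carrying the authenticated identity.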

mikee
23 Oct 2007, 8:59 PM
I fumbled onto this link describing some very wacky IE behavior:

http://www.websina.com/bugzero/kb/browser-ie.html

Turns out I was in DIRECT-violation of #1. (mixing NTLM-protected with unprotected).

I just *KNOW* this is going to cause me more trouble in the future, but for now it works fine if I move all php files into the NTLM protected area.... Perhaps it's time to look into siteminder to see if it's any cleaner than modNTLM. (please drop me a note if you have some experience with it)

thanks -- MikeE

devnull
24 Oct 2007, 7:06 AM
I've no idea what siteminder is. My environment is php in apache, on a linux box which is a member of an NT4 domain. Once NTLM authentication is complete, I use some winbind interaction to retrieve group memberships to use as permissions in the apps.
Glad to hear you got it worked out.