# Website problem: Firefox, Linux, SPNEGO and NTLM

## salahx

One of the last things keeping me from going all-Linux is my workplace's website. While the site renders fine, I can't authenticate to it from home under Linux; however, it does work under Windows (both IE and Firefox). Under Linux, I keep getting a 401 error.

The site itself uses Negotiate auth (SPNEGO). On Windows, both Firefox and IE correctly negotiate NTLM. IE prompts for a username and password (although oddly enough, the site doesn't seem to care what gets passed). Firefox just goes right to the site. But under Linux, Firefox just gives a 401 error, because it does not have a SPNEGO implementation - it relies on the system GSSAPI SPNEGO libraries. It does have an NTLM implementation, however. I've tried both the mit-krb5 and heimdal implementations of SPNEGO, but both seem to want to negotiate Kerberos, which isn't what I want.

With great difficulty, I did manage to get a capture (the site uses https, and I have only one Windows machine, so this involved some magic involving Fiddler's SSL interception abilities and some iptables magic, since winpcap can't capture localhost packets):

Client issues request:

```
GET /whatever HTTP/1.1
```

Server replies:

```
HTTP/1.1 401 Unauthorized
Www-authenticate: Negotiate
```

As expected. On Linux, it gives up at that point. Under Windows, it gets further:

```
GET /whatever
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==
```

Server replies:

```
HTTP/1.1 200 OK
```

Dissecting the SPNEGO token reveals:

```
    Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw==\r\n
        NTLM Secure Service Provider
            NTLMSSP identifier: NTLMSSP
            NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
            Flags: 0xe2088297
                1... .... .... .... .... .... .... .... = Negotiate 56: Set
                .1.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Set
                ..1. .... .... .... .... .... .... .... = Negotiate 128: Set
                ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set
                .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set
                .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set
                .... ..1. .... .... .... .... .... .... = Negotiate Version: Set
                .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set
                .... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set
                .... .... .0.. .... .... .... .... .... = Request Non-NT Session: Not set
                .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set
                .... .... ...0 .... .... .... .... .... = Negotiate Identify: Not set
                .... .... .... 1... .... .... .... .... = Negotiate Extended Security: Set
                .... .... .... .0.. .... .... .... .... = Target Type Share: Not set
                .... .... .... ..0. .... .... .... .... = Target Type Server: Not set
                .... .... .... ...0 .... .... .... .... = Target Type Domain: Not set
                .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set
                .... .... .... .... .0.. .... .... .... = Negotiate 0x00004000: Not set
                .... .... .... .... ..0. .... .... .... = Negotiate OEM Workstation Supplied: Not set
                .... .... .... .... ...0 .... .... .... = Negotiate OEM Domain Supplied: Not set
                .... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set
                .... .... .... .... .... .0.. .... .... = Negotiate NT Only: Not set
                .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set
                .... .... .... .... .... ...0 .... .... = Negotiate 0x00000100: Not set
                .... .... .... .... .... .... 1... .... = Negotiate Lan Manager Key: Set
                .... .... .... .... .... .... .0.. .... = Negotiate Datagram: Not set
                .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set
                .... .... .... .... .... .... ...1 .... = Negotiate Sign: Set
                .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set
                .... .... .... .... .... .... .... .1.. = Request Target: Set
                .... .... .... .... .... .... .... ..1. = Negotiate OEM: Set
                .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set
            Calling workstation domain: NULL
            Calling workstation name: NULL
            Version 6.0 (Build 6002); NTLM Current Revision 15
                Major Version: 6
                Minor Version: 0
                Major Version: 6002
                NTLM Current Revision: 15
    \r\n
```

I have the correct sites set in "network.negotiate-auth.trusted-uris". Is there any way I can get this to work without resorting to extreme measures?
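As an added example (not code from the original post or from Firefox, Heimdal or MIT Kerberos), the following Python script decodes the Negotiate token from the capture above the way Wireshark did. It first checks whether the token is a bare NTLMSSP message or a DER-wrapped SPNEGO InitialContextToken (ASN.1 tag 0x60 followed by the SPNEGO OID 1.3.6.1.5.5.2), and for a bare NTLMSSP NEGOTIATE message it decodes the flags, the domain and workstation fields and the Version structure. The captured header line is copied from the post; the SPNEGO sample is a constructed minimal NegTokenInit that offers only the NTLMSSP mechanism, included for contrast; the flag names follow Wireshark's labels so the output can be compared with the dissection line by line.

```python
import base64
import re
import struct

# Bit names for the NTLMSSP NegotiateFlags field (MS-NLMP). The labels follow
# Wireshark's dissector so the output matches the dissection in the post.
NEGOTIATE_FLAGS = {
    0x00000001: "Negotiate UNICODE",
    0x00000002: "Negotiate OEM",
    0x00000004: "Request Target",
    0x00000010: "Negotiate Sign",
    0x00000020: "Negotiate Seal",
    0x00000040: "Negotiate Datagram",
    0x00000080: "Negotiate Lan Manager Key",
    0x00000200: "Negotiate NTLM key",
    0x00000400: "Negotiate NT Only",
    0x00001000: "Negotiate OEM Domain Supplied",
    0x00002000: "Negotiate OEM Workstation Supplied",
    0x00008000: "Negotiate Always Sign",
    0x00010000: "Target Type Domain",
    0x00020000: "Target Type Server",
    0x00040000: "Target Type Share",
    0x00080000: "Negotiate Extended Security",
    0x00100000: "Negotiate Identify",
    0x00400000: "Request Non-NT Session",
    0x00800000: "Negotiate Target Info",
    0x02000000: "Negotiate Version",
    0x20000000: "Negotiate 128",
    0x40000000: "Negotiate Key Exchange",
    0x80000000: "Negotiate 56",
}

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER encoding of the SPNEGO mechanism OID 1.3.6.1.5.5.2, which follows the
# 0x60 tag at the start of every GSS-API InitialContextToken carrying SPNEGO.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")


def classify_negotiate_token(token_b64):
    """Return 'raw-ntlmssp', 'spnego' or 'unknown' for a Negotiate token."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlmssp"
    if raw[:1] == b"\x60" and SPNEGO_OID_DER in raw[:16]:
        return "spnego"
    return "unknown"


def parse_ntlm_negotiate(raw):
    """Decode an NTLMSSP NEGOTIATE (type 1) message into its fields."""
    if not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected NTLMSSP_NEGOTIATE (1), got %d" % msg_type)
    # DomainName and Workstation are (Len, MaxLen, Offset) field descriptors.
    dom_len, _, dom_off = struct.unpack_from("<HHI", raw, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", raw, 24)
    info = {
        "flags": flags,
        "set_flags": [NEGOTIATE_FLAGS.get(1 << i, "0x%08x" % (1 << i))
                      for i in range(32) if flags & (1 << i)],
        "domain": raw[dom_off:dom_off + dom_len].decode("ascii", "replace") or None,
        "workstation": raw[ws_off:ws_off + ws_len].decode("ascii", "replace") or None,
        "version": None,
    }
    # The 8-byte Version structure is present only when Negotiate Version is set:
    # major, minor, build (little-endian), 3 reserved bytes, NTLM revision.
    if flags & 0x02000000 and len(raw) >= 40:
        info["version"] = struct.unpack_from("<BBH3xB", raw, 32)
    return info


def inspect_authorization_header(header_line):
    """Classify the token in an 'Authorization: Negotiate <b64>' line and,
    for a bare NTLMSSP type 1 message, decode it."""
    m = re.match(r"(?i)Authorization:\s*Negotiate\s+(\S+)", header_line.strip())
    if not m:
        raise ValueError("not a Negotiate authorization header")
    kind = classify_negotiate_token(m.group(1))
    details = None
    if kind == "raw-ntlmssp":
        details = parse_ntlm_negotiate(base64.b64decode(m.group(1)))
    return kind, details


# Header line copied from the capture in the post.
CAPTURED_HEADER = "Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAHIXAAAADw=="

# Constructed sample (not from the capture): a minimal SPNEGO NegTokenInit whose
# mechTypes list offers only NTLMSSP (OID 1.3.6.1.4.1.311.2.2.10), i.e. the
# DER-wrapped shape a GSS-API SPNEGO library emits.
SPNEGO_SAMPLE_HEADER = "Authorization: Negotiate " + base64.b64encode(bytes.fromhex(
    "601c"                      # [APPLICATION 0] InitialContextToken, 28 bytes
    "06062b0601050502"          # thisMech: SPNEGO OID
    "a012"                      # negotiationToken [0]
    "3010"                      # NegTokenInit SEQUENCE
    "a00e"                      # mechTypes [0]
    "300c"                      # MechTypeList SEQUENCE OF OID
    "060a2b06010401823702020a"  # NTLMSSP mechanism OID
)).decode("ascii")


if __name__ == "__main__":
    for line in (CAPTURED_HEADER, SPNEGO_SAMPLE_HEADER):
        kind, details = inspect_authorization_header(line)
        print(kind)
        if details:
            print("  flags 0x%08x" % details["flags"])
            for name in details["set_flags"]:
                print("   ", name)
            print("  version", details["version"])
```

Run on the captured header it reports `raw-ntlmssp` with flags 0xe2088297 and version (6, 0, 6002, 15), matching the dissection; on the constructed sample it reports `spnego`. The distinction is worth checking whenever one client succeeds and another fails against the same server: the Windows client in the capture sent a bare NTLMSSP message under the Negotiate scheme, whereas a GSS-API SPNEGO library wraps its mechanism offer in the DER envelope shown by the sample.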

----------

## gerdesj

I think you answer the question with - on IE it doesn't matter what user/pass is requested. Your intranet sysadmins are plonkers!

Can you point out to them that any user/pass works?

SPNEGO uses Kerb, NTLM etc (see Wikipedia article)

Lacking further info/inspiration, have a look at "ntlmaps". It's been good to me in the past and may do the trick.

Cheers

Jon

----------

## salahx

The fact it takes any username and password is semi-deliberate. It still requires a form-based login, except on the internal network - the web application can use Kerberos delegated credentials to log in automatically on IE7 and IE8, but unfortunately much of my company still uses IE6, which falls back to NTLM and brings up the form-based login. I don't care if the delegated credential feature works, I just want it to bring up the page so I can log in via the webform.

ntlmaps isn't working for me, and it doesn't seem to be the right application for what I'm trying to do anyway. What I need to know is how (if it can be done) to set up one of the Linux GSSAPI SPNEGO implementations (like the ones in mit-krb5 or heimdal) to work the way Windows SSPI does, and negotiate NTLM if it cannot negotiate Kerberos (which it obviously can't).

----------

## gerdesj

OK - what system does this website actually use (SharePoint perhaps?)

Cheers

Jon

----------

## salahx

SharePoint? Probably, most of the company is a rat maze of SharePoint sites. Though the headers mention some Java servlet proxy.

Right now I'm trying Heimdal. It has a GSSAPI implementation for both SPNEGO and NTLM. But it still isn't working.

First attempt:

```
service = my.company.com
using negotiate-gss
entering nsAuthGSSAPI::nsAuthGSSAPI()
Attempting to load gss functions
entering nsAuthGSSAPI::Init()
nsHttpNegotiateAuth::GenerateCredentials_1_9_2() [challenge=Negotiate]
entering nsAuthGSSAPI::GetNextToken()
gss_import_name() failed:  Miscellaneous failure (see text)
unable to find realm of host ardvarc
```

OK, so I filled in /etc/krb5.conf. Try again. Now it's a different error:

```
gss_init_sec_context() failed:  An unsupported mechanism was requested
unknown mech-code 0 for mech unknown
leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
```

So far, can't get past that point.

----------

