Safari proxy NTLM authentication on Lion

I am working on an (let me say "enterprise") odd problem. To connect to the Internet our company makes use of an HTTP proxy, based on TrendMicro IWSS, configured to authenticate users with AD credentials, forcing digest authentication with NTLM.
The login window in Safari reports "unencrypted", but analyzing TCP/IP traffic with Wireshark, it really seems that NTLM has been used and so the password is really encrypted... Has anybody noticed such behaviour?

I have noticed this too when trying to connect to a Sharepoint server.
Reading elsewhere suggests this message "Your password will be sent unencrypted" is meant to come up when "Basic" authentication is requested by the server, which is understandable.
However, when I look at the headers coming back from the Sharepoint server, it is only offering NTLM authentication.
It kinda looks like the Safari developers wrote the following, back when there was only Digest and Basic:
if (method != Digest) {
     // Complain about unencrypted passwords
}
whereas they should have done
if (method == Basic) {
     // Complain about unencrypted passwords
}
Or something similar.
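
Added example (not part of the original posts, and not Safari's code): a Python sketch that classifies the authentication headers seen in a capture like the Wireshark one described above, and applies the "warn only for Basic" check the reply proposes. The header samples, the stub NTLM messages (signature and type only), the scheme preference order and all function names are assumptions constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
CHALLENGE_HEADERS = {"www-authenticate", "proxy-authenticate"}
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}
# Assumption: when several schemes are offered the client picks in this order.
PREFERENCE = ["NTLM", "DIGEST", "BASIC"]


def _b64(token):
    """Decode a base64 token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:
        return None


def describe_ntlm(token):
    """Name the NTLM message carried in a header token."""
    if not token:
        return "bare NTLM offer, no message yet"
    raw = _b64(token)
    if raw is None or len(raw) < 12 or not raw.startswith(NTLM_SIGNATURE):
        return "not a valid NTLMSSP message"
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type field
    return "NTLMSSP type %d (%s)" % (msg_type, NTLM_TYPES.get(msg_type, "unknown"))


def classify_header(line):
    """Classify one HTTP header line; return None if it is not an auth header."""
    name, sep, value = line.partition(":")
    header = name.strip().lower()
    if not sep or header not in CHALLENGE_HEADERS | CREDENTIAL_HEADERS:
        return None
    parts = value.split(None, 1)
    if not parts:
        return None
    scheme = parts[0].upper()
    token = parts[1].strip() if len(parts) > 1 else ""
    info = {"header": name.strip(), "scheme": scheme, "password_on_wire": False}
    if scheme == "BASIC" and header in CREDENTIAL_HEADERS:
        raw = _b64(token)
        if raw is not None and b":" in raw:
            # Basic is only an encoding: anyone who sees the header has the password.
            user = raw.split(b":", 1)[0].decode("utf-8", "replace")
            info["password_on_wire"] = True
            info["detail"] = "base64 of user:password for user " + user
        else:
            info["detail"] = "malformed Basic credentials"
    elif scheme == "BASIC":
        info["detail"] = "server offers Basic; the reply would carry base64(user:password)"
    elif scheme == "NTLM":
        # NTLM carries a challenge/response exchange, not the password itself.
        info["detail"] = describe_ntlm(token)
    elif scheme == "DIGEST":
        info["detail"] = "hashed response, no password in the header"
    else:
        info["detail"] = "scheme not analysed by this example"
    return info


def should_warn_unencrypted(response_header_lines):
    """Warn only when the scheme the client would select is Basic."""
    offered = set()
    for line in response_header_lines:
        info = classify_header(line)
        if info and info["header"].lower() in CHALLENGE_HEADERS:
            offered.add(info["scheme"])
    for scheme in PREFERENCE:
        if scheme in offered:
            return scheme == "BASIC"
    return False


def _ntlm_stub(msg_type):
    # Constructed stub: signature + type + padding, not a full NTLM message.
    body = NTLM_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 8
    return base64.b64encode(body).decode("ascii")


# Constructed sample headers, in the order a proxy handshake would show them.
SAMPLE_CAPTURE = [
    "Proxy-Authenticate: NTLM",
    "Proxy-Authorization: NTLM " + _ntlm_stub(1),
    "Proxy-Authenticate: NTLM " + _ntlm_stub(2),
    "Proxy-Authorization: NTLM " + _ntlm_stub(3),
    "Authorization: Basic " + base64.b64encode(b"alice:example-password").decode("ascii"),
]

if __name__ == "__main__":
    for captured in SAMPLE_CAPTURE:
        result = classify_header(captured)
        print(result["header"], result["scheme"], result["password_on_wire"], result["detail"])
    print("warn for NTLM-only offer:", should_warn_unencrypted(SAMPLE_CAPTURE[:1]))
```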

Similar Messages

  • Safari, Proxy Authentication, and Certificate Authorities ( for https )

    A recent update to Safari has caused it to not work with our proxy authentication.  It will not provide authentication details when looking up SSL certificate authorities, causing certificate errors on all https:// websites. All other traffic (http, https if certificate is bypassed, plugins, etc.) seem to work just fine. Is anyone else having this problem?  If so, is there a fix?
    It occurs on Mac and PC.  I am using SquidGuard with NTLM authentication.  All other browsers on our system (IE x.x, FireFox, Chrome, Opera ) don't have this issue.

    I have the same problem and it's frustrating as can be.
    What happens to me is that when I bring my laptop to work, and put it on the work network and launch Safari, Safari informs me that each of my plug-ins is invalid and then uninstalls them - I'm effectively not able to use any plug-ins at work, and I have to go hunt them down when I get back home (for reference, the extensions are still physically in \users\me\Library\Safari\Extensions - so when I get home I can just double click on all of them)
    I opened a case with Apple and I encourage you to do the same. Perhaps if enough users complain they will find a gentler way to work with it.
    They had me do a capture and after analyzing it said it was an issue with the work network and not being able to validate the extensions.
    It sounds like the same issue you have - as my work network uses a proxy as well.
    The rep suggested that I use a different browser at work, but I'm so used to clicking safari, that I do it out of habit.
    I really like Safari, and hope they get it fixed - Safari may not get respect in the windows world, but it's really a great browser - especially on a laptop where screen real estate is limited (where I often hit command-shift-\ to hide the address bar to see more of the page)
    -Jack

  • NTLM Authentication Problems

    Hello
    I have the following scenario in my company for the development team: 1 server with SQUID proxy, 1 server with IIS7 and 1 site requiring NTLM authentication. NTLM is REQUIRED for compatibility purposes. 
    When I try to access the site from Windows XP or from other OS using Safari or Firefox I can access the site and get the message "You are now authenticated using NTLM". No issues here. 
    When I try using Windows 7 or Windows 8 I always get the message "Proxy server isn't responding". I already followed several recommended steps on TechNet pages and forums (GPO alterations, regedit values for NTLM, etc.) and nothing works. 
    Does somebody have any idea? I am completely blocked. 
    Thanks in advance. 

    Hi,
    Please take a try with the following steps:
    1. Open "Tools" -> "Internet Options".
    2. On the "Advanced" tab make sure the option "Security -> Enable Integrated Windows Authentication" is checked.
    3. On the "Security" tab select "Local Intranet" -> "Sites" -> "Advanced" and add your server URL to the list.
    Hope this may help
    Best regards
    Michael Shao
    TechNet Community Support

  • Public-facing on-premises SharePoint with NTLM authentication

    I've been searching for authentication best practices for public-facing SharePoint site but I didn't find any useful resources on the issue that is troubling me.
    Assume I set up a web application with Classic NTLM authentication. On that web application I enable Anonymous access. This means that users inside organization's network will be able to authenticate (actually use SSO) using organization's DC. They will be able to access and administer all content. All other anonymous users will be able to see published content only i.e. content which is permitted to anonymous users.
    My question is: Is this kind of setup a security issue because if a potential attacker hacks a WFE then he has direct access to DC?
    Is FBA maybe a better solution for public-facing sites? Or maybe use NTLM, but create a separate domain with one-way trust to organization's domain?

    There are many variations you can take with this - and really you need to consider more than just your content. For true separation:
    I would have a dedicated DC to manage service accounts.
    I would break up my DMZ behind firewall contexts with a reverse proxy publishing SharePoint at the edge.
    proxy/firewall -- SP Server -- Firewall -- SQL/DC
    For true separation you don't want to share any underlying infrastructure with internal either, although in reality logical separation is usually enough.
    Now you have to deal with internal user authentication and how to handle that. The first thing is I would have at minimum two webs available, your primary for editing and the extended version for public access.
    While a one way trust would work - you still do expose user info out to the public which you may not want. With this configuration you could configure people picker to only select from a particular OU to minimize this.
    Another option however is to look at using ADFS between your domains and create the trust there. You would have to configure the farm for claims auth to make this work, but this would eliminate the possibility of probing all the users in AD or the OU you expose.
    With the ADFS method when you update documents your user name is still tagged to content - however if you don't populate the user profiles this will be the only information available about any internal user.
    You may even want to go a step further and when you extend the public site, use forms authentication but don't provide any users. Then there is no authenticated access from the public URL. And with ADFS/Reverse Proxy you may even be able to configure some pre-authentication for your internal users before they can even reach the internal SharePoint pages.
    I would strongly consider moving to SharePoint 2013 and looking at the cross site publishing (2010 and below have the content publishing - but stay away from that, when it works it's great, but when it doesn't it's a PITA to get back in sync). With cross site publishing you have an editing site and the publishing site pulls from the Search index and the permissions are completely separate.

  • Re: How to enable NTLM authentication in OSB???

    Hi all,
    We have the same problem trying to integrate OSB with an asmx service that uses NTLM.
    We tried an alternative: we created the artifacts of the asmx service using wsimport and we created a little Java project using these artifacts. We also added a class with a static method in this project in order to be used by the OSB Java callout mechanism. When this project is used standalone (through Eclipse) it works fine, and as the environment is Windows Server, it automatically sends to the client the credentials of the user that is logged on to the Windows domain. On the other hand, when we deploy this Java project in OSB as a jar for callout we receive: Response: '401: Unauthorized' exactly at the point that the produced artifact class invokes the constructor of javax.xml.ws.Service in order to create an instance of the service.
    Can it be the same problem stated by 830428?
    The stack trace:
    com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:172),
      com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:153),
      com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:284),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:246),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187),
      weblogic.wsee.jaxws.spi.WLSServiceDelegate.<init>(WLSServiceDelegate.java:73),
      weblogic.wsee.jaxws.spi.WLSProvider$ServiceDelegate.<init>(WLSProvider.java:515),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:103),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:95),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:71),
      javax.xml.ws.Service.<init>(Service.java:56),
      org.tempuri.EDoc.<init>(EDoc.java:46),
    after that (actually before) is just our code which calls the  @WebServiceClient Class (the local artifacts which are used to call the actual web service).

    Kuppusamy.V.,
    We experienced the same issue as you and managed to find a solution to the problem.
    The OSB does not support NTLM authentication, so you are quite correct in stating you must write a Java class and use a Java callout from an OSB Proxy Service.
    Our Java class worked fine from the Unix commandline, but failed when deployed to the OSB and invoked by the proxy service with the dreaded '401 Unauthorised' error.
    On closer inspection, the proxy service stack trace revealed:
    java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx' at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
    We noticed that the exception was being thrown from the WebLogic 'weblogic.net.http.HttpURLConnection' class and not the Sun 'java.net.HttpURLConnection' as we expected (and our Java code explicitly imported)!
    We couldn't understand why a different HTTP handler was being invoked, but it got us thinking. And thinking. And raising an Oracle support ticket. And waiting.
    Tired of waiting, we revisited the problem and chanced across the Javadoc for the 'java.net.URL' class and noticed one of the constructors allows you to specify a HTTP handler!
    Instead of opening our URL with this typical usage:
    URL url = new URL(yourURL);
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    We used:
    URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    And, hey presto!, it worked a treat.
    And we closed the Oracle service ticket. And stopped waiting :)
    Regards,
    Jerome

  • Authenticator not being invoked - NTLM authentication against IIS 6.0 !!

    Hi Folks,
    I am trying to access Microsoft Reporting Service running on IIS 6.0 through a Web Proxy (a simple application running in an App Server) using the NTLM authentication. This is what I am doing:
    Authenticator.setDefault(new ReportAuthenticator());
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    As I understand, the authentication is to magically work with the IIS Server requesting my web proxy for the credentials on connect, which should invoke the Authenticator class.
    However this is not happening at the moment. The authenticator object never gets invoked and even then my web proxy is able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my Windows credentials to IIS and since my account has sufficient privileges on IIS, I am able to get through the initial connection.
    When I debug the urlConnection object, I can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
    Is the Authenticator object meant to be invoked automatically or do I need to set some header information in the urlConnection?
    Any help is greatly appreciated.
    P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
    best regards
    Dushy

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2

  • NTLM Authentication with a domain controller/active directory

    Hi,
    I have a requirement to do an NTLM authentication with the MS active directory.
    I am aware that JNDI doesn't support this protocol to communicate with the AD.
    I have looked into couple of online solutions available but that doesn't seem to meet my requirement. Most of the solutions like (Apache commons NTLMScheme/NTCredentials and java.net.Authenticator etc...) are used for only NTLM proxy authentication (where both username, password is sent to the proxy server which does the actual NTLM authentication with the Active Directory.)
    What I need is a solution in Java where I can directly contact Active directory for negotiation of challenge/response mechanism.
    Can any of you guys suggest any alternative to achieve this ?

    it really depends to be honest. I'd probably go something like this though:
    One Small physical server to act as a domain controller - you could put DHCP on this too
    One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
    Then for your VM's create the following:
    1 x additional domain controller
    For remote desktop services:
    1 x Remote Desktop Session Host
    1 x Connection Broker
    1 x Gateway and web server
    For additional services
    1 or 2 x Exchange
    1 x sharepoint
    1 x IIS
    but it really depends what you want to achieve. 
    The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
    If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
    Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated. 
    Regards,
    Denis Cooper
    MCITP EA - MCT

  • OSB NTLM authentication

    Hi.
    I'm looking for any example to create a passthrough proxy service on a business service based on an HTTP endpoint that requires basic authentication plus NTLM domain.
    I haven't OWSM on this OSB.
    TIA
    Corrado

    Corrado,
    FYI, NTLM is no longer recommended -
    http://msdn.microsoft.com/en-us/library/cc236715.aspx
    http://en.wikipedia.org/wiki/NTLM
    Now coming to your question, OSB does not support NTLM authentication mechanism. As a workaround, you may write a java client that can support NTLM authentication over HTTP and then use this as a java callout in your proxy. You may pass the incoming authentication info to the java callout which may perform the further work (authentication and service invoke)
    Regards,
    Anuj

  • Issue using Flash IDE with Mac OS and Windows Web Service using NTLM authentication?

    I have an existing application that I developed on a Windows machine using CS5.  It uses a local intranet web service written in .NET using NTLM authentication.  The web service does multiple things such as read data from an SQL database, provide the user's username, and test for write/read access to a local company fileshare.  When my company upgraded, I went to a Mac with Flash CC which is great.  However, Macs don't handle HTTP Authorization Challenge Blocks like Windows machines.  In Safari, Chrome, etc. it will pop up a little username and password box and proceed on without issue.  The issue is in Flash development.  When running the exact same application in Flash testing all script access fails with HTTP Status 401 errors.  I have searched the AS3 documentation, but the only thing built in to handle HTTP challenge requests is in AIR, not Flash.  The server admins and I have tried all methods of cross domain policy files and access changes with no luck at all.  Does anyone have a solution to this issue?

    Did you check Apple Support Boot Camp article?
    iMac displays a black screen during installation of Windows 7
    http://www.apple.com/support/bootcamp/
    Installation Guide
    Instructions for all features and settings.
    Boot Camp FAQ: Get answers to commonly asked Boot Camp questions.
    Windows 7 FAQ: Answers to commonly asked Windows 7 questions.

  • NTLM Authentication

    We are trying to set up NTLM authentication using IIS proxy on IIS 5 and EP6. We have got the IISproxy module working but are having problems after changing the authschemes.xml.
    Here's my XML file
    ======================================================
    <?xml version="1.0" encoding="UTF-8"?>
    <!--  Configuration File for Authentication Schemes -->
    <!-- $Id: //shared_tc/com.sapall.security/60_SP2_REL/src/_deploy/dist/configuration/shared/authschemes.xml#3 $ from $DateTime: 2003/11/11 11:42:10 $ ($Change: 13312 $) -->
    <document>
         <authschemes>
            <!--  authschemes, the name of the node is used -->
            <authscheme name="ntlmuidpw">
                <!-- multiple login modules can be defined -->
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.WindowsLoginModule</loginModuleName>
                    <controlFlag>SUFFICIENT</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                <priority>20</priority>
                <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
                <frontendtype>2</frontendtype>
                <!-- target object -->
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
         <authschemes>
            <!--  authschemes, the name of the node is used -->
            <authscheme name="uidpwdlogon">
                <!-- multiple login modules can be defined -->
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
                    <controlFlag>SUFFICIENT</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertPersisterLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>20</priority>
                <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
                <frontendtype>2</frontendtype>
                <!-- target object -->
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
            <authscheme name="certlogon">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.CertLoginModule</loginModuleName>
                    <controlFlag>REQUISITE</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>21</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
            </authscheme>
            <authscheme name="basicauthentication">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
                    <controlFlag>REQUIRED</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>20</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.basicauthentication</frontendtarget>
            </authscheme>
            <authscheme name="header">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.HeaderVariableLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options>Header=remote-user</options>
                </loginmodule>
                <priority>5</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.header</frontendtarget>
            </authscheme>
            <authscheme name="guest">
                <loginmodule>
                    <loginModuleName>com.sap.security.core.logon.imp.AnonymousLoginModule</loginModuleName>
                    <controlFlag>OPTIONAL</controlFlag>
                    <options></options>
                </loginmodule>
                <priority>1</priority>
                <frontendtype>2</frontendtype>
                <frontendtarget>com.sap.portal.runtime.logon.anonymous</frontendtarget>
            </authscheme>
            <!-- Reserved 'anonymous' authscheme added for being in the list of authschemes -->
            <authscheme name="anonymous">
                <priority>-1</priority>
            </authscheme>
        </authschemes>
        <!--  References for Authentication Schemes, this section must be after authschemes -->
    <authscheme-refs>
    <authscheme-ref name="default">
    <authscheme>ntlmuidpw</authscheme>
    </authscheme-ref>
    </authscheme-refs>
    </document>
    =============================================================
    I get the following error when I try to go to the portal:
    =========================================================
    Fatal           Error in isAuthSchemeSufficient().
    java.lang.NullPointerException
            at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.isAuthSchemeSufficient(AuthenticationService.java:155)
            at com.sapportals.portal.prt.service.hook.SecurityHookService.doNodeHook(SecurityHookService.java:194)
            at com.sapportals.portal.prt.connection.PortalHook.doNodeHook(PortalHook.java:202)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:138)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:50)
            at com.sapportals.portal.prt.pom.PortalNode.createComponentNode(PortalNode.java:263)
            at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:545)
            at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:208)
            at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:532)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:415)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.InvokerServlet.service(InvokerServlet.java:126)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.RunServlet.runSerlvet(RunServlet.java:149)
            at com.inqmy.services.servlets_jsp.server.ServletsAndJspImpl.startServlet(ServletsAndJspImpl.java:833)
            at com.inqmy.services.httpserver.server.RequestAnalizer.checkFilename(RequestAnalizer.java:665)
            at com.inqmy.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:312)
            at com.inqmy.services.httpserver.server.Response.handle(Response.java:173)
            at com.inqmy.services.httpserver.server.HttpServerFrame.request(HttpServerFrame.java:1229)
            at com.inqmy.core.service.context.container.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:36)
            at com.inqmy.core.cluster.impl5.ParserRunner.run(ParserRunner.java:55)
            at com.inqmy.core.thread.impl0.ActionObject.run(ActionObject.java:46)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.inqmy.core.thread.impl0.SingleThread.run(SingleThread.java:148)
    Feb 3, 2005 5:18:07 PM # Client_Thread_1      Fatal           An error occured during authscheme computation.
    java.lang.NullPointerException
            at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLogonIView(AuthenticationService.java:190)
            at com.sapportals.portal.prt.service.hook.SecurityHookService.doNodeHook(SecurityHookService.java:216)
            at com.sapportals.portal.prt.connection.PortalHook.doNodeHook(PortalHook.java:202)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:138)
            at com.sapportals.portal.prt.pom.factory.ComponentNodeFactory.newInstance(ComponentNodeFactory.java:50)
            at com.sapportals.portal.prt.pom.PortalNode.createComponentNode(PortalNode.java:263)
            at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:545)
            at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:208)
            at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:532)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:415)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.InvokerServlet.service(InvokerServlet.java:126)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
            at com.inqmy.services.servlets_jsp.server.RunServlet.runSerlvet(RunServlet.java:149)
            at com.inqmy.services.servlets_jsp.server.ServletsAndJspImpl.startServlet(ServletsAndJspImpl.java:833)
            at com.inqmy.services.httpserver.server.RequestAnalizer.checkFilename(RequestAnalizer.java:665)
            at com.inqmy.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:312)
            at com.inqmy.services.httpserver.server.Response.handle(Response.java:173)
            at com.inqmy.services.httpserver.server.HttpServerFrame.request(HttpServerFrame.java:1229)
            at com.inqmy.core.service.context.container.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:36)
            at com.inqmy.core.cluster.impl5.ParserRunner.run(ParserRunner.java:55)
            at com.inqmy.core.thread.impl0.ActionObject.run(ActionObject.java:46)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.inqmy.core.thread.impl0.SingleThread.run(SingleThread.java:148)
    =========================================================
    Please Help

    Hi,
    The authscheme you have provided is not valid xml
    End tag 'authscheme' does not match the start tag 'loginmodule'. Error processing resource
    </authscheme>
    --^"
    <authscheme name="ntlmuidpw">
    <!-- multiple login modules can be defined -->
    <loginmodule>
    <loginModuleName>com.sap.security.core.logon.imp.WindowsLoginModule</loginModuleName>
    <controlFlag>SUFFICIENT</controlFlag>
    <options></options>
    </loginmodule>
    <loginmodule>
    <loginModuleName>com.sap.security.core.logon.imp.DefaultLoginModule</loginModuleName>
    <!-- specifying whether this LoginModule is REQUIRED, REQUISITE, SUFFICIENT, or OPTIONAL -->
    <controlFlag>REQUISITE</controlFlag>
    <options></options>
    </loginmodule>
    REMOVE THIS LINE<loginmodule>
    <priority>20</priority>
    <!-- the frontendtype TARGET_FORWARD = 0, TARGET_REDIRECT = 1, TARGET_JAVAIVIEW = 2 -->
    <frontendtype>2</frontendtype>
    <!-- target object -->
    <frontendtarget>com.sap.portal.runtime.logon.certlogon</frontendtarget>
    </authscheme>
    If this is just a copy/paste error, include the exact version of your portal.

  • NTLM authentication fails to connect using webdav on osX

    We are having problems in our organization getting our macs connected via webdav using NTLM authentication.
    Our structure is as follows:
    Netapp/IBM nSeries gateway/filer model n6040 which is our FTP/CIFS/Webdav host.
    Windows Server 2008 R2 Domain Controller with Active Directory
    Windows 7, Mac osX clients (various versions).
    From the windows side, we are able to connect to our filer via FTP, CIFS, and http/Webdav after we authenticate using our AD credentials.  From the Mac side, we can authenticate and connect to our filer using FTP, CIFS (using Connect to Server "smb://ourfiler.com") and through a browser using the address of http://ourfiler.com.  This type of connection using webdav works with Firefox but not using Safari or Chrome but isn't adequate enough for our users since the browser based connection is read only.  However, when we try to Connect to Server via webdav using our server address of http://ourfiler.com:80, we never get past the "Enter your name and password for the server "ourfiler.com." 
    We tried a third party webdav client on our macs: Cyberduck, which also fails to connect using webdav.   We also tried a separate linux client and were able to connect without any problems.
    Since authentication for webdav works on windows and linux, we're thinking there is a problem with osX itself.  Has anyone else had this problem or can anyone suggest any workarounds/solutions?

    Sorry for the late replies gentlemen... for some reason I didn't get email alerts when you guys posted....
    Anyways, yes the DC is on a different subnet and no we don't have WINS.  The way I understand it is the client will contact the master browser in its local subnet... all the master browsers in all other subnets contact the Domain master browser ... and they share the server list this way... I mean it's a little more complicated than that....well to me at least...
    Can you try resolving the short name with the domain controller being on another subnet and you having a different master browser in your client subnet?
    What is the process the client goes thru when looking up Domain netbios name?  Like for DNS, it's straight forward... the client looks at DNS server, then for the SRV records for the Site the client is in and gets domain controller.......   How does this work for netbios domain name?  There is NO WINS in the environment.
    Chau

  • WLS 10.3.3 - Web service - NTLM authentication

    Hi,
    We have generated a web service proxy based on a WSDL file for a .Net web service secured with NTLM authentication.
    Running the code that connects to the web service from a java class main method works fine, but when running the same code from a web application deployed on weblogic server (we have tried both integrated and standalone) we get the following error: com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized.
    Is there something that we should set in weblogic?
    Regards,
    Delia

    Delia,
    We had exactly the same issue and it took ages to resolve! Oracle didn't have a solution so I knuckled down and eventually worked out a solution...
    When running your JAR under WLS you may have noticed that the exception looks like this:
    java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://+your.domain.here+/default.aspx'
    at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
    Notice that it is not using the java.net.HttpURLConnection as you might have expected (and your Java code explicitly imports!), rather it employs weblogic.net.http.HttpURLConnection and there lies the rub.
    As it turns out, it is easy to have your code force the use of the handler you desire.
    Instead of:
    HttpURLConnection http = (HttpURLConnection) new URL(yourURL).openConnection();
    Use:
    URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    Regards,
    Jerome

  • Http method not recognized and ntlm authentication

    Does anybody know why ips signatures fire on ntlm authentication proxy? In our environment we have ISA 2004 and the ips is complaining about http not in rfc specs and http not recognized. Is it possible that ips does not understand ntlm proxy authentication?

    These signatures are policy enforcement signatures. They are firing because the AIC engine has determined that the NTLM proxy application is running a non-web http based protocol on a web port. That will trigger 12674. 12676 is triggered when there is an HTTP request method being seen that is not in the list of acceptable HTTP request methods (listed in 12676 config). Currently, the method list should be considered static, even though it appears that you can add to this list, there are known issues that make updating it unreliable.
    I'd look at the alarms to see if either the attacker or victim address is constant. I'm not sure how it will fire, but if one side is consistently the ISA system, then you can probably implement an alarm channel filter to keep those two signatures from firing with the ISA as the attacker/victim. Personally, I'd consider disabling the signatures since they are not compatible with your network policy.
    WRT to tuning 12676, the entire AIC engine is being actively worked on to improve its robustness and functionality, though no specific release vehicle has been determined--yet.

  • Setting up NTLM authentication

    Hi,
    I have a j2ee component deployed, I want to use NTLM authentication for logon,
    can someone explain how to configure NTLM and use it.
    Regards
    Abhijith YS

    Hi
    It requires some NTLM Proxy modules which contain iisproxy.xml and other files which SAP is no longer providing, so I don't think this method can be used.
    Regards
    Abhijith YS

  • Adobe Flash NTLM Authentication Issue

    This problem is having a major impact for many users in my account.
    The users are testing streaming course ware delivery over the Internet and also hitting the proxy re-login prompt.
    The problem with them is that after re-logging in the course restarts at the beginning.
    So it is not a fit for purpose environment for this application currently.
    The same problem occurs for company webcasts through the Internet.
    Recent tests with the users have confirmed the issue occurs using the following versions of Flash:
    Adobe Flash Player ActiveX 11.1.102.55
    Adobe Flash Player ActiveX 11.1.102.62
    The Shockwave Flash NTLM authentication issue is characterised by the following packet sequence: WS sends Request to Server. Server closes the TCP connection without a response to the request. The WS establishes a new TCP connection and resends the request with previous NTLM Authentication details (i.e. does not go through the correct NTLM handshake for proxy authentication failure and the browser to pop for user credentials).
    When the above occurs,
    NTLM authentication screen popped up, entering credentials again didn't resume video. I had to reload the page to resume video from the beginning.
    No popup, but the video resumes from the beginning when there was a prolonged delay.
    The problem occurs on Windows XP SP3 with IE7 or IE8 with Flash Player 11.1.102.62
    Is the problem a known issue with Adobe Flash Player ?

    Hello,
    The bug report states can not reproduce. I understand the problem and am happy to help Adobe understand if they want to email me and organise a webex.
    The problem is associated with the way IE handles NTLM on a new connection. When performing a POST request, it will make two requests: the first contains a type1 NTLM token and no body, and the second will contain the type 3 token and the body. It does this because it expects to perform NTLM authentication as NTLM is connection not session based, and hence for efficiency, it doesn't send the POST body on the first request (knowing a second request will be required).
    The POST request initiated by the Flash application is only made once, so it presents a POST request and no body with the type 1 token to the web server (ie IIS, or some Java implementation such as SSO Plugin), and does not make a second request with a type 3 token and the body. It gives up and automatically prompts the user for a username/password, which is the wrong behaviour when the browser is in the Local Intranet zone and the web server responded with a type 2 token.
    I can reproduce this easily and it is a serious bug: it means that any Flash application that is accessed via Integrated Windows Authentication and IE will fail when trying to make a POST request, such as uploading a file from the user.
    John
    SSO Plugin for BMC, HP and more.
    http://www.javasystemsolutions.com/jss/ssoplugin
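
The handshake described in the reply above (type 1 on a body-less POST, type 2 from the server, type 3 with the body) can be checked from proxy or capture data by decoding the NTLM token in each auth header. This is an added example, not code from any poster; the event field names and the sample flows are constructed assumptions.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"

def ntlm_type(header_value):
    """Return the NTLM message type (1, 2 or 3) in an auth header value, else None."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]   # little-endian MessageType

def classify_handshake(events):
    """Classify one TCP connection's ordered request/response events."""
    state = "no_ntlm"
    for e in events:
        t = ntlm_type(e.get("auth", ""))
        if e["kind"] == "request" and t == 1:
            state = "stalled_after_type1"
        elif e["kind"] == "response" and t == 2 and state == "stalled_after_type1":
            state = "stalled_after_type2"
        elif e["kind"] == "request" and t == 3 and state == "stalled_after_type2":
            return "complete" if e["body_len"] > 0 else "complete_without_body"
    return state

def token(msg_type):
    """Constructed minimal token: signature and type field only."""
    raw = NTLMSSP + struct.pack("<I", msg_type) + b"\x00" * 4
    return "NTLM " + base64.b64encode(raw).decode()

# Constructed sample events (hypothetical field names), not captured traffic.
IE_FLOW = [
    {"kind": "request", "method": "POST", "auth": token(1), "body_len": 0},
    {"kind": "response", "status": 401, "auth": token(2)},
    {"kind": "request", "method": "POST", "auth": token(3), "body_len": 2048},
    {"kind": "response", "status": 200},
]
FLASH_FLOW = IE_FLOW[:2]   # client never sends the type 3 request with the body

if __name__ == "__main__":
    for name, flow in (("IE", IE_FLOW), ("Flash", FLASH_FLOW)):
        print(name, classify_handshake(flow))
```

A connection that ends in `stalled_after_type2` on a POST matches the failure pattern the reply attributes to Flash: the server answered with a type 2 challenge and the client never followed up.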
