GNOME Bugzilla – Bug 302183
Unable to login to OWA due to incorrect domain in NTLM authentication
Last modified: 2005-06-08 15:09:03 UTC
Please describe the problem: Attempts to setup a new Exchange account fail with "authentication failed". I am using a http://exchangeserver.example.com/exchange/ URL and a DOMAINNAME\USERNAME username. I was able to sniff HTTP traffic and track the problem down to an incorrect domain being passed inside NTLM authentication header. Steps to reproduce: This information was obtained using Ethereal which is able to show details of NTLM headers on non-SSL URLs. Using a regular browser, I am able to login to OWA using "DOMAINNAME\USERNAME" as my username and Ethereal shows: Domain name: DOMAINNAME User name: USERNAME While recording same traffic from Evolution, using same "DOMAINNAME\USERNAME" as my username, Ethereal shows: Domain name: DOMAINNAME\USERNAME User name: USERNAME so it appears that username is being inadvertently passed inside "domain name" field of NTLM. Actual results: Authentication fails, unable to establish account. Expected results: Does this happen every time? Yes. Have tried various combinations for my username withou success. Problem persists on both HTTP and HTTPS URL's. Other information: Evolution 2.2.2 on Fedora Core 4 dev, evolution-connector 2.2.0 and 2.2.2 Observed both in account wizard from within Evolution and in /usr/bin/ximian-connector-setup.
I was faced with this same problem, and I verified what was being sent to the server with Ethereal, like you did. I changed the authentication to Plaintext and it worked, but that isn't acceptable. In order to get "Secure" authentication, I had to remove the domain extension of the user name. There appears to be a second try in the authentication algorithm that will then try with the discovered domain name, and the simnple user name, which works. I again switched back to plaintext to verify that it still works. Perhaps the code for handling the user name needs to detect domain-extended user names (in case the user's email account is in a different domain than their workstation), and override the discovered domain name with whatever the user specifies. Then all cases would work. I'm using Evolution 2.2.1-1, and connector 2.2.1.
I'm having the same problem, but since I'm in a multi-domain environment, the default domain doesn't work for me (it's different from the one it should be) ... I can see while sniffing browser traffic, setting the domain to NULL works, but how can this be achieved in the code ?
Hi, I've been further tracing the problem, and I think this bug should be reclassified for the libsoup product ... in "soup-connection-ntlm.c" static void ntlm_authorize_pre (SoupMessage *msg, gpointer user_data) { --- char* slashagain; --- slash = strpbrk (domain_username, "\\/"); if (slash) { g_free (domain); domain = g_strdup (domain_username); // add the following 2 lines to remove the username from the doamin var !! slashagain = strpbrk (domain, "\\/"); slashagain[0]='\0'; // username = slash + 1; } else username = domain_username; Greetz, Jeroen
*** This bug has been marked as a duplicate of 306877 ***