Discussion:
Will NTLM authentication ever work?
Gary Mills
2004-01-07 20:28:08 UTC
I'm using SASL 2.1.15 CVS 2003-07-25 with Cyrus IMAP. I did a test
with Outlook Express 6 on Windows 2000 by selecting `secure password
authentication'. I was logged in with the correct account. OE6 kept
prompting me for my username and password, which I supplied. The IMAP
log looked like this:

Jan 4 19:27:11 electra imapd[26747]: [ID 824502 local6.notice] badlogin: [24.76.17.66] NTLM [SASL(-13): authentication failure: incorrect NTLM responses]
Jan 4 19:27:19 electra imapd[26747]: [ID 824502 local6.notice] badlogin: [24.76.17.66] NTLM [SASL(-13): authentication failure: incorrect NTLM responses]

This apparently means that my username or password was incorrect.
The code in ntlm.c seems to do the comparison correctly. Which secret
in sasldb2 is supposed to be used for this? I seem to have a whole
bunch: cmusaslsecretPLAIN cmusaslsecretDIGEST-MD5 cmusaslsecretCRAM-MD5
userPassword. Am I perhaps missing some configuration setting for NTLM?
SASL was built like this:

env LDFLAGS="-R/usr/local/lib" \
CC=cc \
./configure \
--localstatedir=/var/run \
--with-dblib=berkeley \
--with-bdb-libdir=/usr/local/src/db/db-3.1.17/build_unix \
--with-bdb-incdir=/usr/local/src/db/db-3.1.17/build_unix \
--with-saslauthd=/var/run/saslauthd \
--with-ipctype=doors \
--disable-checkapop \
--with-openssl=/usr/local/src/OpenSSL/openssl-0.9.6h \
--disable-otp \
--enable-login \
--enable-ntlm \
--disable-krb4 \
--disable-gssapi

It works for other mechanisms.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
Andreas
2004-01-07 20:50:07 UTC
Post by Gary Mills
I'm using SASL 2.1.15 CVS 2003-07-25 with Cyrus IMAP. I did a test
with Outlook Express 6 on Windows 2000 by selecting `secure password
authentication'. I was logged in with the correct account. OE6 kept
I also had problems with this, but, first of all, does the imtest program
work with ntlm?
Gary Mills
2004-01-07 23:16:08 UTC
Post by Andreas
Post by Gary Mills
I'm using SASL 2.1.15 CVS 2003-07-25 with Cyrus IMAP. I did a test
with Outlook Express 6 on Windows 2000 by selecting `secure password
authentication'. I was logged in with the correct account. OE6 kept
I also had problems with this, but, first of all, does the imtest program
work with ntlm?
Thanks for the suggestion. Yes, it works with imtest...

# ./imtest -m ntlm -a mills localhost
S: * OK cc.umanitoba.ca Cyrus IMAP4 v2.1.14 server ready
C: C01 CAPABILITY
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=NTLM AUTH=DIGEST-MD5 AUTH=CRAM-MD5
S: C01 OK Completed
C: A01 AUTHENTICATE NTLM
S: +
C: Tl...
S: + Tl...
Please enter your password:
C: Tl...
S: A01 OK Success (no protection)
Authenticated.
Security strength factor: 0
. logout
* BYE LOGOUT received
. OK Completed
Connection closed.

Here's some snoop output from my NAT router when I tested it with
Windows 2K the other day...

amore -> electra.cc.umanitoba.ca IMAP C port=1044
electra.cc.umanitoba.ca -> amore IMAP R port=1044
amore -> electra.cc.umanitoba.ca IMAP C port=1044
electra.cc.umanitoba.ca -> amore IMAP R port=1044 * OK cc.umanitoba.ca
amore -> electra.cc.umanitoba.ca IMAP C port=1044 000J CAPABILITY\r\n
electra.cc.umanitoba.ca -> amore IMAP R port=1044
electra.cc.umanitoba.ca -> amore IMAP R port=1044 * CAPABILITY IMAP4 I
amore -> electra.cc.umanitoba.ca IMAP C port=1044 000K AUTHENTICATE NT
electra.cc.umanitoba.ca -> amore IMAP R port=1044
amore -> electra.cc.umanitoba.ca IMAP C port=1044 Tl...
electra.cc.umanitoba.ca -> amore IMAP R port=1044 + Tl...
amore -> electra.cc.umanitoba.ca IMAP C port=1044 Tl...
electra.cc.umanitoba.ca -> amore IMAP R port=1044
electra.cc.umanitoba.ca -> amore IMAP R port=1044 000K NO authenticati

It looks similar to me.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-
Ken Murchison
2004-01-07 20:50:58 UTC
Post by Gary Mills
I'm using SASL 2.1.15 CVS 2003-07-25 with Cyrus IMAP. I did a test
You should upgrade to 2.1.17. I made a lot of changes since 2.1.15,
including support for NTLMv2 responses, which may be your problem. Of
course, I thought you had to change a registry setting in order to have
Win32 boxes use NTLMv2 responses.

I just tested 2.1.17 with OE 6 on my Win2k box (again) and it worked fine.
Post by Gary Mills
with Outlook Express 6 on Windows 2000 by selecting `secure password
authentication'. I was logged in with the correct account. OE6 kept
prompting me for my username and password, which I supplied. The IMAP
Jan 4 19:27:11 electra imapd[26747]: [ID 824502 local6.notice] badlogin: [24.76.17.66] NTLM [SASL(-13): authentication failure: incorrect NTLM responses]
Jan 4 19:27:19 electra imapd[26747]: [ID 824502 local6.notice] badlogin: [24.76.17.66] NTLM [SASL(-13): authentication failure: incorrect NTLM responses]
This apparently means that my username or password was incorrect.
The code in ntlm.c seems to do the comparison correctly. Which secret
in sasldb2 is supposed to be used for this? I seem to have a whole
bunch: cmusaslsecretPLAIN cmusaslsecretDIGEST-MD5 cmusaslsecretCRAM-MD5
userPassword.
It uses userPassword. The other secrets should have been automatically
removed once userPassword was set.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
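The two points in this thread, that the "Tl..." tokens in the imtest and snoop transcripts are base64 NTLM messages and that the fix was NTLMv2 response support, can both be checked from a capture without touching the server. What follows is an added example, not code from the thread or from Cyrus SASL: it decodes the three NTLM message types and, for a Type 3 (authenticate) message, reports whether the NT response is NTLMv1 (a 24-byte DES-based response) or NTLMv2 (a 16-byte HMAC-MD5 followed by a blob, so longer than 24 bytes), which is the distinction Ken's change added. The sample tokens are constructed here from filler response bytes, a constructed domain name and a minimal flag set; they are not the truncated tokens from the transcript and are not valid responses to any challenge. Field offsets follow the MS-NLMP message layouts.

```python
"""Decode base64 NTLM tokens from an IMAP AUTHENTICATE NTLM exchange and
classify a Type 3 message as carrying NTLMv1 or NTLMv2 responses.
Added example; sample messages below are constructed, not captured."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# Assumption: minimal flag set, NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM.
MINIMAL_FLAGS = 0x00000201


def _field(data: bytes, offset: int) -> bytes:
    """Read an NTLM security buffer descriptor (Len, MaxLen, Offset) and return its payload."""
    length, _maxlen, off = struct.unpack_from("<HHI", data, offset)
    return data[off:off + length]


def _utf16(buf: bytes) -> str:
    return buf.decode("utf-16-le", errors="replace")


def parse_ntlm_token(b64: str) -> dict:
    """Decode one base64 NTLM token (the 'Tl...' lines) into its interesting fields."""
    data = base64.b64decode(b64)
    if data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    info = {"type": msg_type}
    if msg_type == 1:                       # NEGOTIATE: client -> server
        (info["flags"],) = struct.unpack_from("<I", data, 12)
    elif msg_type == 2:                     # CHALLENGE: server -> client
        info["target"] = _utf16(_field(data, 12))
        (info["flags"],) = struct.unpack_from("<I", data, 20)
        info["server_challenge"] = data[24:32].hex()
    elif msg_type == 3:                     # AUTHENTICATE: client -> server
        lm = _field(data, 12)
        nt = _field(data, 20)
        info["domain"] = _utf16(_field(data, 28))
        info["user"] = _utf16(_field(data, 36))
        info["workstation"] = _utf16(_field(data, 44))
        info["lm_response_len"] = len(lm)
        info["nt_response_len"] = len(nt)
        # NTLMv1 NT response is exactly 24 bytes; NTLMv2 is 16-byte HMAC + blob, so longer.
        info["ntlm_version"] = "v2" if len(nt) > 24 else "v1"
    return info


def build_type2(target: str, server_challenge: bytes) -> bytes:
    """Assemble a CHALLENGE message (constructed sample; no TargetInfo)."""
    target_b = target.encode("utf-16-le")
    header_len = 48                         # signature, type, target desc, flags, challenge, reserved, targetinfo desc
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target_b), len(target_b), header_len)
            + struct.pack("<I", MINIMAL_FLAGS) + server_challenge + b"\x00" * 8
            + struct.pack("<HHI", 0, 0, header_len + len(target_b))
            + target_b)


def build_type3(user: str, domain: str, workstation: str,
                lm_response: bytes, nt_response: bytes) -> bytes:
    """Assemble an AUTHENTICATE message around given (constructed, not computed) response bytes."""
    fields = [lm_response, nt_response,
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]      # empty session key
    header_len = 8 + 4 + 8 * len(fields) + 4           # = 64, payload starts here
    descriptors, payload = b"", b""
    for f in fields:
        descriptors += struct.pack("<HHI", len(f), len(f), header_len + len(payload))
        payload += f
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", MINIMAL_FLAGS) + payload)


# Constructed sample tokens: user from the imtest command, workstation from the snoop
# output, domain made up, response bytes are filler of the right lengths.
T2_TOKEN = base64.b64encode(build_type2("electra", b"\x01" * 8)).decode()
V1_TOKEN = base64.b64encode(
    build_type3("mills", "EXAMPLE", "amore", b"\x11" * 24, b"\x22" * 24)).decode()
V2_TOKEN = base64.b64encode(
    build_type3("mills", "EXAMPLE", "amore", b"\x33" * 24, b"\x44" * 16 + b"\x55" * 40)).decode()

if __name__ == "__main__":
    for label, tok in (("type2", T2_TOKEN), ("v1", V1_TOKEN), ("v2", V2_TOKEN)):
        print(label, parse_ntlm_token(tok))
```

Run against the full tokens from a capture (the transcript above truncates them to "Tl..."), a Type 3 reporting `ntlm_version: v2` from a client talking to a SASL older than 2.1.17 explains an "incorrect NTLM responses" failure on its own. The `userPassword` point also follows from the format: the server verifies a response by recomputing it from the NT hash, which is MD4 over the UTF-16LE password, so it needs the plaintext secret rather than a mechanism-specific digest such as cmusaslsecretCRAM-MD5.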
Gary Mills
2004-05-24 01:55:13 UTC
Post by Ken Murchison
Post by Gary Mills
I'm using SASL 2.1.15 CVS 2003-07-25 with Cyrus IMAP. I did a test
You should upgrade to 2.1.17. I made a lot of changes since 2.1.15,
including support for NTLMv2 responses, which may be your problem. Of
course, I thought you had to change a registry setting in order to have
Win32 boxes use NTLMv2 responses.
I just tested 2.1.17 with OE 6 on my Win2k box (again) and it worked fine.
Yes, indeed. I just upgraded to 2.1.18, and NTLM authentication
has started working with OE. That will be nicer for users who
accidentally select `use secure password authentication'.
--
-Gary Mills- -Unix Support- -U of M Academic Computing and Networking-