NTLM does not work with IPv6

Aug 5, 2011 at 1:03 PM

I cannot log in with IPv6 and NTLM.

It works with IPv4 with NTLM and Basic authentication. It works with IPv6 and Basic authentication. I can reproduce the problem with Safari, Firefox and IE. To test it with IPv6 I have entered the IPv6 address in the address bar. Only the Safari browser uses IPv6 even if you enter localhost.

Do you have any idea?

Volker


Here is the server log:

Aug 05, 2011 2:51:36 PM waffle.servlet.NegotiateSecurityFilter doFilter
Information: GET null, contentlength: 0
Aug 05, 2011 2:51:36 PM waffle.servlet.NegotiateSecurityFilter doFilter
Information: authorization required

=== hash2:26110244 26110244
Aug 05, 2011 2:52:09 PM waffle.servlet.NegotiateSecurityFilter doFilter
Information: GET /remote/, contentlength: -1
Aug 05, 2011 2:52:09 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
Information: security package: NTLM, connection id: fe80:0:0:0:753d:f544:223b:112c%9:58470
Aug 05, 2011 2:52:09 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
Information: token buffer: 40 byte(s)

Aug 05, 2011 2:52:09 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
Information: continue token: TlRMTVNTUAACAAAAGAAYADgAAAAFgomikYQB/A/i87EAAAAAAAAAALYAtgBQAAAABgByFwAAAA9JAE4ARQBUAFMATwBGAFQAVwBBAFIARQACABgASQBOAEUAVABTAE8ARgBUAFcAQQBSAEUAAQAGAFYAQgA0AAQAJABpAG4AZQB0AHMAbwBmAHQAdwBhAHIAZQAuAGwAbwBjAGEAbAADACwAVgBCADQALgBpAG4AZQB0AHMAbwBmAHQAdwBhAHIAZQAuAGwAbwBjAGEAbAAFACQAaQBuAGUAdABzAG8AZgB0AHcAYQByAGUALgBsAG8AYwBhAGwABwAIADIeI31uU8wBAAAAAA==
Aug 05, 2011 2:52:09 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
Information: continue required: true

Aug 05, 2011 2:52:09 PM waffle.servlet.NegotiateSecurityFilter doFilter
Information: GET /remote/, contentlength: -1
=== hash2:26110244 26110244
Aug 05, 2011 2:52:09 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
Information: security package: NTLM, connection id: fe80:0:0:0:753d:f544:223b:112c%9:58470
Aug 05, 2011 2:52:09 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
Information: token buffer: 448 byte(s)
Aug 05, 2011 2:52:09 PM waffle.servlet.NegotiateSecurityFilter doFilter
Warnung: error logging in user: Der Anmeldeversuch ist fehlgeschlagen.

Coordinator
Aug 6, 2011 at 11:23 PM

This error is 0x8009030c, logon attempt failed. This can mean anything, so I would enable Kerberos logging and see if I can get anything better out of this. Does Negotiate work with IIS with this IPv6 environment, maybe it's not even supposed to?

Aug 8, 2011 at 12:41 PM

With IIS it works with IPv6. Can you reproduce it? What do you mean by Kerberos logging?

Coordinator
Aug 8, 2011 at 2:48 PM

I've never tried this and I don't have an IPv6 network to try. So you're on your own. See these (from the FAQ page).

Troubleshooting Kerberos

Troubleshooting NTLM

Aug 12, 2011 at 9:27 AM

Sorry for the delay in answering.

  • The first link does not produce any events. I think it is because I use NTLM.
  • The second is a large document and I do not know where I should start.
  • The last is only for Windows 7 but I have Vista.

Do you have no Windows 7, Vista or Windows 2008 computer? All these OSes have IPv6 installed by default.

The problem is not a general problem with all IPv6 addresses. It works with [::1] and with the public address.

It fails only with the link-local unicast address, which starts with fe80. The difference is the slot index (percent + number).

You can see it in the connection id in the log. Can this be the problem? What impact does the IP of the underlying socket connection have for WAFFLE?

Aug 16, 2011 at 11:37 AM

Do you have any news on this problem? The only hack that we found is a redirect to a localhost IP address (127.0.0.1 or ::1).

I do not understand what the IP address of the transport channel has to do with the authentication.

Coordinator
Aug 16, 2011 at 12:01 PM

Because Kerberos has a concept of SPN (server principal name) which helps prevent man-in-the-middle attacks. If example.com is not really example.com, you don't want to send a ticket to it.

Aug 16, 2011 at 2:08 PM

But this is an NTLM problem. My understanding is that NTLM does not prevent a man in the middle. If I look at the different tokens then I cannot see any information that is IP related. I see only the host name.
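As an added illustration of that observation (example code written for this thread, not WAFFLE's code and not the poster's): the CHALLENGE token from the server log above, decoded field by field per MS-NLMP. Every string it carries is a NetBIOS or DNS name, plus a timestamp, and the check at the end finds nothing that parses as an IPv4 or IPv6 address; the link-local "connection id" exists only on the socket, not in the token. Assumes nothing beyond the Python standard library.

```python
import base64
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

# CHALLENGE (Type 2) token copied verbatim from the "continue token" line of the log above.
CHALLENGE_B64 = "TlRMTVNTUAACAAAAGAAYADgAAAAFgomikYQB/A/i87EAAAAAAAAAALYAtgBQAAAABgByFwAAAA9JAE4ARQBUAFMATwBGAFQAVwBBAFIARQACABgASQBOAEUAVABTAE8ARgBUAFcAQQBSAEUAAQAGAFYAQgA0AAQAJABpAG4AZQB0AHMAbwBmAHQAdwBhAHIAZQAuAGwAbwBjAGEAbAADACwAVgBCADQALgBpAG4AZQB0AHMAbwBmAHQAdwBhAHIAZQAuAGwAbwBjAGEAbAAFACQAaQBuAGUAdABzAG8AZgB0AHcAYQByAGUALgBsAG8AYwBhAGwABwAIADIeI31uU8wBAAAAAA=="
# AvId values from MS-NLMP 2.2.2.1 (AV_PAIR); ids 1-5 and 9 carry UTF-16LE names.
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
            7: "MsvAvTimestamp", 9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}

def parse_challenge(b64):
    """Decode an NTLM CHALLENGE_MESSAGE into its fixed fields and its AV_PAIR list."""
    msg = base64.b64decode(b64)
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    # Offset 12: TargetNameLen, TargetNameMaxLen, TargetNameBufferOffset, then NegotiateFlags.
    tn_len, _, tn_off, flags = struct.unpack_from("<HHII", msg, 12)
    # Offset 24: 8-byte ServerChallenge; 32: 8 reserved bytes; 40: TargetInfoFields; 48: Version.
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    major, minor, build = struct.unpack_from("<BBH", msg, 48)
    parsed = {"flags": flags, "challenge": msg[24:32].hex(), "version": (major, minor, build),
              "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"), "av_pairs": []}
    pos = ti_off
    while pos < ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        value = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        if av_id in (1, 2, 3, 4, 5, 9):
            value = value.decode("utf-16-le")
        elif av_id == 7:  # FILETIME: 100 ns ticks since 1601-01-01 UTC
            ticks = int.from_bytes(value, "little")
            value = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
        parsed["av_pairs"].append((AV_NAMES.get(av_id, str(av_id)), value))
    return parsed

def address_like_values(parsed):
    """Decoded string fields that parse as an IPv4/IPv6 address (expected: none)."""
    found = []
    for s in [parsed["target_name"]] + [v for _, v in parsed["av_pairs"] if isinstance(v, str)]:
        try:
            found.append(str(ipaddress.ip_address(s)))
        except ValueError:
            pass
    return found
```

The decoded timestamp (12:52:09 UTC) matches the 2:52:09 PM log line at UTC+2, and the Version field reads 6.0.6002, i.e. the Vista SP2 host mentioned later in the thread.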

Coordinator
Aug 16, 2011 at 2:47 PM

You're probably right. But I really don't know much about the actual protocol and why it would fail.