Closed smidt closed 6 years ago
I thought NTLM was already there. @danimo Didn't this get a fix a while ago?
No, only in Qt for the IL branch. @guruz knows more.
Ok. Good to know. Thanks.
Note: Kerberos via Negotiate is a different topic alltogether:
roger that. Note: Made NTLM feature request.
Is this issue about proxy support? if yes please change the topic.
Negotiate
doesn't matter since all proxies seem to support NTLM
too. The NTLM proxy fix will be Qt 5.3.2 or Qt 5.3.3 https://codereview.qt-project.org/#/c/91285/
or earlier if we decide to pick anything into "our" Qt for the owncloud client.
No it is not about proxy support. It is a feature request for the client. But what do you mean by "if we decide to pick anything into "our" Qt for the owncloud client"?
No it is not about proxy support. It is a feature request for the client.
This is not primarily a client bug. It's the server that only offers basic auth. Once it offers more, that's easy to support for us. Please file a respective bug in the core component.
But what do you mean by "if we decide to pick anything into "our" Qt for the owncloud client"?
For Windows, we keep patches on top of Qt and build it ourselves, so we can be flexible.
Ok, i opened an issue at owncloud/core#10682
pushed out to at least 2.4.0
Another up vote for GSSAPI based Kerberos Authentication. It should be coded such that both the Desktop Sync Client, and FireFox with support, can use GSSAPI Kerberos.
Some terminology: ADFS 2.0 (and 3.0) supports multiple authentication types:
Currently, the desktop client only supports FBA and Basic authentication (correct me if I am wrong). In ADFS scenarios this requires adding "Gecko" to the list of WIA supported user agents.
With 9.1 the server supports 2FA and AFAIK the plan is to always use a browser based login for all clients (desktop and mobile) to aquire a device specific token.
Since the client will always open a browser window additional authentication types remain an important feature. Actuall, looking at the above list of authentication types there are two tasks:
@guruz what type exists in the branch mentioned in https://github.com/owncloud/client/issues/2111#issuecomment-53543982
@danimo what is the status of NTLM? I only found http://doc.qt.io/qt-5/qauthenticator.html#ntlm-version-2 Doesn't that mean we can support IWA via NTLMv2? Debugging ADFS and mod_shib reveals that ADFS will request Kerberos auth by sending the WWW-Authenticate: Negotiate
header. I never saw WWW-Authenticate: NTLM
:( Answering myself ... we kind of need kerberos: https://community.dynamics.com/crm/f/117/t/165603
Also https://codereview.qt-project.org/#/c/91285/ has been merged.
About NTLM Qt side: https://codereview.qt-project.org/#/c/91285/ was a fix for proxy authorization. Web server auth (Your WWW-Authenticate
) should already work?
NTLM server side: Just googled https://gist.github.com/JosefJezek/5748211 by @JosefJezek
Kerberos Qt side: Yeah I guess we'd need https://bugreports.qt.io/browse/QTBUG-1538 .. (@peter-ha and @richmoore might know more
About Kerberos server side: This might be an interesting comment for the server side: https://github.com/owncloud/core/issues/10682#issuecomment-226495676 (not sure if this can integrate with Windows, maybe via Samba?).
FYI @ChristophWurst about 2factor comments.
Kerberos is a tiny bit complicated with Apache, FireFox, Samba, and Linux. In the past, Kerberos has been a stand in for Negotiate Authentication for Apache and FireFox. As long as DNS was working right, you could use MIT or Heimdal Kerberos to use Negotiate Authentication in place of Basic Authentication. It was actually Apache and FireFox doing the Authentication, and passing the results on to whatever Nagios/eGroupware/OwnCloud wanted. In FireFox, the server had to be listed as a Trusted URI.
This broke the typical Forms based Login page these applications normally used. If the Kerberos Authentication failed, the server could deny Authentication completely, or fall back to Basic Authentication, it couldn't route back to Forms based Auth.
with Samba 4.x, Samba 4.x is just a Heimdal Kerberos KDC to Apache and FireFox. Treat it accordingly.
We have upgraded version of Qt now, maybe this should work. Please re-open if this still does not work with recent version of the client and and this is still something we need.
With OAuth 2.0, only the default web browser needs to support Kerberos. Clients are authorised using OAuth 2.0.
It would be nice to get NTLM or Kerberos support for the client.