Attached file with ie 11 #196

Closed
Kubik-a opened this issue Oct 22, 2015 · 35 comments

@Kubik-a

Kubik-a commented Oct 22, 2015

Hello,
There is a bug with IE11: it's impossible to add a file to a ticket.

@orthagh
Contributor

orthagh commented Oct 22, 2015

Please indicate your version of GLPI and provide logs (dev tools of your browser - F12, glpi/files/_logs/*.log).
Screenshots could help.

I'm closing this for the moment; re-open with more details.

@orthagh orthagh closed this as completed Oct 22, 2015
@Kubik-a
Author

Kubik-a commented Oct 22, 2015

Hello,
The version of GLPI is 0.90, but it doesn't work with 0.85.4 either.
The problem occurs only with Internet Explorer 11. When I use the enterprise mode of IE11 it works, and with other browsers like Chrome there is no problem.
glpipb

@orthagh orthagh reopened this Oct 22, 2015
@orthagh
Contributor

orthagh commented Oct 22, 2015

Do you have any logs in glpi/files/_logs?

Or in the Apache log?

@Kubik-a
Author

Kubik-a commented Oct 22, 2015

There is no log for this problem in the GLPI directory.
In the Apache log: "POST /glpi/front/fileupload.php?name=filename&showfilesize=1 HTTP/1.1" 401 487

@orthagh
Contributor

orthagh commented Oct 22, 2015

What behavior do you use to "upload" your image?

@orthagh
Contributor

orthagh commented Oct 22, 2015

In my case (on the latest IE11), the upload returns 200.
I think the error is server side; the Apache error log should contain hints.

image

@Kubik-a
Author

Kubik-a commented Oct 22, 2015

Yes, when I try with GLPI on localhost it works. And there is nothing in the Apache error log.
I use drag and drop and "choose file"; neither works.
And with other browsers there is no problem...

@Kubik-a
Author

Kubik-a commented Nov 2, 2015

Here is a thread that discusses the same problem.

http://forum.glpi-project.org/viewtopic.php?id=51564

@orthagh
Contributor

orthagh commented Nov 10, 2015

Found several links on Google that reproduce the issue with other software (and with the same upload plugin):

This seems to be a problem in Internet Explorer and KB2962872

To be sure, do you use NTLM authentication on your instance?

@Kubik-a
Author

Kubik-a commented Nov 13, 2015

We use LDAP connection.

@orthagh
Contributor

orthagh commented Nov 17, 2015

And NTLM auto-logon?

@Kubik-a
Author

Kubik-a commented Nov 17, 2015

Yes, we have NTLM auto-logon. I configured GLPI for SSO.

@orthagh
Contributor

orthagh commented Nov 17, 2015

A KB description that seems to fix this issue:
https://support.microsoft.com/en-us/kb/2980019

Can you confirm you have :

  • KB2962872 installed
  • KB2980019 not installed

@orthagh
Contributor

orthagh commented Nov 17, 2015

Erf, that KB seems to apply only to IE10...

@Kubik-a
Author

Kubik-a commented Nov 18, 2015

So we have to wait for a Microsoft fix?

@orthagh
Contributor

orthagh commented Nov 19, 2015

I just tested with an NTLM environment (Apache + winbind) with IE11.
I reproduced the issue with my IE11 and found a small fix to avoid it:
in your Apache vhost, add these lines:

<location /front/fileupload.php>
   Satisfy Any
</location>

Not sure about the security of this, but it seems to work.

@Kubik-a
Author

Kubik-a commented Feb 11, 2016

Hello,
The solution doesn't work :( Do you have any news about this problem?
I don't know if I put this directive in the right location; I'm not an Apache expert.

@tomolimo
Contributor

Look at this post and read from the following comment, you should be able to find a solution:
#329 (comment)

@Kubik-a
Author

Kubik-a commented Feb 11, 2016

OK, thank you. Can the registry key cause connection problems with software like SharePoint?

@tomolimo
Contributor

We have SharePoint 2007 (in fact MOSS 2007) and I do not notice any problem with it, as NTLM is still working. The registry key only disables pre-fetch authentication, which is a mechanism used by IE (and only IE) to send NTLM authentication to the server from time to time (as soon as one page has been using NTLM).
If the whole site is using NTLM, it will be used without any trouble.
But the main advantage is that IE will not send NTLM requests to GLPI server during ajax file uploads.
regards,
Tomolimo

@Kubik-a
Author

Kubik-a commented Feb 11, 2016

I checked httpd.conf and I have these directives; it's not NTLM like in the other post but SSPI (it's a Windows server).

<Directory "d:/wamp/www/glpi">
    AuthName "Accès restreint"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    require valid-user
</Directory>

@tomolimo
Contributor

SSPI is using NTLM

@tomolimo
Contributor

We are using Windows servers too.
But IIS and not Apache.

@tomolimo
Contributor

Hello,

You may have a look into these docs:
"SSPI definition": https://msdn.microsoft.com/en-us/library/windows/desktop/aa380493%28v=vs.85%29.aspx
"SSPI packages provided by Microsoft": https://msdn.microsoft.com/en-us/library/windows/desktop/aa380502%28v=vs.85%29.aspx
NTLM is in the list, which means SSPI is an API (application programming interface) and NTLM is one of the protocols used for authentication (Kerberos is another, ...).
The Apache module you are using can do Basic, NTLM and Kerberos authentication. The protocol used depends on what the web server accepts (yours accepts Basic, NTLM and probably Kerberos), on what the client is able to provide (IE can do all of these), and also on what is available in your landscape (do you have Active Directory only, or AD + Kerberos?).
Anyway, I don't see in the parameters of your module something like 'Negotiate' (which gives the module the possibility to use either NTLM or Kerberos), so your module is probably forcing NTLM and may provide Basic if not present from the browser.

If you want me to help you in a deeper way, I need your configurations (Server, web server, landscape, ...).

thank you
regards,
Tomolimo

@Kubik-a
Author

Kubik-a commented Feb 12, 2016

Hello,
Thank you for your help. On the web server there is Apache 2.4.9 installed (with WAMP), it's a Windows Server 2008 R2 Standard, and we use only AD in our infrastructure. I configured the .htaccess file in /glpi/.htaccess as follows:

<Files ~ "^$|index.php|login.php">
    AuthName "Accès restreint"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic Off
    require valid-user
</Files>

I added a directive to allow .htaccess in httpd.conf:

<Directory "d:/wamp/www/glpi">
    AllowOverride All
</Directory>

and the registry key DisableNTLMPreAuth on the client.

(If I delete the registry key, sometimes when I upload a document I get this message: "Unauthorized type of file".)

I have tested uploading some documents and it's working (with the registry key). I will do more tests today and give you feedback :)

@tomolimo
Contributor

Hello,
To be sure about all this, you may use Fiddler to spy on network traffic between your browser and the web server. Fiddler is free and acts as a local proxy between browser and web server.
With it you'll see real network traffic; unlike Wireshark, where you can see everything, with Fiddler you'll see HTTP traffic.
regards,
Tomolimo

@Kubik-a
Author

Kubik-a commented Feb 12, 2016

I asked the sysadmin to add the registry key and it's not possible for us :/
Does the problem occur only with NTLM? Is it possible to use another authentication protocol to solve this problem?

Regards,

@tomolimo
Contributor

It occurs only with IE !!!
In fact we are facing a problem with two sides:

  1. NTLM is not correctly managed by Ajax calls within IE.
  2. By default IE will try from time to time to send NTLM authentication tokens to the web server when at least one page has requested NTLM... even if the current page is not requesting NTLM.

The way to prevent first side of the problem is:

  1. to use iFrames to upload files to the web server: this means a complete redesign of the upload framework, this time not using Ajax. Not really practical, and security issues are also involved.

The ways to prevent second side of the problem are:

  1. to use the DisableNTLMPreAuth registry key (see this KB on the Microsoft web site: https://support.microsoft.com/en-us/kb/251404)
  2. to use the new MS Edge browser which behaves correctly
  3. to use Chrome or FireFox
  4. to force your sysadmin to create a GPO to deploy this registry key (very easy)
  5. to use another authentication schema like CAS or mail server, see GLPI 'Setup' 'Authentication' 'Others' (but for this I can't help, sorry), and I'm not sure that you'll be able to use SSO in these cases.
    ...

Regards,
Tomolimo

@Kubik-a
Author

Kubik-a commented Feb 12, 2016

The registry key is the best option (force sysadmin :p). I see in the KB resolution that Microsoft asks to disable Integrated Windows Authentication; is it necessary?

Thank you for your help.

Regards,

@tomolimo
Contributor

Of course the registry key is the best solution, as it allows NTLM to be used only for the files that really need it (index.php and login.php), giving a big gain of speed for the rest (NTLM needs an exchange of three challenge/responses each time).

Regarding the KB, don't apply anything other than the things I've asked for, as this KB doesn't completely apply to our current case.

@Giudy

Giudy commented Feb 25, 2016

For us the registry options didn't work, and neither did Edge.
The solution was to change the authentication method from NTLM to Kerberos,
so we just added
SSPIPackage Negotiate

glpi 0.90.1 on Windows 2008, apache 2.4.4, PHP 5.4.16, NTLM, mod_authnz_sspi

davide

@tomolimo
Contributor

Hello Giudy,
Could you tell me what was the parameter before setting Negotiate?

@Giudy

Giudy commented Feb 25, 2016

Hi, the parameter was simply not present

davide

@tomolimo
Contributor

Then you should re-read the comment: #196 (comment)
in which I explained that Negotiate is mandatory and that it doesn't lead to Kerberos but can also be NTLM.
As a matter of fact, the registry key alone is not the solution for this; the settings of your server are part of it too :)
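
Added example (not part of the thread, and not GLPI or mod_authnz_sspi code): a small Python classifier for the `Authorization` / `WWW-Authenticate` header values seen in a proxy capture such as Fiddler, showing whether a `Negotiate` exchange actually carried Kerberos or NTLM. The function name and the sample tokens are assumptions constructed for this illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"  # signature that starts every NTLM message
# DER OID 1.2.840.113554.1.2.2 (Kerberos V5); GSS-API tokens start with tag 0x60
OID_KERBEROS = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value):
    """Return (scheme, protocol, detail) for an Authorization or WWW-Authenticate value."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() == "basic":
        return (scheme, "basic", "credentials are only base64-encoded")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return (scheme, "other", "not an SSPI scheme")
    if not rest.strip():
        return (scheme, "offer", "scheme offered without a token")
    try:
        token = base64.b64decode(rest.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "invalid", "token is not valid base64")
    # An NTLM message may be sent raw or wrapped in a SPNEGO token.
    pos = token.find(NTLM_SIG)
    if pos >= 0 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        wrap = "raw" if pos == 0 else "inside SPNEGO"
        return (scheme, "ntlm", f"{NTLM_TYPES.get(msg_type, 'unknown')} message, {wrap}")
    if token[:1] == b"\x60" and OID_KERBEROS in token:
        return (scheme, "kerberos", "GSS-API token naming the Kerberos mechanism")
    return (scheme, "unknown", "unrecognised token")


def b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample tokens (not captured traffic, not complete valid messages).
NTLM_TYPE1 = NTLM_SIG + struct.pack("<II", 1, 0x00088207)
SAMPLES = {
    "raw_ntlm": "NTLM " + b64(NTLM_TYPE1),
    "negotiate_ntlm": "Negotiate " + b64(NTLM_TYPE1),
    "negotiate_wrapped_ntlm": "Negotiate " + b64(b"\x60\x0c" + NTLM_TYPE1),
    "negotiate_kerberos": "Negotiate " + b64(b"\x60\x0b" + OID_KERBEROS),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_auth_header(header))
```

A `Negotiate` header whose token decodes to an `NTLMSSP` message means the exchange fell back to NTLM even though the `Negotiate` package is configured on the server.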

@Giudy

Giudy commented Feb 25, 2016

Ach, yep, yes I did miss that comment!

Thanks

davide
