Attached file with ie 11

[Kubik-a]

Hello,
There is a bug with ie11, it's impossible to add a file in a ticket.

[orthagh]

Please, indicate your version of glpi and logs (dev tools of your browser - F12, glpi/files/_logs/*.log).
Screenshots could help.

I close for the moment, re-open with precisions

[Kubik-a]

Hello,
The version of GLPI is 0.90 but with the 0.85.4 it doesn't work too.
The problem is only with internet explorer 11 , when i use enterprise mode of IE11 it works and with other bowser like chrome there is no problem.

[orthagh]

Do you have some logs in glpi/files/_logs ?

or in apache log ?

[Kubik-a]

There is no log for this problem in the GLPI directory
In Apache log : "POST /glpi/front/fileupload.php?name=filename&showfilesize=1 HTTP/1.1" 401 487

[orthagh]

What behavior do you use to "upload" your image ?

[orthagh]

In my case (on the last IE11)
upload returns 200.
I think error is server side, apache error log should contains hints

[Kubik-a]

Yes when i try with GLPI in localhost it works. And there is nothing in Apache error log.
I use Drag and Drog and choose file, both doesn"t work.
And with other browser there is no problem...

[Kubik-a]

Voici un sujet qui parle du même problème.

http://forum.glpi-project.org/viewtopic.php?id=51564

[orthagh]

Found several links on google who reproduces the issue on another softwares (and with the same plugin for upload) :

• https://connect.microsoft.com/IE/feedback/details/819941/file-upload-stop-working-on-ie-with-windows-authentication
• http://stackoverflow.com/questions/24735849/ie11-hangs-during-file-upload-with-ajaxfileupload

This seems to be a problem in Internet Explorer and KB2962872

To be sure, do you ntml authentication on your instance ?

[Kubik-a]

We use LDAP connection.

[orthagh]

and NTLM auto-logon ?

[Kubik-a]

Yes we have NTLM auto-logon. I configure GLPI for SSO

[orthagh]

a kb description who seems fix this issue :
https://support.microsoft.com/en-us/kb/2980019

Can you confirm you have :

• KB2962872 installed
• KB2980019 not installed

[orthagh]

erf, that kb seems to apply only for IE10...

[Kubik-a]

So we have to wait for a Microsoft corrective ?

[orthagh]

I just tested with an ntlm environment (apache+winbind) with IE11
I reproduced the issue with my ie11 and found a small fix to avoid it:
in your apache vhost, add these lines :

<location /front/fileupload.php>
   Satisfy Any
</location>

Not sure about the security of this, but it seems working

[Kubik-a]

Hello,
The solution doesn't work :( Do you have some news about this problem ?
I don"t know if i put this directive in the good location, i'm not an expert of Apache.

[tomolimo]

Look at this post and read from the following comment, you should be able to find a solution:
#329 (comment)

[Kubik-a]

Ok thank you , Does the registry key can cause connection problems with software like SharePoint ?

[tomolimo]

We have Sharepoint 2007 (in fact MOSS 2007) and I do not notice any problem with it as NTLM is still working. The registry key only disables pre-fetch-authentication which is a mechanism used by IE (and only IE) to from time to time sends NTLM authentication to server (as soon as one page as been using NTLM).
If the whole site is using NTLM, it will be used without any troubles.
But the main advantage is that IE will not send NTLM requests to GLPI server during ajax file uploads.
regards,
Tomolimo

[Kubik-a]

I check in httpd.conf and i have those directive, it's not NTLM like in the other post but SSPI ( it's a windows server )

<Directory "d:/wamp/www/glpi">
AuthName "Accès restreint"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
require valid-user

[tomolimo]

SSPI is using NTLM

[tomolimo]

We are using Windows servers too.
But IIS and not Apache.

[tomolimo]

Hello,

You may have a look into these docs:
"SSPI definition": https://msdn.microsoft.com/en-us/library/windows/desktop/aa380493%28v=vs.85%29.aspx
"SSPI packages provided by Microsoft": https://msdn.microsoft.com/en-us/library/windows/desktop/aa380502%28v=vs.85%29.aspx
NTLM is in the list: means SSPI is an API (application programming interface) and NTLM is one of the protocols used for authentication (Kerberos is another,...).
The Apache module you are using can do Basic, NTLM and Kerberos authentications. The used protocol depends on what the web server accept (yours accepts Basic, NTLM and probably Kerberos), and depends on what the client is able to provide (IE can do all of these), and depends also on what is available in your landscape (Do you have Active Directory only or AD + Kerberos?).
Anyway I don't see in the parameters of your module something like 'Negotiate' (which gives the module the possibility to use either NTLM or Kerberos), then probably your module is forcing NTLM and may provide Basic if not present from browser.

If you want me to help you in a deeper way, I need your configurations (Server, web server, landscape, ...).

thank you
regards,
Tomolimo

[Kubik-a]

Hello,
Thank you for your help, on the web server there is Apache 2.4.9 installed ( with wamp ), it's a Windows server 2008 R2 Standard, we use only AD in our infrastructure. I configure the .htaccess file in /glpi/.htaccess as follow :

<Files ~ "^$|index.php|login.php"> AuthName "Accès restreint" AuthType SSPI SSPIAuth On SSPIAuthoritative On SSPIOfferBasic Off require valid-user </Files>

I add directive to allow .htaccess in httpd.conf:

<Directory "d:/wamp/www/glpi"> AllowOverride All </Directory>

and the registry key : DisableNTLMPreAuth on the client

( If i delete the registry key , sometimes when i upload a document, i have this message " Unauthorized type of file " )

I have test to upload some document and it's working ( with the registry key ) , i will do more test today and give you a feedback :)

[tomolimo]

Hello,
To be sure about all these, you may use Fiddler to spy network traffic between your browser and the web server. Fiddler is free and acts as a local proxy between browser and web server.
With it you'll see real network traffic, not like Wireshark where you can see everything, with Fiddler you'll see HTTP traffic.
regards,
Tomolimo

[Kubik-a]

I ask to the sysadmin to add the registry key and it's not possible for us :/
The problem occured only with NTLM ? Is it possible to use an other Authentification protocol to solve this problem ?

Regards,

[tomolimo]

It occurs only with IE !!!
In fact we are facing a problem with two sides:

1. NTLM is not correctly managed by Ajax calls within IE.
2. by default IE will try from times to times to send NTLM authentication tokens to the web server when at least one page has requested NTLM... Even if the current page is not requesting NTLM.

The way to prevent first side of the problem is:

1. to use iFrames to upload files to web server: this means complete redesign of the upload framework, and this times not using Ajax. Not really practical. and security issues are also involved.

The ways to prevent second side of the problem are:

1. to use the DisableNTLMPreAuth registry key (see this KB on Microsoft web site (https://support.microsoft.com/en-us/kb/251404)
2. to use the new MS Edge browser which behaves correctly
3. to use Chrome or FireFox
4. to force your sysadmin to create a GPO to deploy this registry key (very easy)
5. to use another authentication schema like CAS or mail server, see GLPI 'Setup' 'Authentication' 'Others' (but for this I can't help, sorry), and I'm not sure that you'll be able to use SSO in these cases.
   ...

Regards,
Tomolimo

[Kubik-a]

The registry key is the best option ( force sysadmin :p ). I see in the KB resolution that Microsoft ask to disable Integrated Windows Authentication , is it necessary ?

Thank you for your help.

Regards,

[tomolimo]

Of course the registry key is the best solution as it permits to use NTLM only for the files that really need it (index.php and login.php), such having a big gain of speed for the rest. (NTLM needs an exchange of three challenge/response each time).

Regarding KB, don't apply anything else than things I've asked for, as this KB doesn't completely apply to our current case.

[Giudy]

For us the registry options didn't work and neither edge.
The solution was to change the authentication method from NTLM to Kerberos
so we just did add
SSPIPackage Negotiate

glpi 0.90.1 on Windows 2008, apache 2.4.4, PHP 5.4.16, NTLM, mod_authnz_sspi

davide

[tomolimo]

Hello Giudy,
Could you tell me what was the parameter before setting Negotiate?

[Giudy]

Hi, simply the parameter was no present

davide

[tomolimo]

then you should re-read the comment: #196 (comment)
In which I explained that Negotiate is mandatory and that it doesn't lead to Kerberos but can also be NTLM.
as a matter of fact the registry key is not alone the solution for these, but also are the settings of your server :)

[Giudy]

ach, yep, yes I did miss that comment !

thanx

davide