#181 NTLM: Unexpected RuntimeExeption

open
nobody
None
5
2011-07-14
2011-03-10
Steiner
No

Redmine 1.1.0, Rails 2.3.5, Redmine-Mylyn-Plugin 2.7.1 stable, Eclipse-Plugin 0.2.0, Eclipse 3.6.0

When I try to create a connection from the plugin and click on validate I get the error "Execution of method failed - unexpected RuntimeException". It pops up almost instantly, so I'm not sure whether it got to Redmine at all.

The error is the same no matter what credentials I provide (username or API-Key, with or without Http-Authent).

Additional: I could not find a log entry for this error in the Eclipse log. Where should I look to get some more details?

My Redmine-Install runs inside an Apache with mod_auth_sspi, but Basic Auth is enabled, too.

Discussion

  • Steiner
    2011-03-10

    I found the logfile, here's the error message:

    2011-03-10 11:01:38,659 DEBUG n.s.r.i.a.c.AbstractClient Execute HTTP GET-Method /redmine/mylyn/version key=390[...]
    2011-03-10 11:01:38,737 DEBUG n.s.r.i.a.c.AbstractClient Execute HTTP GET-Method /redmine/mylyn/version key=390[...]&key=390[...]
    2011-03-10 11:01:38,768 ERROR n.s.r.i.a.c.AbstractClient Execution of method failed - unexpected RuntimeException Authentication state already initialized
    java.lang.IllegalStateException: Authentication state already initialized
    at org.apache.commons.httpclient.auth.AuthState.setPreemptive(AuthState.java:120) ~[na:na]
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:162) ~[na:na]
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[na:na]
    at org.eclipse.mylyn.commons.net.WebUtil$2.execute(WebUtil.java:333) ~[na:na]
    at org.eclipse.mylyn.commons.net.WebUtil$2.execute(WebUtil.java:1) ~[na:na]
    at org.eclipse.mylyn.internal.commons.net.MonitoredRequest.call(MonitoredRequest.java:51) ~[na:na]
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source) ~[na:1.6.0_23]
    at java.util.concurrent.FutureTask.run(Unknown Source) ~[na:1.6.0_23]
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source) ~[na:1.6.0_23]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) ~[na:1.6.0_23]
    at java.lang.Thread.run(Unknown Source) ~[na:1.6.0_23]

     
  • Sven Krzyzak
    2011-03-15

    > My Redmine-Install runs inside an Apache with mod_auth_sspi, but Basic Auth is enabled, too.
    Where is Basic Auth enabled ?

     
  • Steiner
    2011-03-16

    Some background info on this setting may be useful: I tried to get Single-Sign-On for my Redmine-Server with NTLM using the guide found here: http://www.redmine.org/boards/2/topics/127#message-931

    After some trying this works with the browser just as expected, removing the need to enter username/password in Redmine by using the already existing windows logon.
    Then I tried the option "SSPIOfferBasic on" in httpd.conf. This setting offers Basic Auth too, but ONLY if NTLM fails.

    But: HttpClient seems NOT to fail with NTLM and is therefore already authenticated (so no Basic Auth), but still tries to use preemptive auth - which then causes the exception. I guess a connection without preemptive auth might work.

    In the meantime I found a workaround: using Virtual Hosts I managed to provide 2 links to Redmine: Host 1 authenticates using NTLM and Apache, Host 2 uses the normal Redmine-Login. Using Host 2 I can connect just fine, but need to enter my user credentials - not exactly the result I tried to achieve by using NTLM.

     
  • Sven Krzyzak
    2011-03-16

    The most important: I have absolutely no experience with NTLM.

    > I guess a connection without preemptive auth might work.
    This may be working for you, however for all others I need the preemptive auth.
    Redmine doesn't send a 401; Redmine shows less information if we are not authenticated.

    > ... Virtual Hosts I managed to
    > provide 2 links to Redmine: Host 1 authenticates using NTLM and Apache,
    > Host 2 uses the normal Redmine-Login. Using Host 2 I can connect just fine,
    > but need to enter my user credentials - not exactly the result I tried to
    > achieve by using NTLM.
    I'm not sure that I understand you right, but where is the difference?
    using host 2 - HttpClient must send Basic Auth Header
    using host 1 - HttpClient must send NTLM Credentials
    In both cases you must enter this information.

    What happens, when you remove the line
    require valid-user
    from your apache config?

     
  • Steiner
    2011-03-17

    My NTLM "experience" is limited to what I learned during the ongoing installation, which obviously is not much.

    Maybe you could add a catch block which catches the aforementioned exception and then tries again without preemptive auth.

    The difference between Hosts 1 and 2 is: NTLM-Credentials for Host 1 are sent automatically and are not meant to be entered by the user. For example using Subversive I can commit to SVN without having to enter any credentials as they are already set automatically (although the plugin keeps asking for them :-( ).

    If the Redmine-Connector sends additional credentials via preemptive auth, the server seems to respond that these are not necessary as the client is already authenticated - causing HttpClient to throw an exception which in turn prevents the Redmine-Connector from going further.

    Host 2 does not use NTLM but needs user provided credentials for the normal Redmine-Login. Therefore the Redmine-Connector works, as this is the standard way of authenticating a Redmine user, but the user has to make sure he changes the credentials every time he changes his Windows-Password (as both Logins are based on the same DomainController), risking Windows-Lockout if he forgets to do this and the connector tries multiple times with the old password.

    About your last suggestion: If I remove require valid-user, NTLM does not work any more. I guess it's because the browser is not challenged with NTLM-Login and therefore does not send the required credentials.

     
  • Sven Krzyzak
    2011-03-17

    > If the Redmine-Connector sends additional credentials via
    > preemptive auth, the server seems to respond that these
    > are not necessary as the client is already authenticated
    > - causing HttpClient to throw an exception which in
    > turn prevents the Redmine-Connector from going further.

    Can you capture this response (i.e. with a network sniffer) and send me via email? I will see what I can do.

     
  • Steiner
    2011-03-18

    Ok, I enlisted the help of a colleague to capture the response as you suggested. Other than I expected, the actual response was "HTTP/1.1 401 Authorization Required". It looks like I was misled by the exception text into believing NTLM actually worked.

    With the new assumption that this was not the case, some more tries with different credentials showed that enabling "Http Authentication" + API-Key actually works if provided with domain\username instead of just username.

    So the current state is: even without the VirtualHost workaround I can now get the connector to work by manually providing the correct credentials with domainname\username + password. So no NTLM for Redmine Connector for now <sniff>...

    I guess I should stop wasting your time and start to accept this fact.

    If you have any ideas at hand, I'd be most happy to try them. Otherwise I think we can close this bug.

     
  • Sven Krzyzak
    2011-03-21

    > ... actual response was "HTTP/1.1 401 Authorization Required".
    and the connector assumes, that the provided credentials are invalid

    When you disable SSPIOfferBasic and I send you a version without any authentication mechanism, could this work?

     
  • Steiner
    2011-03-22

    I certainly would like to give it a try.

     
  • Sven Krzyzak
    2011-03-22

    I attached a modified version.

     
  • Steiner
    2011-03-23

    Unfortunately it did not work. Instead of "Authentication state already initialized" I now get error 401.

    Some further research suggests that NTLM is supported in HttpClient starting with version 4.1 (http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html) but looking at the jars I can only find version 3.1. Mylyn seems to be currently preparing an upgrade to 4.1, so maybe I'll just have to wait until then as your plugin seems to use the HttpClient through Mylyn.

     
  • Steiner
    2011-03-23

    I played around with the network sniffer some more and maybe I got the whole thing wrong. If I provide the right credentials in the section Http Authentication in the plugin configuration, the plugin uses these to provide NTLM(!) Authentication instead of basic: "User-Agent: Jakarta Commons-HttpClient/3.1 Authorization: NTLM"

    I guess my mistake was that I supposed NTLM would work the same way as it does in the browser by using the already logged-in user without asking for a password.

    Instead I have to provide the data manually, but the plugin uses these credentials to build an NTLM-authentication.

    Not exactly what I wanted - because the user has to remember changing the connector settings whenever he changes his password otherwise he might get locked out because of too many wrong logins.

    But as far as I can see now, I can't get any more convenience in the near future, because even the HttpClient 4.1 documentation seems to depend on user provided credentials for NTLM.

     
  • Sven Krzyzak
    2011-07-14

    • summary: Unexpected RuntimeExeption --> NTLM: Unexpected RuntimeExeption
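
The end state of the thread (Commons HttpClient 3.1 building NTLM from a user-supplied domain\username and password) can be reproduced outside the connector as below. This is an added example, not code from the plugin or from Mylyn; the host name, port, class name, the choice to answer only NTLM challenges and the single-attempt behaviour are assumptions made for illustration.

```java
import java.io.Console;
import java.net.InetAddress;
import java.util.Collections;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.NTCredentials;
import org.apache.commons.httpclient.auth.AuthPolicy;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

// Added example (not the connector's code). Needs commons-httpclient 3.1 on the classpath.
public class NtlmValidate {
    public static void main(String[] args) throws Exception {
        String server = "redmine.example.test";   // hypothetical host, assumed on port 80
        String account = args.length > 0 ? args[0] : "";   // e.g. EXAMPLE\jdoe
        int sep = account.indexOf('\\');
        Console console = System.console();
        if (sep < 1 || sep == account.length() - 1 || console == null) {
            // In the thread a bare username was rejected; NTLM needs the domain part.
            System.err.println("usage: NtlmValidate DOMAIN\\username (from a terminal)");
            System.exit(2);
        }
        String domain = account.substring(0, sep);
        String user = account.substring(sep + 1);
        String password = new String(console.readPassword("Password for %s: ", account));

        HttpClient client = new HttpClient();
        // Wait for the 401 challenge instead of sending credentials unasked.
        client.getParams().setAuthenticationPreemptive(false);
        // Answer NTLM only, so the Basic offer from "SSPIOfferBasic on" is never taken.
        client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY,
                Collections.singletonList(AuthPolicy.NTLM));
        client.getState().setCredentials(
                new AuthScope(server, 80, AuthScope.ANY_REALM),
                new NTCredentials(user, password,
                        InetAddress.getLocalHost().getHostName(), domain));

        GetMethod get = new GetMethod("http://" + server + "/redmine/mylyn/version");
        get.setDoAuthentication(true);
        int exitCode = 0;
        try {
            int status = client.executeMethod(get);
            System.out.println("HTTP " + status);
            if (status == HttpStatus.SC_UNAUTHORIZED) {
                // One attempt only: repeating a stale password counts toward domain lockout.
                System.err.println("Credentials rejected; update the stored password before retrying.");
                exitCode = 1;
            }
        } finally {
            get.releaseConnection();
        }
        System.exit(exitCode);
    }
}
```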