#225 HTTP re-authentication with NTLM fails

[Andre Goree]

Arch Linux
sw vers:
agoree@agoree-arch ~ % yaourt -Qs pidgin
extra/libpurple 2.10.7-4
IM library extracted from Pidgin
extra/pidgin 2.10.7-4
Multi-protocol instant messaging client
local/pidgin-sipe 1.17.2-1
An Open Implementation of SIP/Simple protocol for Live Communications Server 2003/2005/2007 - Pidgin plugin

I'm having an issue where my Lync buddy list shows all users offline, regardless of whether or not they're online. I can still message the "offline" users if I know they're online, and they do report seeing me online in their list.

I read the FAQ's, specifically this one which seems to apply, but I am indeed running the latest version of pidgin-sipe unless I'm mistaken.

I've attached 2 debug logs, which I got after removing ~/.purple before running so that I'd have a clean slate. Thanks in advance for any assistance you can provide. Let me know if you need more info and I'll provide it quickly.

[Stefan Becker]

Thanks for the logs. In your installation NTLM requests re-authentication for every HTTP transaction. The built-in NTLM implementation never supported that, but with the old HTTP stack implementation it didn't matter. I'll have to fix this.

[Andre Goree]

Thank you Stefan for the hasty reply and efforts on fixing this. :)

[Stefan Becker]

This should be fixed by git commit 3f3dcfc. Please verify and update this ticket. Thank you.

[Stefan Becker]

Ping. Can you please verify that this works now for you?

[Andre Goree]

Sorry for the delay, I'll confirm this tomorrow when I get to the PC in question.

[Alex Kurilo]

I'm experiencing the same issue (401 as a response to request with NTLM Negotiate) while requesting https://LYNCSERVER/CertProv/CertProvisioningService.svc
Is this fix supposed to help me as well? :)

Log is attached.

I cloned repo, built the specified commit, but it didn't help.

[Stefan Becker]

Where is the log? I don't see it...

[Alex Kurilo]

Sorry about that.

[Stefan Becker]

No, in your case the authentication data provided for NTLM is simply incorrect.

The log shows that your have configured "\Alexander_Kurilo" plus a password, i.e.

DOMAIN   = <empty>
ACCOUNT  = Alexander_Kurilo
PASSWORD = ...your super secret password...

Judging from experience this would be incorrect in most Windows AD environments. You need to supply your Windows AD credentials, e.g. EXAMPLE.ORG\Alexander_Kurilo as login name, or whatever is the account name you use to login into Windows machine.

Please do read this page for initial account setup.

[Alex Kurilo]

Well, I have read this.
This was just an option -- I tried either with domain and without. Occasionally, I attached one of the attepmts without domain specified.

Pidgin says ‘Web ticket request to https://lync.example.org:443/CertProv/CertProvisioningService.svc failed’ and I see 401 as a result of auth attempt. However, I can see the page there using the credentials provided in browser with Basic HTTP Auth.

Is there anything else I can provide or get a hint from about what's really going on?

[Stefan Becker]

Basic HTTP auth is different from NTLM authentication.

Plus that is not the HTTP request that fails, it's https://lync.example.org/WebTicket/WebTicketService.svc. That HTTP server does not offer Basic HTTP authentication.

If you don't use Windows machines then maybe you should contact your IT to request the correct Windows AD account information.

[Alex Kurilo]

My apologies for the very false alarm.
I've just checked what browser sends when I see the page. It uses NTLM auth, so this far from what I thought and, thus, there is an issue with the credentials.

Sorry for bugging you and thanks for help.

[Stefan Becker]

Ping. Feedback please.

[Andre Goree]

My apologies, very busy times I'm in. I'm [attempting to] clone the repo right now, but it appears to be down(?). Is this still the correct URL? http://repo.or.cz/w/siplcs.git

[Andre Goree]

I seem to have the same issue, tried renaming old ~/.purple after install from git. I've attached the debug log. Thanks for looking into this.

[Stefan Becker]

Are you sure you compiled from git or replaced the binary with the newly compiled one? Your log shows that you are using version 1.17.2 release:

(11:15:03) sipe: sipe_core_allocate: SIPE version 1.17.2 signin_name 'agoree@staff.atlantic.net'

If you compiled from git HEAD it should show (git commit 0c1b389) there.

[Stefan Becker]

Here is what I ses when I clone git HEAD:

$ git clone -b mob git+ssh://mob@repo.or.cz/srv/git/siplcs.git
Cloning into 'siplcs'...
remote: Counting objects: 21192, done.
remote: Compressing objects: 100% (4067/4067), done.
remote: Total 21192 (delta 16914), reused 21184 (delta 16909)
Receiving objects: 100% (21192/21192), 6.70 MiB | 454.00 KiB/s, done.
Resolving deltas: 100% (16914/16914), done.
Checking connectivity... done

$ cd siplcs

$ git status
# On branch mob
nothing to commit, working directory clean

$ git describe
1.17.2-124-g0c1b389

[Stefan Becker]

One other sanity check:

$ strings src/purple/.libs/libsipe.so | fgrep _ntlm:
...
sip_sec_init_sec_context__ntlm: dropping old context

If you don't see this string then your compiled version does not contain the fix.

[Andre Goree]

agoree@agoree-arch ~/tmp/siplcs (git)-[fixer] % strings src/purple/.libs/libsipe.so |fgrep _ntml
1 agoree@agoree-arch ~/tmp/siplcs (git)-[fixer] %
1 agoree@agoree-arch ~/tmp/siplcs (git)-[fixer] % git describe :(
1.17.2

It would appear that I don't have the correctly compiled version installed. Sorry about that, please standby.

[Stefan Becker]

It's _ntlm, not _ntml :-)

You have checkout branch "fixer" which is the release branch. Try

$ git checkout mob

[Andre Goree]

After rebuild with correct version, it works! Thanks Stefan.

1 agoree@agoree-arch ~/tmp/siplcs (git)-[mob] % git describe :(
1.17.2-124-g0c1b389

[Stefan Becker]

Sorry for being so pushy about this, but your YES/NO will decide if there is going to be a release 1.17.3 or not,. Sue to time constraints until the end of the year I can only release it within the next 24 hours or I have to cancel it altogether.

[Stefan Becker]

Thanks for verifying it. Now I can release 1.17.3 which will have this fix.

CLOSING.