Outlook 2007 SPA authentication problem solved (NTLM plugin bug)

Ken Murchison murch at andrew.cmu.edu
Thu May 8 12:22:59 EDT 2008


CHCNET Consulting wrote:
> Hi list,
> 
> I've patched the ntlm plugin to also support Outlook 2007, which uses a
> slightly different approach to authenticate. All Outlook versions prior
> to 2007 use a two-stage method: first they try to authenticate with
> the username and Windows domain instead of the mail domain (which of
> course doesn't work, unless we have user@NTDOMAIN in our sasldb). Outlook
> 2007 changed this method to username@maildomain.com, i.e. the NTLM auth
> is sent with username and client domain, where the client domain is finally
> correctly our email domain!
>
> But this needs a change in the SASL ntlm plugin, otherwise you never get
> the client domain into your checks, but only username@mailserver:

Here's my alternate patch, which first tries a fully qualified username
(using the supplied domain) and, if no password exists for that username,
falls back to the unqualified username.  Please try this with your
deployment.


--- ntlm.c.~1.32.~	2008-01-24 10:22:24.000000000 -0500
+++ ntlm.c	2008-05-08 12:17:27.000000000 -0400
@@ -1552,14 +1552,52 @@
  	result = sparams->utils->prop_request(sparams->propctx, 
password_request);
  	if (result != SASL_OK) goto cleanup;

-	/* this will trigger the getting of the aux properties */
-	result = sparams->canon_user(sparams->utils->conn, authid, authid_len,
-				     SASL_CU_AUTHID | SASL_CU_AUTHZID, oparams);
-	if (result != SASL_OK) goto cleanup;
+	if (domain) {
+	    /* see if we have a fully qualified username */
+	    char *fq_authid = sparams->utils->malloc(authid_len+domain_len+2);
+
+	    if (!fq_authid) {
+		MEMERROR(sparams->utils);
+		result = SASL_NOMEM;
+		goto cleanup;
+	    }
+
+	    sprintf(fq_authid, "%.*s@%.*s",
+		    authid_len, authid, domain_len, domain);
+	    sparams->utils->log(NULL, SASL_LOG_DEBUG,
+				"canonicalizing: %s", fq_authid);
+
+	    /* this will trigger the getting of the aux properties */
+	    result = sparams->canon_user(sparams->utils->conn,
+					 fq_authid, strlen(fq_authid),
+					 SASL_CU_AUTHID | SASL_CU_AUTHZID,
+					 oparams);
+	    sparams->utils->free(fq_authid);
+	    if (result != SASL_OK) goto cleanup;
+
+	    result = sparams->utils->prop_getnames(sparams->propctx,
+						   password_request,
+						   auxprop_values);
+	}
+	if (!domain || result < 0 ||
+	    (!auxprop_values[0].name || !auxprop_values[0].values)) {
+	    /* We didn't find the fully qualified username,
+	       try the unqualified username */
+	    sparams->utils->log(NULL, SASL_LOG_DEBUG,
+				"canonicalizing: %s", authid);
+
+	    /* this will trigger the getting of the aux properties */
+	    result = sparams->canon_user(sparams->utils->conn,
+					 authid, authid_len,
+					 SASL_CU_AUTHID | SASL_CU_AUTHZID,
+					 oparams);
+	    if (result != SASL_OK) goto cleanup;
+
+	    result = sparams->utils->prop_getnames(sparams->propctx,
+						   password_request,
+						   auxprop_values);
+	}

-	result = sparams->utils->prop_getnames(sparams->propctx,
-					       password_request,
-					       auxprop_values);
  	if (result < 0 ||
  	    (!auxprop_values[0].name || !auxprop_values[0].values)) {
  	    /* We didn't find this username */
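
Review bot: the fallback is narrower than the description promises: in the `if (domain)` branch, the `if (result != SASL_OK) goto cleanup;` right after the first canon_user call aborts the step before the unqualified lookup is ever tried, so a canon_user plugin that rejects an unknown `user@domain` (or any other canon_user error on the qualified name) never reaches the bare-username path; only a successful canonicalization that yields no password property falls through to it. If that is not intended, drop that early `goto cleanup`, let the `if (!domain || result < 0 || ...)` test that follows decide, and log the first result at debug level. Two smaller points on the same hunk: `%.*s` takes an `int` precision, so check that `authid_len` and `domain_len` are `int` here or cast them in the sprintf call (the buffer itself is correctly sized at authid_len + domain_len + 2); and since the bare-username lookup accepts whatever domain the client sent, the second `canonicalizing:` log line should say that the qualified lookup found nothing, so an operator can tell a matched domain from an ignored one.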


-- 
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University
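
The Type 3 parsing and the lookup order described above, as an added example in C that is not part of the original message or of cyrus-sasl: it pulls the user and domain security buffers out of a constructed NTLMSSP Type 3 (AUTHENTICATE) message, with the bounds check a server-side parser needs on client-supplied offsets, then resolves the credential against a constructed sasldb stand-in in the patch's order, fully qualified name first and bare user name second. The field offsets are the standard Type 3 layout (signature, message type, six security buffers, negotiate flags); the sasldb entries, the message bytes and every name in them (example.com, alice, bob, NTDOMAIN) are made up for the demo. MSG_BOB carries a Windows domain the server has no entry for, so it resolves to the bare "bob" entry, which is exactly the fallback the patch introduces; the domain itself is never checked.

```c
/* Added example, not cyrus-sasl code: parse the user and domain security buffers
 * of an NTLMSSP Type 3 (AUTHENTICATE) message, then resolve the credential in the
 * patch's order, "user@domain" first, bare "user" second. All input is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define T3_HDRSIZE       64   /* signature, type, six security buffers, flags */
#define T3_DOMAIN_OFFSET 28   /* a security buffer is len u16, maxlen u16, offset u32 */
#define T3_USER_OFFSET   36
#define T3_FLAGS_OFFSET  60
#define FLAG_UNICODE     0x00000001u   /* NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE */

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy the string a security buffer points at into out, rejecting buffers that reach
 * outside the message. UTF-16LE is narrowed to ASCII; non-ASCII is rejected. */
static int get_string(const unsigned char *msg, size_t msglen, size_t field,
                      int unicode, char *out, size_t outsz)
{
    uint16_t len = (uint16_t)(rd32(msg + field) & 0xffff);   /* low half is len */
    uint32_t off = rd32(msg + field + 4);
    size_t i, n = 0;
    if (off > msglen || len > msglen - off) return -1;       /* points outside message */
    if ((unicode && len % 2) || (size_t)len / (unicode ? 2 : 1) >= outsz) return -1;
    if (!unicode) { memcpy(out, msg + off, len); n = len; }
    else for (i = 0; i < len; i += 2, n++) {
        if (msg[off + i + 1] != 0 || msg[off + i] >= 0x80) return -1;
        out[n] = (char)msg[off + i];
    }
    out[n] = '\0';
    return (int)n;
}

/* Extract user and domain; 0 on success, -1 if the message is malformed. */
int ntlm_type3_user_domain(const unsigned char *msg, size_t msglen,
                           char *user, size_t usersz, char *domain, size_t domsz)
{
    int unicode;
    if (msglen < T3_HDRSIZE || memcmp(msg, "NTLMSSP\0", 8) != 0 || rd32(msg + 8) != 3)
        return -1;
    unicode = (rd32(msg + T3_FLAGS_OFFSET) & FLAG_UNICODE) != 0;
    if (get_string(msg, msglen, T3_USER_OFFSET, unicode, user, usersz) < 0) return -1;
    return get_string(msg, msglen, T3_DOMAIN_OFFSET, unicode, domain, domsz) < 0 ? -1 : 0;
}

/* Constructed sasldb stand-in: one Outlook 2007 style user@maildomain entry, one bare. */
static const struct { const char *authid, *secret; } sasldb[] = {
    { "alice@example.com", "s3cret-alice" }, { "bob", "s3cret-bob" },
};
static const char *db_lookup(const char *authid)
{
    size_t i;
    for (i = 0; i < sizeof sasldb / sizeof sasldb[0]; i++)
        if (strcmp(sasldb[i].authid, authid) == 0) return sasldb[i].secret;
    return NULL;
}

/* The patch's order; the key that matched (or "") is left in matched. Because of the
 * fallback, a client domain the server has never heard of is ignored, not rejected. */
const char *resolve_secret(const char *user, const char *domain, char *matched, size_t msz)
{
    const char *s = NULL;
    if (domain && *domain) {                                 /* first: user@domain */
        snprintf(matched, msz, "%s@%s", user, domain);
        s = db_lookup(matched);
    }
    if (!s) {                                                /* then: bare user */
        snprintf(matched, msz, "%s", user);
        s = db_lookup(matched);
    }
    if (!s) matched[0] = '\0';
    return s;
}

/* Constructed Type 3 messages as they would appear on the wire (OEM strings, empty
 * response fields): 64-byte header, then the domain and user strings. */
#define SECBUF(len, off) (len), 0, (len), 0, (off), 0, 0, 0  /* len, maxlen, offset (LE) */
#define T3_HEADER(dl, ul) 'N','T','L','M','S','S','P',0, 3,0,0,0, SECBUF(0,0), SECBUF(0,0), \
    SECBUF(dl, T3_HDRSIZE), SECBUF(ul, T3_HDRSIZE + (dl)), SECBUF(0,0), SECBUF(0,0), 0,0,0,0
static const unsigned char MSG_ALICE[] = { T3_HEADER(11, 5),  /* Outlook 2007: user@maildomain */
    'e','x','a','m','p','l','e','.','c','o','m', 'a','l','i','c','e' };
static const unsigned char MSG_BOB[]   = { T3_HEADER(8, 3),   /* pre-2007: Windows domain */
    'N','T','D','O','M','A','I','N', 'b','o','b' };

/* End to end: parse a message and resolve. Returns the sasldb key that matched, "" if
 * none did, NULL if the message is malformed (pass a msglen a few bytes short to see
 * a security buffer that points past the end being rejected). */
const char *demo_resolve(const unsigned char *msg, size_t msglen)
{
    static char key[160];
    char u[80], d[80];
    if (ntlm_type3_user_domain(msg, msglen, u, sizeof u, d, sizeof d) != 0) return NULL;
    resolve_secret(u, d, key, sizeof key);
    return key;
}
```

demo_resolve(MSG_ALICE, sizeof MSG_ALICE) matches the "alice@example.com" entry directly, demo_resolve(MSG_BOB, sizeof MSG_BOB) misses "bob@NTDOMAIN" and falls back to "bob", and passing sizeof MSG_ALICE - 2 makes the user security buffer point past the end of the message, so the parser returns NULL instead of reading beyond the buffer. That bounds check is the one to keep in mind whenever the domain and user strings come straight from the client.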

