TFS2008 & NTLM Authentication Problems

Hi

I've been using IntelliJ IDEA 8.x with TFS 2005. We recently upgraded to TFS 2008, on a new Windows server machine, but IntelliJ is unable to successfully connect to/add the new TFS server. It continually gets "Unauthorized". Are there any particular settings required on the TFS machine, including IIS settings and Windows settings, to allow the authentication to work correctly from IntelliJ?
I've examined the HTTP conversation between IntelliJ and TFS at the packet level, and the NTLM negotiation is all there, but the final result from the server is still 401 Unauthorized. Note that I am able to connect successfully using Visual Studio.
So far we have tried changing the Windows registry settings to allow NTLMv1 requests, but it makes no difference.
Incidentally, I also noticed when examining the packets that the WORKSTATION_NAME attribute is incorrect; it's supposed to be the name of the client workstation, not the server. But I doubt this is the cause of the problem, seeing as everything worked fine with the old TFS server...

Thanks!

23 comments

If you go to Settings | Version Control | VCS | TFS there is a button to "Reset Saved Passwords". I had a similar issue a while back and that worked for me.

0

Thanks, but unfortunately that makes no difference.
The NTLM negotiation takes place exactly the same regardless of this, and it fails in the same manner.
I think there's something I need to set on the server side, either in Windows or IIS, but unfortunately I can find no documentation anywhere about how to ensure IntelliJ will work with TFS, or what the requirements are.

It's a shame that IntelliJ is using the Axis/HttpClient library for NTLM; since most TFS users are likely to be on Windows anyway, a native Windows solution would probably be more effective (as is done by the Teamprise TFS plugin for Eclipse). Unfortunately this could be the nail in the coffin for my use of IntelliJ...

0

Hello Dominic,

What IDEA version are you using?

The NTLM negotiation takes place exactly the same regardless of this, and it fails in the same manner


Can you please provide NTLM handshake logs? If you feel the forum is not a secure enough place, you can upload them to ftp://ftp.intellij.net/.uploads/ (anonymous access) or send them directly to ksafonov (at) swiftteams.com.

I think there's something I need to set on the Server side, either in Windows or IIS, but unfortunately I can find no documentation anywhere about how to ensure IntelliJ will work with TFS, or what the requirements are

To my regret, currently there's no walkthrough or checklist to guarantee a successful connection. But we'll try our best to help you.

It's a shame that IntelliJ is using the Axis/HttpClient library for NTLM; since most TFS users are likely to be on Windows anyway, a native Windows solution would probably be more effective (as is done by the Teamprise TFS plugin for Eclipse). Unfortunately this could be the nail in the coffin for my use of IntelliJ...


We still don't want to limit our users to a certain platform/OS. Notably, we've got some feedback on TFS integration from Mac users.

By the way, AFAIK Teamprise uses Web services to connect to the server.

Regards,
  Kirill

0

Hi Kirill,
Thanks for the response. I've tried both IntelliJ 8.1.3/#9886 and the EAP version Maia #10361. I'm going to try the newest builds of both now.

Are there specific logs from intelliJ that I should generate & send, or is the http trace okay (it's a Microsoft Network Monitor capture file)?

Also, our Eclipse users (unfortunately everyone except me) are able to connect okay using the Teamprise plugin. I'm not sure how it's done, and I don't have a trace, but I suspect that it's doing NTLMv2 (as Visual Studio is) rather than NTLMv1....

Thanks,
Dominic.

0

Diana 8.1.3 and Maia EAP should support NTLMv2 the same way, so you can take the logs using any of these.

Please take Microsoft Network Monitor logs of unsuccessful connection attempt with IDEA, and of successful attempt with Visual Studio.

Also it will be valuable if you enable TFS logging (follow the steps in http://www.jetbrains.net/jira/browse/IDEA-22209, but now please specify httpclient.wire instead of httpclient.wire.content) and do one more connection attempt in IDEA.

Thanks,
Kirill

0

Hi Kirill


Sorry I haven't yet sent you the log/trace files. I've managed since last week to knock up a java client that calls the TFS CheckAuthentication service. It uses Axis2(v1.5) & HttpClient 3.1 libraries, and will successfully authenticate against my TFS server, using NTLMv1.

I've compared the traces from the two clients, and found where they begin to differ. The first difference is in the NTLM Negotiate message, in the NTLM flags. If I modify HttpClient so that it sets the flags to be the same as IntelliJ uses, then authentication fails (although this could just be because I'm doing something invalid by setting the flags directly!).
The main flag that seems to make a difference is the NegotiateUnicode flag; when it's set to 1 authentication will fail. There are other flags that differ too, but it's only the Unicode one that seems to induce failure.

I hope this information is useful, and I will send you the logs/traces if it's still necessary.

I'm also quite desperate to get this working (bosses are threatening me with Eclipse!) so if I can do anything to help test any fix or working-code I'd be willing to do so, as I think it might be hard for you to replicate this.


Many Thanks,

Dominic Sparks.


Message was edited by: Dominic Sparks at 23:21 GMT 08-09-09

0

Hello Dominic,

At first let me thank you for your investigations and your time!

To connect to TFS we use Axis2 1.4.1 & HttpClient 3.1, and I believe we didn't change the parts that are responsible for NTLM authentication (including the org.apache.commons.httpclient.auth.Ntlm class with all the flags). It may be helpful if you provide NTLM traces of successful (your client) and unsuccessful (IDEA) attempts to figure out the difference. There's no way to calculate your password from the logs, but if you still feel unsafe publishing the other bits, you can send the logs directly to ksafonov [at] swiftteams [dot] com.

In the original version of your last post you mentioned that your TFS server belongs to a different domain than your workstation does (and where your network credentials are defined). This may be related to the problem (see http://hc.apache.org/httpclient-3.x/authentication.html#NTLM). So I suggest trying to authenticate with an empty domain. Currently IDEA won't allow you to specify an empty one, so I will provide a patched bundle of the TFS plugin for IDEA 8.1 or 9. Which one do you prefer?

Regards,
Kirill

0

Hi, hope I do not intrude...

I also have a problem with authentication to the Team server from IntelliJ. I think my problems occurred when Windows updates were installed on the team server last month. Prior to the updates my team integration worked.

Updates installed 26.8 (26th of August) (on the Team Server running Windows Server 2003 R2 32-bit):
KB973815
KB973825
KB973869
KB973507
KB973354
KB971557
KB960859
KB973540
KB968389
KB971032
KB971657
KB956744
KB961371-v2
Installed later (31.8)
KB970653-v3
Installed: 9.9:
KB971961
KB961118
KB968816
KB967723
KB956844

I am pretty sure I had the Team Foundation connection working prior to the updates installed on the 26th of August. On the 27th it did not work, with a "Transport error: 401 Error: Unauthorized". (Client: Windows Vista 64-bit)

idea.log (IDEA 8.1.3) (hopefully not too chopped...):
2009-09-11 11:19:01,293 [  45365]  DEBUG -         httpclient.wire.header - >> "POST /Services/v1.0/ServerStatus.asmx HTTP/1.1[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "Content-Type: text/xml; charset=UTF-8[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "SOAPAction: "http://schemas.microsoft.com/TeamFoundation/2005/06/Services/ServerStatus/03/CheckAuthentication"[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "User-Agent: Axis2[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "Accept-Encoding: gzip[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "Content-Length: 270[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "Authorization: NTLM TlRMTVNTUAABAAAAATIAAAcABwAgAAAAEwATACcAAABHQUJMRVJQVEVBTTEuR0FCTEVSUC5MT0NBTA==[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "Host: team1.gablerp.local:8080[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -         httpclient.wire.header - >> "[\r][\n]"
2009-09-11 11:19:01,294 [  45366]  DEBUG -        httpclient.wire.content - >> "<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><CheckAuthentication xmlns="http://schemas.microsoft.com/TeamFoundation/2005/06/Services/ServerStatus/03" /></soapenv:Body></soapenv:Envelope>"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "Content-Length: 1539[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "Content-Type: text/html[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "Server: Microsoft-IIS/6.0[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAABAgAC7YK940K/wDEAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8=[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "X-Powered-By: ASP.NET[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "Date: Fri, 11 Sep 2009 09:19:01 GMT[\r][\n]"
2009-09-11 11:19:01,299 [  45371]  DEBUG -         httpclient.wire.header - << "[\r][\n]"
...chopped-off HTML error message...
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "POST /Services/v1.0/ServerStatus.asmx HTTP/1.1[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "Content-Type: text/xml; charset=UTF-8[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "SOAPAction: "http://schemas.microsoft.com/TeamFoundation/2005/06/Services/ServerStatus/03/CheckAuthentication"[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "User-Agent: Axis2[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "Accept-Encoding: gzip[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "Content-Length: 270[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAwADAAWAAAAA4ADgCIAAAADAAMAJYAAAAmACYAogAAAAAAAAAAAAAAAQIAAKvr5E+V0k8JXh5+jLvRA9fzDeaPRQ3pwiiWSJfwcvXMzSwQus+VRYkBAQAAAAAAAMBvV+bAMsoBjvqR8GoLx0wAAAAAAAAAAEcAQQBCAEwARQBSAFAAbQBvAGEAYgA1ADUAdABlAGEAbQAxAC4AZwBhAGIAbABlAHIAcAAuAGwAbwBjAGEAbAA=[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "Host: team1.gablerp.local:8080[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -         httpclient.wire.header - >> "[\r][\n]"
2009-09-11 11:19:01,310 [  45382]  DEBUG -        httpclient.wire.content - >> "<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><CheckAuthentication xmlns="http://schemas.microsoft.com/TeamFoundation/2005/06/Services/ServerStatus/03" /></soapenv:Body></soapenv:Envelope>"
2009-09-11 11:19:01,314 [  45386]  DEBUG -         httpclient.wire.header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "HTTP/1.1 401 Unauthorized[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "Content-Length: 1539[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "Content-Type: text/html[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "Server: Microsoft-IIS/6.0[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "WWW-Authenticate: NTLM[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "X-Powered-By: ASP.NET[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "Date: Fri, 11 Sep 2009 09:19:01 GMT[\r][\n]"
2009-09-11 11:19:01,315 [  45387]  DEBUG -         httpclient.wire.header - << "[\r][\n]"
2009-09-11 11:19:01,315 [  45387]   INFO - .httpclient.HttpMethodDirector - Failure authenticating with NTLM <any realm>@team1.gablerp.local:8080
2009-09-11 11:19:01,321 [  45393]   INFO - xis2.transport.http.HTTPSender - Unable to sendViaPost to url[http://team1.gablerp.local:8080/Services/v1.0/ServerStatus.asmx]
org.apache.axis2.AxisFault: Transport error: 401 Error: Unauthorized
at org.apache.axis2.transport.http.HTTPSender.handleResponse(HTTPSender.java:296)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:190)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:371)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:209)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:448)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
at org.jetbrains.tfsIntegration.stubs.ServerStatusServerStatusSoapStub.CheckAuthentication(ServerStatusServerStatusSoapStub.java:207)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper$1$1.compute(WebServiceHelper.java:124)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper$1$1.compute(WebServiceHelper.java:118)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper.runWithPluginClassLoader(WebServiceHelper.java:511)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper.access$100(WebServiceHelper.java:68)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper$1.executeRequest(WebServiceHelper.java:118)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper$1.executeRequest(WebServiceHelper.java:116)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper.executeRequest(WebServiceHelper.java:352)
at org.jetbrains.tfsIntegration.webservice.WebServiceHelper.authenticate(WebServiceHelper.java:116)
at org.jetbrains.tfsIntegration.ui.ManageWorkspacesForm.addServer(ManageWorkspacesForm.java:269)
at org.jetbrains.tfsIntegration.ui.ManageWorkspacesForm.access$400(ManageWorkspacesForm.java:52)
at org.jetbrains.tfsIntegration.ui.ManageWorkspacesForm$7.actionPerformed(ManageWorkspacesForm.java:166)
at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
.. chop-chop ..

0
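The three NTLMSSP tokens in the idea.log excerpt above are base64 and can be read without any secret. The following is an added example (it is not part of the thread and not JetBrains or IDEA code) that decodes them according to the MS-NLMP message layouts: the Type 1 (Negotiate) from the first Authorization header, the Type 2 (Challenge) from the WWW-Authenticate header, and the Type 3 (Authenticate) from the second Authorization header. It shows the negotiate flags (including NEGOTIATE_UNICODE, the flag discussed earlier in the thread), the domain and workstation strings, the server version and the fact that the Type 3 carries an NTLMv2-style response. The tokens are copied verbatim from the log excerpt; the flag table is a subset of the MS-NLMP flag bits.

```python
# Added example: decode the NTLMSSP tokens from the httpclient.wire log excerpt above.
import base64
import struct
from datetime import datetime, timedelta, timezone

# Tokens copied verbatim from the idea.log excerpt in the post above.
TYPE1_TOKEN = "TlRMTVNTUAABAAAAATIAAAcABwAgAAAAEwATACcAAABHQUJMRVJQVEVBTTEuR0FCTEVSUC5MT0NBTA=="
TYPE2_TOKEN = "TlRMTVNTUAACAAAAAAAAADgAAAABAgAC7YK940K/wDEAAAAAAAAAAAAAAAA4AAAABQLODgAAAA8="
TYPE3_TOKEN = ("TlRMTVNTUAADAAAAGAAYAEAAAAAwADAAWAAAAA4ADgCIAAAADAAMAJYAAAAmACYAogAAAAAAAAAAAAAAAQIAAKvr"
               "5E+V0k8JXh5+jLvRA9fzDeaPRQ3pwiiWSJfwcvXMzSwQus+VRYkBAQAAAAAAAMBvV+bAMsoBjvqR8GoLx0wAAAAA"
               "AAAAAEcAQQBCAEwARQBSAFAAbQBvAGEAYgA1ADUAdABlAGEAbQAxAC4AZwBhAGIAbABlAHIAcAAuAGwAbwBjAGEAbAA=")

# Subset of the NEGOTIATE flag bits defined in MS-NLMP section 2.2.2.5.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_VERSION = 0x02000000


def flag_names(flags):
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]


def _field(data, pos):
    """Read a length/maxlength/offset descriptor at pos and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, pos)
    return data[offset:offset + length]


def _filetime(raw):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    ticks = struct.unpack("<Q", raw)[0]
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def parse_ntlm(token):
    data = base64.b64decode(token)
    if data[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    msg = {"type": msg_type}
    if msg_type == 1:
        msg["flags"] = struct.unpack_from("<I", data, 12)[0]
        # Domain and workstation in the Negotiate message are always OEM (8-bit) strings.
        msg["domain"] = _field(data, 16).decode("ascii")
        msg["workstation"] = _field(data, 24).decode("ascii")
    elif msg_type == 2:
        msg["flags"] = flags = struct.unpack_from("<I", data, 20)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        msg["target_name"] = _field(data, 12).decode(enc)
        msg["challenge"] = data[24:32].hex()
        msg["target_info_len"] = len(_field(data, 40))
        if flags & NEGOTIATE_VERSION and len(data) >= 56:
            major, minor, build = struct.unpack_from("<BBH", data, 48)
            msg["version"] = (major, minor, build)
    elif msg_type == 3:
        msg["flags"] = flags = struct.unpack_from("<I", data, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        lm, nt = _field(data, 12), _field(data, 20)
        msg["domain"] = _field(data, 28).decode(enc)
        msg["user"] = _field(data, 36).decode(enc)
        msg["workstation"] = _field(data, 44).decode(enc)
        msg["lm_response_len"], msg["nt_response_len"] = len(lm), len(nt)
        # An NTLMv2 NT response is a 16-byte HMAC followed by a blob that starts 0x01 0x01;
        # the blob carries the client's timestamp as a FILETIME at blob offset 8.
        msg["ntlmv2"] = len(nt) > 24 and nt[16:18] == b"\x01\x01"
        if msg["ntlmv2"]:
            msg["timestamp"] = _filetime(nt[24:32])
    else:
        raise ValueError("unknown NTLM message type %d" % msg_type)
    msg["flag_names"] = flag_names(msg["flags"])
    return msg


if __name__ == "__main__":
    for label, token in (("Type 1", TYPE1_TOKEN), ("Type 2", TYPE2_TOKEN), ("Type 3", TYPE3_TOKEN)):
        print(label, parse_ntlm(token))
```

Decoded, the Type 1 carries flags 0x3201 (NEGOTIATE_UNICODE, NEGOTIATE_NTLM and the two OEM-supplied flags) with the workstation field set to the server's own name, which is the WORKSTATION_NAME oddity mentioned in the opening post; the Type 2 from IIS 6 has no target name and no target info, reports version 5.2 build 3790, and only echoes NEGOTIATE_UNICODE, NEGOTIATE_NTLM and NEGOTIATE_VERSION; the Type 3 strings are UTF-16LE and its 48-byte NT response is an NTLMv2 response whose embedded timestamp matches the Date header in the log. One caveat when sharing such logs: the challenge in the Type 2 together with the NTLMv2 response in the Type 3 is exactly the input an offline password-guessing tool needs, so treat wire logs of a handshake as sensitive even though they do not contain the password itself.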

Hello Morten,

After a brief look over the security bulletins I see some of them are security-related and may affect NTLM authentication (see http://www.microsoft.com/technet/security/bulletin/MS09-042.mspx, http://www.microsoft.com/technet/security/advisory/973811.mspx).

To figure out if the problem is system-wide or IDEA-related, please try to connect to the server with Visual Studio or other TFS client. If you have neither installed, you may just open the following URL with Internet Explorer: http://team1.gablerp.local:8080/Services/v1.0/ServerStatus.asmx and check that the resulting page contains text like "ServerStatus" and "Team Foundation Server Status web service".

If other clients connect successfully, please let us look at the connection logs to compare them with IDEA's. You can take the logs using Fiddler, MS Network Monitor, Ethereal or any other tool you like.

Regards,
Kirill

PS To attach files to the message please use 'Attach Files' field below the text editor pane.

0

Hi, Kirill,

I have no problem connecting through other TFS clients (VS-client or Explorer plugin). Direct link through IE went fine (no error - showed "ServerStatus" title on page).

KB960859 was installed on the 15th of April.

I uninstalled kb968389.  That seemed to fix the problem!! I got authenticated without problems..

- Morten

0

Hi Morten,

Cool!

Well, I still think it's possible to make IDEA cope with this hotfix installed. But then we need to look at the logs of a successful connection. Unfortunately we can't have the dozens of possible types of Windows environments here...

Anyway, thanks for your feedback!

Regards,
Kirill

0

Fantastic - that worked for me too.  We removed the Windows Update from the TFS Server machine and it now works okay.

Thanks

0

Hello,

I've also encountered this problem ever since I started using the built-in TFS support.  Is there a way to get around this 401 Unauthorized problem without modifying the server?  I do not have rights to modify the server, especially since most other users (Teamprise, Eclipse, Visual Studio) aren't affected.  I am using Intellij 8.1 Build 9732.

thanks,
Hubert

0

Hello Hubert,

Unfortunately, for the moment there's no known client-side way. Please provide the connection logs (follow the steps in http://youtrack.jetbrains.net/issue/IDEA-22209#comment=27-65382, but specify "httpclient.wire" as the logger name; Fiddler/MS Network Monitor logs are also OK).

Also, my suggestion is to turn off Unicode in the NTLM handshake. To do it, you need to set the jcifs.smb.client.useUnicode property to false:
1. Shut IDEA down
2. Open the file <idea_installation_folder>\bin\idea.exe.vmoptions (assuming you're on Windows and running idea.exe file)
3. Add the line to the end of the file: -Djcifs.smb.client.useUnicode=false

Regards,
Kirill

0

I shut down IDEA, modified the log settings, started up, responded to IDEA's prompts, and when it stopped prompting, I shut IDEA down, then copied the logs.  Can I email this set of logs to you?

0

Yes, please: ksafonov (at) swiftteams (dot) com

0

Another thing that may help.
If I come in really early, or stay really late, then the authentication problems are minimal.  They're still there, but not multiple times a minute (I'm not exaggerating here).  This may be related to the amount of network traffic.  Perhaps a more tolerant or configurable timeout would help with this problem.

0

Hello Hubert,

Thank you for your feedback,

The logs show that the NTLM handshake occurs on every request to the server. This is not the normal workflow: NTLM is a connection-level authentication protocol; this means that the handshake is done once the connection is established and is not repeated until it is closed. So here it looks like the connection is closed after a single request is processed.

This may be either due to an issue in IDEA, or the problem within server or proxy. Can you please take the log of the successful working session in Visual Studio or Teamprise with any network/HTTP monitoring tool?

By the way, what problems do you experience in IDEA UI? Is it just an error message or a login dialog popping up instantly?

Thanks,
   Kirill

0
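The distinction drawn in the reply above, one handshake per connection versus one handshake per request, can be checked mechanically in an httpclient.wire log. The following is an added example (not from the thread and not IDEA code) that scans log lines for NTLM tokens, classifies each token by its message type, and counts how many authenticated responses followed each Type 1 before the next handshake started. The log lines are constructed to mimic the httpclient.wire.header format quoted earlier in the thread and the tokens are synthetic NTLMSSP headers, not real captures; the regexes and the BROKEN_LOG/HEALTHY_LOG names are assumptions of this example.

```python
# Added example: detect "NTLM handshake on every request" in an httpclient.wire log.
import base64
import re
import struct


def _fake_token(msg_type):
    """Synthetic NTLMSSP token: signature, message type, zero padding (not a real capture)."""
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type) + b"\x00" * 20).decode()


def _wire(direction, header):
    """One constructed log line in the httpclient.wire.header shape seen in the thread."""
    return 'DEBUG - httpclient.wire.header - %s "%s[\\r][\\n]"' % (direction, header)


POST = _wire(">>", "POST /Services/v1.0/ServerStatus.asmx HTTP/1.1")
FULL_HANDSHAKE = [
    POST, _wire(">>", "Authorization: NTLM " + _fake_token(1)),
    _wire("<<", "HTTP/1.1 401 Unauthorized"),
    _wire("<<", "WWW-Authenticate: NTLM " + _fake_token(2)),
    POST, _wire(">>", "Authorization: NTLM " + _fake_token(3)),
    _wire("<<", "HTTP/1.1 200 OK"),
]
PLAIN_REQUEST = [POST, _wire("<<", "HTTP/1.1 200 OK")]

# Constructed broken session: every request re-runs the handshake and the server closes the connection.
BROKEN_LOG = "\n".join(FULL_HANDSHAKE + [_wire("<<", "Connection: close")]
                       + FULL_HANDSHAKE + [_wire("<<", "Connection: close")])
# Constructed healthy session: one handshake, later requests reuse the authenticated connection.
HEALTHY_LOG = "\n".join(FULL_HANDSHAKE + PLAIN_REQUEST + PLAIN_REQUEST)

TOKEN_RE = re.compile(r'(>>|<<) "(?:Authorization|WWW-Authenticate): NTLM ([A-Za-z0-9+/=]+)')
STATUS_RE = re.compile(r'<< "HTTP/1\.[01] (\d{3})')
CLOSE_RE = re.compile(r'<< "Connection: close', re.IGNORECASE)


def ntlm_type(token):
    """Message type from the NTLMSSP header, or None if the token is not NTLMSSP."""
    data = base64.b64decode(token)
    if data[:8] != b"NTLMSSP\x00" or len(data) < 12:
        return None
    return struct.unpack_from("<I", data, 8)[0]


def analyze(log_text):
    handshakes = []   # one record per Type 1 seen
    current = None
    for line in log_text.splitlines():
        m = TOKEN_RE.search(line)
        if m:
            t = ntlm_type(m.group(2))
            if t == 1:
                current = {"types": [], "ok_responses": 0, "server_closed": False}
                handshakes.append(current)
            if current is not None and t is not None:
                current["types"].append(t)
            continue
        if current is None:
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) != "401":
            current["ok_responses"] += 1      # a response that was not an auth challenge
        elif CLOSE_RE.search(line):
            current["server_closed"] = True
    complete = [h for h in handshakes if h["types"][:3] == [1, 2, 3]]
    return {
        "handshakes": len(handshakes),
        "complete": len(complete),
        "responses_per_handshake": [h["ok_responses"] for h in handshakes],
        "server_closed_connection": any(h["server_closed"] for h in handshakes),
        # Re-authentication on every request: more than one handshake, none of which
        # served more than a single response before the next Type 1 appeared.
        "reauth_every_request": len(handshakes) > 1 and all(h["ok_responses"] <= 1 for h in handshakes),
    }


if __name__ == "__main__":
    print("broken :", analyze(BROKEN_LOG))
    print("healthy:", analyze(HEALTHY_LOG))
```

To run it over a real idea.log, pass the file contents to analyze(); a result with reauth_every_request set and server_closed_connection set points at the server or a proxy closing the connection, while reauth_every_request without any "Connection: close" from the server suggests the client is dropping or not reusing the connection.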

I get the login dialog popping up instantly. As you might imagine, it makes the IDE very unusable at that point. I have teammates who have given up on the IDE due to this issue.

This is what it looks like when I try to check in a file: http://www.youtube.com/watch?v=Aauup0nQGo0

Message was edited by: undetected - add link to vid.

0

http://youtrack.jetbrains.net/issue/IDEADEV-41222

Still, Visual Studio / Teamprise connection logs may shed light on the reason for the connection breaks.

Regards,
Kirill

0

If you have access to the TFS server, you may also take a look at the system Event Viewer -> Application category and search for the TFS-related messages. Unsuccessful logins are usually shown there along with the reason.

Regards,
  Kirill

0

I am also having this problem; we just switched over to the TFS server in our other data center, so TFS just stopped working. Is there a fix that does not require removing a security patch from the TFS server (which I don't think the server admin will want to do)?

Also, I am currently the only IDEA user at my company, but they are currently planning on purchasing licenses for the rest of the team. If this can't be fixed, it may be a deal breaker for my manager.

0

Eventually it's fixed in IDEA X; please check with the next EAP build.

0