Authentication... #10

Closed
pkreipke opened this issue Sep 26, 2017 · 18 comments

@pkreipke

Hi,

I'm looking forward to using SPGo!

From the authentication code it looks like Digest authentication is the only supported authentication.

Is there an easy way to enhance SPGo (or via VSCode) to use NTLM? How about a Forms based SP 2013 authenticator?

Per

@sg-chrishasz
Contributor

Greetings @pkreipke !

I have not had a chance to test NTLM auth, but all of the libraries I am using for file upload and download profess to support NTLM as well as digest. Have you tried authenticating against an NTLM-secured SharePoint instance unsuccessfully? (You will need to provide <domain\username> rather than user@domain.yyy when prompted for credentials.)

As for Forms Auth, I did not have plans to support, but if you have a public facing instance and don't mind provisioning a test user account for me, I'm happy to look into the total effort to implement.

Appreciate the feedback.

Thanks!
Chris

@pkreipke
Author

Hi Chris,

Yes, I had been testing against NTLM and it wasn't working. In fact my issue was a mixed mode environment that was trying Forms first. By making one simple change to the requests, it works:

That is, if I try to access SP's /_api/... REST endpoints in mixed mode, I had to add the following header to the GET and POST calls to work, including /_api/contextinfo:

```
options = {
  headers: { "X-FORMS_BASED_AUTH_ACCEPTED": "f" }
}
```

I double checked this by stepping through sp-request's requestDigest() functions and adding the 'headers' attribute to coreOptions just before the POST call (careful not to overwrite the method attribute). Unfortunately, requestDigest() doesn't accept an option argument and that's what you're calling in verify() so it will need a fix too.

I suspect, but am not sure, that IF sp-request and its helpers are assuming NTLM (since you mentioned forms aren't implemented) you could add it to the default request options.

Best,
Per

@pkreipke
Author

Hmm. I wanted to test vscode ResetCredentials menu so I added the headers to your verify() function on my local machine in .vscode/extensions/..., restarted vscode and it didn't work.

Is there a way to debug the extensions themselves?

When I type in "Domain\username" does your code parse that out and use the separate options on the sp-request.create() function param?

Per

@pkreipke
Author

Sorry - I mean I added the option inside the sp-request.requestDigest() call to spr.post() in node_modules. Perhaps that's not being picked up.

@sg-chrishasz
Contributor

sg-chrishasz commented Sep 30, 2017

The node_modules folder holds code dependencies that are resolved to strictly versioned libraries, hosted on NPM's servers, at build/deploy time, which means that any changes in that folder will only work locally.

Thanks for the PR, I'll merge those changes into the 0.10.2 branch and check in today. If you don't mind, can you build from that branch locally and test the changes? If they work for you, I'll make sure they are included in the 0.10.2 release.

Appreciate the support and thanks for using SPGo!

@sg-chrishasz
Contributor

@pkreipke branch 0.10.2 with beta NTLM support has been created and committed. Please let me know if this works in your environment.

@pkreipke
Author

pkreipke commented Oct 8, 2017

@sg-chrishasz Appreciate the fix. I'm sorry, haven't had time to test yet. Will let you know as soon as I do.

@lafayetteduarte

Hello guys,
@sg-chrishasz thanks for this.
FYI, I was trying to use SPGo and ran into an auth issue.
My environment is a public-facing website that uses a custom STS for user authentication.
Originally I had the default zone configured to use NTLM + STS.
Aside from this zone, I had the internet zone using only the STS auth.

I was unable to authenticate in either one, so I extended my website to the intranet zone using only NTLM (with wwwauth enabled) and it worked like a charm.
I will use it from now on on my project and hopefully get rid of SPD.

That said, maybe it would help other newbies if the readme of
SPGo stated the restriction on multiple authentication schemes of SharePoint sites.

I will let you know if I find anything else.
Once again, thank you very much for your contribution.

@sg-chrishasz
Contributor

sg-chrishasz commented Oct 14, 2017

@lafayetteduarte - Glad to hear that you were able to get SPGo working. Adding specific authentication details to the readme.md file is a good idea and I'll add it to the 0.10.2 release.

Just a quick clarification question - Were you able to get NTLM + wwwauth working on build 0.10.1, or did you use the current (unreleased) 0.10.2 branch?

@lafayetteduarte

@sg-chrishasz yep. I was able to connect on 0.10.1.

my env is laid out as:

  1. SP 2016 on prem;
  2. Web app extended to 3 zones ( default/intranet/internet)
    default zone : windows (NTLM + basic auth enabled) + STS as auth
    intranet zone: Windows (NTLM + basic auth enabled)
    internet zone: public facing extension , STS Auth only

SPGo v0.10.1 can connect using my AD credentials only on my intranet zone (which is using NTLM only in its auth settings).
The credential check fails if STS is enabled.

I will try to disable basic auth and test again to see if SPGo 0.10.1 can authenticate using pure NTLM.

@sg-chrishasz
Contributor

Thanks for the detailed info! I am building better support for NTLM auth into 0.10.2, so this is timely feedback.

@pkreipke
Author

Updates on testing 0.10.2 with NTLM:

Your new RequestHelper code successfully splits domain from username and sets it up for the auth call.

However, it still didn't work for me without the "X-FORMS_BASED_AUTH_ACCEPTED" header mentioned above. I stepped through the code starting from RequestHelper where the request is created and manually added the header inside sp-request's SPRequest.js as soon as I could and that made it work!

I think if sp-request's requestDigest() allowed a second arg with options it would simply work for my NTLM setup. I tested over HTTPS and HTTP and both worked.

```
spRequestFunc.requestDigest = function (siteUrl, customOptions) {
...
   spRequestFunc.post(url + "/_api/contextinfo", customOptions)
      .then(....)
...
```

Once working, what a great tool! I was able to sync a folder down and save changes to files back up! Very cool - will experiment.

@pkreipke
Author

Ok, that was me with a dev hat on - obviously just adding a function parameter doesn't help the end user.

I'm not sure when that header option should be added: every call or triggered only off a setting in SPGo.json file.

@pkreipke
Author

Key info:

  • "X-FORMS_BASED_AUTH_ACCEPTED": "f" needs to be passed in on the headers of every HTTP request in my dual-auth setup to make authentication via NTLM work but also for every subsequent request!

I'm happy to help test more.

Per
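
An added example, not code from this thread, SPGo or sp-request: one way to put the header on every request only when a workspace setting asks for it, without overwriting `method` or other headers. The names `withFormsAuthOptOut`, `wrapRequester` and the `ntlmInMixedMode` setting are hypothetical, and the requester is a constructed stub.

```javascript
// Hypothetical helper names; HEADER and its "f" value come from the thread.
const HEADER = "X-FORMS_BASED_AUTH_ACCEPTED";

// Return a copy of `options` carrying the header. The caller's object is
// never mutated and every other attribute (method, body, ...) is kept.
function withFormsAuthOptOut(options = {}, settings = {}) {
  if (!settings.ntlmInMixedMode) return options; // opt-in via workspace config
  const headers = { ...(options.headers || {}) };
  // HTTP header names are case-insensitive: drop any differently-cased copy
  // so the request does not carry two conflicting values.
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === HEADER.toLowerCase()) delete headers[name];
  }
  headers[HEADER] = "f";
  return { ...options, headers };
}

// Wrap any (url, options) => Promise requester so the header goes on every
// call: the /_api/contextinfo digest request and each later GET/POST.
function wrapRequester(requestFn, settings) {
  return (url, options) => requestFn(url, withFormsAuthOptOut(options, settings));
}

// Constructed demo: a stub requester that records what it was asked to send.
function demo() {
  const sent = [];
  const stub = (url, options) => {
    sent.push({ url, options });
    return Promise.resolve({ statusCode: 200 });
  };
  const request = wrapRequester(stub, { ntlmInMixedMode: true });
  request("https://sp.example.test/_api/contextinfo", { method: "POST" });
  request("https://sp.example.test/_api/web", {
    headers: { Accept: "application/json", "x-forms_based_auth_accepted": "t" },
  });
  return sent;
}
```

Keeping the header behind a setting means requests to Forms-only or STS-only sites are left unchanged.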

@sg-chrishasz
Contributor

Hello Everyone!

Sorry for the delayed response - I am not ignoring you all on purpose! @pkreipke is correct, this issue is only faced when using mixed-mode authentication (when forms is involved).

I'm working on solving this issue via two paths:

Thanks for bearing with me on this. If I'm unable to get an update for mixed mode authentication via the channels above, I'll probably end up rewriting the functionality locally, which will need an entire release on its own. I'll keep you all updated on this front.

Thanks, again, for using SPGo!
-Chris

@pkreipke
Author

Checking back in.... Since sppull changes were made, if I update to 0.10.2 branch will I get those updates as well and can test for you?

@sg-chrishasz
Contributor

sg-chrishasz commented Nov 29, 2017

Hello @pkreipke

I just pushed a commit to the 0.10.2 which should correctly implement NTLM support for mixed-mode environments. Please do test and let me know if you run into any issues.

[Edit] - You will need to re-run the >SPGo: Configure Workspace command as I've added a new configuration screen for selecting authentication method.

Thanks, again, for the patience.
-Chris

@sg-chrishasz
Contributor

@pkreipke @lafayetteduarte I just released 0.10.2 to the VS Marketplace. This should resolve all of the issues raised for Authentication (as well as adding support for ADFS and FBA).

Please reopen these issues if you find any bugs.

Thanks!
-Chris
