NTLM / Kerberos Compatibility for Corporate / University Networks

As a Roblox developer, it is currently impossible to launch Studio whilst a network is utilising NTLM or Kerberos protocols. This is because ROBLOX has no built-in functionality for Windows authentication prompts. The result is that Studio cannot connect to any ROBLOX server and the request never times out - the error message 'authentication failed' is displayed.

Here is an example of what studio looks like with this issue:

Can this be added? It is crippling to developers who work part time / completely on NTLM authenticated networks.


Can you provide more context on what exactly the problem is? NTLM and Kerberos are authentication protocols, and are presumably handled at the OS level, is there also an HTTP proxy or something similar involved in connecting to your network?

Oddly, not in this case. If an application doesn’t bear the appropriate NTLM authentication token, it will just fail every request. I believe it’s up to the application to use the correct method.

I’d assume that ROBLOX Studio would just use the OS default.

I believe that it might be a Microsoft issue. NTLM is rarely used nowadays so it’s understandable that Microsoft may favour APIs that don’t support it by default (speculation)

My college network has no other proxies past the Kerberos auth. All I know is Roblox doesn’t support it. I have verified this with Fiddler.

This doesn’t make any sense. Kerberos is like SSL, it authenticates and encrypts traffic between two endpoints over a presumably insecure network, but it’s not used for web access. IIRC, NTLM was along the same venue, just older.

added:
Roblox Studio is not supposed to connect to your corporate/university intranet. If you have a restrictive firewall that necessitates the use of a proxy server, you can use the http_proxy=username:password@host environment variable. That won't fix the teamcreate issue, however, because most likely the very same firewall will be blocking UDP traffic to our game servers.

It’s definitely an NTLM / Kerberos issue:

added:
Here is how the network works:

  1. You log in to a WPA2-Enterprise network via a certificate
  2. You are provided with an NTLM auth prompt in major browsers (e.g. Chrome)
  3. You enter the credentials and it returns an NTLM session key for future use.

This is normally required on a case-by-case basis for each application. Some applications (e.g. Steam, Discord) and apparently ROBLOX have no support for this, so it's impossible to use. On the other hand, some applications can automatically work regardless. I'm not an expert in NTLM, so I don't know what the hell is going on, but it seems that it is possible to fix this behaviour.

My best guess is that either the NTLM server is misconfigured, or it’s just because that the userbase for users in an NTLM-based network is small enough for this not to have been noticed.

I have also talked to the IT technicians who run the network. It isn’t an issue about blocking ROBLOX. Only UDP ports are blocked.

So… what we’re seeing here is some garbage that the firewall sent to the Studio launcher masquerading as a legit response from our web endpoint. Interesting.

How does the server that sits in the middle of the network usually figure out if a particular http request is coming from the same process?

I believe it’s the process caching the NTLM authentication key and just using that. I’ve been trying to investigate this behaviour via Wireshark. Here is what I see happens:

Case 1: Chrome (Compatible)

  1. Sends request to server
  2. Middleman (NTLM server) intercepts, returns a 407 error code (even though it's not a proxy??)
  3. Chrome sends NTLM auth information (hashed password data) after showing prompt
  4. Middleman sends a key
  5. Chrome returns key and this establishes the key that is used from then on

Case 2: ROBLOX Studio (Incompatible)

  1. Sends request to server
  2. Middleman (NTLM server) intercepts, returns a 407 error code
  3. ROBLOX assumes failure, attempts to contact server again
  4. Rinse and repeat. ROBLOX cannot contact the server with version data matching the expected format, so it displays the raw NTLM response.

(That’s just what I observed with Wireshark - I’ll DM you the exact logs if you wish)

What kind of key is that? A session key? Does that mean… that we actually need to wrap all of our http traffic into Kerberos protocol so that the proxy would consider letting us through?

I’m guessing it is a session key - I’m going to do a lot more research on this to see what is happening, and I’ll send those CURL request logs over via your messages in a gist.

So far, I can’t find too much useful information on a solution - it just seems that some older or huge programs have built-in support whilst ROBLOX does not. I’ll keep you posted :+1:

Thank you! So this is the http proxy talking http (i.e. not socks). The proxy seems to want all http or https traffic wrapped as payload, and requires Kerberos/NTLM auth tokens as headers.

https://www.innovation.ch/personal/ronald/ntlm.html - only bits and pieces.

I see. Our hope is curl might already support all that madness.


Yeah! This was my original hypothesis until it started throwing purely Kerberos based errors. This is based off of a closed source firewall but I hope it’ll be possible to work with this :grinning:

http://squid.sourceforge.net/ntlm/client_proxy_protocol.html

Found the exact spec - it’s using the common ‘squid’ traffic proxy. It’s fairly common for firewalls, corporate / educational web filters and whatnot.

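The handshake described in the Wireshark post above and in the squid client/proxy protocol page, as an added example that is not part of this thread and is neither Roblox nor squid code. Both sides are simulated in one Python file: a squid-style proxy that answers an unauthenticated request with 407 and requires the three NTLM messages on a given connection, a "naive" client that treats 407 as a failure and retries (Case 2), and a client that completes the exchange (Case 1). The message bodies are simplified and the response is a toy HMAC-MD5 keyed by the password (real NTLMv2 keys HMAC-MD5 with a value derived from the MD4 of the UTF-16LE password and covers a client blob); the credential store and the user names are constructed for the example.

```python
# Added example for this thread: a simulated NTLM proxy-auth handshake.
# Not Roblox or squid code, and not a real NTLM implementation: message
# layouts are simplified and the response is a toy HMAC.
import base64
import hashlib
import hmac
import os

SIGNATURE = b"NTLMSSP\x00"                 # real tokens start with this
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3  # NTLM message types 1/2/3

# Constructed credential store for the toy proxy (assumption, not real data).
PROXY_USERS = {"student": b"correct horse"}


def _pack(msg_type: int, body: bytes) -> str:
    """Base64 of signature || type || body, the shape of a real NTLM token."""
    return base64.b64encode(SIGNATURE + bytes([msg_type]) + body).decode()


def _unpack(token: str):
    """Reverse of _pack; raises on anything that is not an NTLM token."""
    raw = base64.b64decode(token)
    if not raw.startswith(SIGNATURE):
        raise ValueError("not an NTLM token")
    return raw[len(SIGNATURE)], raw[len(SIGNATURE) + 1:]


def toy_response(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLMv2 response (simplified: real NTLMv2 keys
    HMAC-MD5 with NTOWFv2, derived from MD4(UTF-16LE(password)), and
    also hashes a client blob). Here the password keys HMAC-MD5 directly."""
    return hmac.new(password, challenge, hashlib.md5).digest()


class ToyNtlmProxy:
    """Squid-style proxy: each connection must finish the 3-message exchange
    before any request on it is forwarded. State is kept per connection, which
    is how the middlebox ties later requests to the earlier authentication."""

    def __init__(self):
        self.pending = {}    # conn_id -> challenge awaiting the type 3 message
        self.authed = set()  # connections that completed the handshake

    def handle(self, conn_id: int, headers: dict):
        if conn_id in self.authed:
            return 200, {}
        token = headers.get("Proxy-Authorization", "")
        if not token.startswith("NTLM ") or len(token) <= 5:
            # Step 2 of the capture: 407 with a bare "NTLM" hint.
            return 407, {"Proxy-Authenticate": "NTLM"}
        msg_type, body = _unpack(token[5:])
        if msg_type == NEGOTIATE:
            challenge = os.urandom(8)
            self.pending[conn_id] = challenge          # step 4: "sends a key"
            return 407, {"Proxy-Authenticate": "NTLM " + _pack(CHALLENGE, challenge)}
        if msg_type == AUTHENTICATE and conn_id in self.pending:
            challenge = self.pending.pop(conn_id)      # one shot per challenge
            user, _, resp = body.partition(b"\x00")
            pw = PROXY_USERS.get(user.decode())
            if pw and hmac.compare_digest(resp, toy_response(pw, challenge)):
                self.authed.add(conn_id)
                return 200, {}
        return 407, {"Proxy-Authenticate": "NTLM"}


def naive_client(proxy, conn_id=1, retries=3):
    """Case 2 in the thread: treats 407 as a failure and just retries."""
    statuses = []
    for _ in range(retries):
        status, _ = proxy.handle(conn_id, {})
        statuses.append(status)
        if status == 200:
            break
    return statuses


def ntlm_client(proxy, user: str, password: bytes, conn_id=2):
    """Case 1 in the thread: answers the 407s with type 1 and type 3 tokens
    on the same connection, then returns the final status."""
    status, hdrs = proxy.handle(conn_id, {})
    if status != 407 or not hdrs.get("Proxy-Authenticate", "").startswith("NTLM"):
        return status
    status, hdrs = proxy.handle(conn_id, {"Proxy-Authorization": "NTLM " + _pack(NEGOTIATE, b"")})
    if status != 407 or len(hdrs.get("Proxy-Authenticate", "")) <= 5:
        return status
    msg_type, challenge = _unpack(hdrs["Proxy-Authenticate"][5:])
    if msg_type != CHALLENGE:
        return 407
    body = user.encode() + b"\x00" + toy_response(password, challenge)
    status, _ = proxy.handle(conn_id, {"Proxy-Authorization": "NTLM " + _pack(AUTHENTICATE, body)})
    return status


if __name__ == "__main__":
    proxy = ToyNtlmProxy()
    print("naive client:", naive_client(proxy))                       # [407, 407, 407]
    print("ntlm client:", ntlm_client(proxy, "student", b"correct horse"))  # 200
    print("same connection again:", proxy.handle(2, {})[0])          # 200
```

Two points the simulation makes concrete: the proxy keys its state on the connection, not on the process, so a client that opens a fresh connection per request (or drops the connection on the first 407) never gets past step 2; and a 407 is not a terminal error but an invitation to continue. libcurl already implements this exchange for a proxy when CURLOPT_PROXYAUTH is set to CURLAUTH_NTLM or CURLAUTH_NEGOTIATE (the curl CLI equivalents are --proxy-ntlm / --proxy-negotiate with --proxy-user).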