kerberos-sspi authentication on windows with extended protection does not work. (Enable Extended Protection (channel and service binding) for Kerberos SSPI authentication)

UNCONFIRMED
Unassigned

Status

()

Core
Networking
P3
normal
UNCONFIRMED
2 years ago
2 months ago

People

(Reporter: William, Unassigned)

Tracking

38 Branch
x86
Unspecified
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [necko-backlog][ntlm])

Attachments

(1 attachment)

899 bytes, application/zip
Details
(Reporter)

Description

2 years ago
Created attachment 8628751 [details]
firefox_log.zip

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36

Steps to reproduce:

On our site we use kerberos authentication to our intranet websites. This works ok when I enable NTLM or use the gssapi32.dll from MIT kerberos but not with sspi on windows.

the output from negotiateauth is attached for a session with extended protection on and off.

Also when i disable the extended protection it works see: https://support.microsoft.com/en-us/kb/976918/en-us




Actual results:

I get a popup where i have to logon to the website.


Expected results:

It should have logged me in sso.
(Reporter)

Comment 1

2 years ago
This is fixed for ntlm but seems not to work for sspi kerberos.

https://bugzilla.mozilla.org/show_bug.cgi?id=573043
(Reporter)

Updated

2 years ago
Component: Untriaged → Security
Hardware: Unspecified → x86
Component: Security → Networking
Product: Firefox → Core
Whiteboard: [necko-backlog][ntlm]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
You need to log in before you can comment on or make changes to this bug.