kerberos-sspi authentication on windows with extended protection does not work. (Enable Extended Protection (channel and service binding) for Kerberos SSPI authentication)
Categories
(Core :: Networking, defect, P2)
Tracking
()
People
(Reporter: kc, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged][ntlm][necko-priority-next])
Attachments
(1 file)
|
899 bytes,
application/zip
|
Details |
|
||
Updated•9 years ago
|
|
||
Comment 2•8 years ago
|
||
|
|
||
Comment 3•8 years ago
|
||
|
||
Comment 4•5 years ago
|
||
Documentation is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1179722 (I think)
Here's another detailed scenario:
https://support.mozilla.org/en-US/questions/1296796
chrome added this support in 51.
|
||
Comment 5•4 years ago
|
||
Just ran into this problem while trying to enable the ExtendedProtectionTokenCheck setting on an ADFS that was used for authentication for one of our internal web services. Though our Chrome users had no problem with it, FireFox users could no longer authenticate, so we had to disable the setting again, unfortunately.
This is an important security feature for hardening the authentication interaction. Please, could someone of the developers take a closer look and try to tackle this issue?
(In reply to Johan Corveleyn from comment #5)
Just ran into this problem while trying to enable the ExtendedProtectionTokenCheck setting on an ADFS that was used for authentication for one of our internal web services. Though our Chrome users had no problem with it, FireFox users could no longer authenticate, so we had to disable the setting again, unfortunately.
This is an important security feature for hardening the authentication interaction. Please, could someone of the developers take a closer look and try to tackle this issue?
Hi Johan,
Did you set 'ExtendedProtectionTokenCheck ' from None to Allow or from Allow to Require?
This setting is here set to "Allow" and gives no authentication issues.
Did you install the following security patch?
Maybe related to the issue you described, we enabled a security patch (https://support.microsoft.com/nl-nl/topic/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab) and perform the second step (set the registerkey 'PerformTicketSignature' to 1), after some time our Firefox users cannot signin anymore into sites through ADFS.
|
|
||
Comment 7•4 years ago
|
||
Here's where the patch went in for Chrome - https://bugs.chromium.org/p/chromium/issues/detail?id=270219#c66
Here's the actual patchset:
https://codereview.chromium.org/1408433006/#ps1
Unfortunately I pasted the wrong thing in my comment and I can't find the documentation anymore.
I'm not sure about prioritization, but I'll put this on folks radar.
Can anyone seeing this tell me how pervasive this is? Like do a lot of people use this and can't use Firefox?
|
|
||
Comment 8•4 years ago
|
||
The specific SSPI change in question for Chrome is here:
https://codereview.chromium.org/1408433006/patch/100001/110039
I think this is the documentation
https://msrc-blog.microsoft.com/2009/12/08/extended-protection-for-authentication/
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/6b733b95-3fd9-4ad5-ba4f-28e548db1c24?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/windows/win32/api/sspi/ns-sspi-sec_channel_bindings?redirectedfrom=MSDN
(In reply to Mike Kaply [:mkaply] from comment #7)
Here's where the patch went in for Chrome - https://bugs.chromium.org/p/chromium/issues/detail?id=270219#c66
Here's the actual patchset:
https://codereview.chromium.org/1408433006/#ps1
Unfortunately I pasted the wrong thing in my comment and I can't find the documentation anymore.
I'm not sure about prioritization, but I'll put this on folks radar.
Can anyone seeing this tell me how pervasive this is? Like do a lot of people use this and can't use Firefox?
This is the combination in our environment:
- Firefox installed on a domain-joined pc
- ADFS server configured in the about:config setting : Network.automatic-ntlm-auth.trusted-uris
- "Mozilla/5.0" is added (default(?)) in ADFS WIASupportedUserAgents
- 2nd phase of the patch "cve-2020-17049" installed on all DC's (https://support.microsoft.com/nl-nl/topic/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab)
|
|
||
Updated•4 years ago
|
|
|
||
Comment 10•4 years ago
|
||
(In reply to Rende from comment #6, and Mike Kaply)
Hi Johan,
Did you set 'ExtendedProtectionTokenCheck ' from None to Allow or from Allow to Require?
This setting is here set to "Allow" and gives no authentication issues.Did you install the following security patch?
Maybe related to the issue you described, we enabled a security patch (https://support.microsoft.com/nl-nl/topic/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab) and perform the second step (set the registerkey 'PerformTicketSignature' to 1), after some time our Firefox users cannot signin anymore into sites through ADFS.
Sorry for the late response. I have received some more details from our sysadmin:
'ExtendedProtectionTokenCheck ' was changed from None to Allow (the Require option has not been tested)
The security patch mentioned was installed, but the registry keys are not created.
These two bullets in Rende's list also apply to our situation:
- Firefox installed on a domain-joined pc
- "Mozilla/5.0" is added (default(?)) in ADFS WIASupportedUserAgents
|
||
Comment 11•4 years ago
|
||
I can confirm this bug still exists, and that as per the timings of the CVE, this setting is now set to enforced, with no way around it: https://support.microsoft.com/en-us/topic/kb4598347-managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab
In our case it was enforcing kerberos auth only on the ADFS server that resulted in Firefox users getting broken authentication. The firefox client simply sits on the adfs page with the response in the URL in this format:
It would be nice to allow our firefox preferring folks to be able to use their preferred browser again - we use ADFS for authenticating various systems. They currently have to use Chrome or Edge Chromium. The thing that makes me especially sad is that this even works in IE.
Happy to help test and updates to this if someone wants to progress this one.
|
|
||
Comment 13•4 years ago
|
||
(In reply to Dragana Damjanovic [:dragana] from comment #12)
Mike, should we change priority for this?
Definitely. I tried to get some traction on it earlier this year but couldn't find the right people.
|
||
Comment 14•4 years ago
|
||
Jens, can you find someone to look into this? We might be able to reuse most of the code from bug 573043, but I have not look very closely.
|
|
||
Comment 16•4 years ago
|
||
Hey folks, any movement on this? In addition to our internal users experiencing this issue, we develop a web app and have now had reports from customers of similar issues with Firefox + ADFS, and have sadly had to let them know of this bug and that they'll need to use a browser other than Firefox if authenticating against ADFS. As I say, very happy to help in any testing, as would a number of our devs who greatly prefer Firefox.
|
||
Comment 17•4 years ago
|
||
We are also running into this at my workplace. A specific site works fine in Chrome but does not work at all in Firefox. Would be really sad to recommend people to switch.
I'd love to help testing if I can be of assistance.
|
||
Comment 18•3 years ago
|
||
I am also running into this at my workplace. +1 for fixing this issue.
|
||
Comment 19•3 years ago
|
||
Martinho offered to take a look.
|
||
Comment 20•3 years ago
|
||
Hi all,
Can anyone provide me access to or point to an example server (ideally pre-configured) to replicate this issue?
Also a mozregression range may be useful (?)
|
||
Updated•3 years ago
|
|
||
Comment 21•1 year ago
|
||
I have experienced this similar issue with Firefox after changing the ADFS SSL certificate to a SHA384 certificate. It seems like the issue was resolved for SHA256 SSL cert on the ADFS server.
|
||
Comment 22•1 year ago
|
||
(In reply to Dragana Damjanovic [:dragana] from comment #14)
Jens, can you find someone to look into this? We might be able to reuse most of the code from bug 573043, but I have not look very closely.
Looking at that code, it seems exactly what has to happen!
|
||
Comment 23•1 year ago
|
||
(In reply to Mervyn Morris from comment #21)
I have experienced this similar issue with Firefox after changing the ADFS SSL certificate to a SHA384 certificate. It seems like the issue was resolved for SHA256 SSL cert on the ADFS server.
Hi, could you try to capture a http log that shows this issue?
In about:logging, please select Logging to file and send the log file to necko@mozilla.com.
Thanks.
|
|
||
Comment 24•1 year ago
|
||
(In reply to Kershaw Chang [:kershaw] from comment #23)
(In reply to Mervyn Morris from comment #21)
I have experienced this similar issue with Firefox after changing the ADFS SSL certificate to a SHA384 certificate. It seems like the issue was resolved for SHA256 SSL cert on the ADFS server.
Hi, could you try to capture a http log that shows this issue?
Inabout:logging, please selectLogging to fileand send the log file to necko@mozilla.com.
Thanks.
Good day,
I do apologize but because this was our production environment we were forced to revert to a SHA256 SSL Cert which has allowed functionality for at least another year. I wouldn't be able to reproduce the issue at this moment.
|
|
||
Comment 25•1 year ago
|
||
Probably because the NTLM code for channel binding uses a fixed size for the hash; https://hg.mozilla.org/integration/mozilla-inbound/rev/e01dbdb4c7e1#l1.125
It's not necessarily related to this specific issue.
|
|
||
Comment 26•1 month ago
|
||
We will try to fix this in bug 1895277.
Description
•