Closed Bug 1216649 Opened 6 years ago Closed 4 years ago

Office 365 smart card auth prompt not working in Windows 10 since FF40

Categories

(Core :: Security: PSM, defect)

41 Branch
Unspecified
Windows 10
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1120350
Tracking Status
firefox41 --- affected

People

(Reporter: seanmcne, Unassigned, NeedInfo)

Details

(Whiteboard: [psm-smartcard])

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151014143721

Steps to reproduce:

Log in to Office 365 using smartcard login


Actual results:

No smartcard prompt ever appears to login with


Expected results:

A smartcard dialog should be launched asking which smartcard to login with
Priority: -- → P2
Thanks for reporting this problem. So smartcard login worked correctly in FF40 and stopped working in FF41?

What smartcard reader software are you using? Do you use smartcard login on any other websites besides Office 365?

Can you please copy and paste your Firefox's "Troubleshooting Information"? This will include information about plugins that will be useful for diagnosing the problem. Here are instructions:

https://support.mozilla.org/en-US/kb/use-troubleshooting-information-page-fix-firefox

I wonder if this problem is related to async plugin initialization (bug 1195607).
or https://www.fxsitecompat.com/en-US/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ?

Anyways both issues have already been fixed with Firefox 41 so we need the exact info on what's happening on which version.
Apologies for the delay in response, here are the steps that I've used in both FF40 and FF41 that fail to produce a smartcard selector/prompt: 

1. Navigate to Office 365 or a page that prompts for SC verification.
2. When pressing the smartcard sign-in button, the page posts back and I see an indication from the site to select a smart card, but nothing ever appears.

I've attempted using safe mode, etc., but neither ever shows me a selection box for smartcards. It should be noted I'm on the latest released build of Windows 10 (not in any slow or fast rings, just RTM + patches). Unfortunately, I just started using FF in 40 and it has not worked for me since then. Smartcard selection does function properly in Chrome, IE, and Edge. I can also confirm another coworker using FF can reproduce the issue with FF40 and 41.


Application Basics
------------------

Name: Firefox
Version: 41.0.2
Build ID: 20151014143721
Update Channel: release
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Multiprocess Windows: 0/1 (default: false)

Crash Reports for the Last 3 Days
---------------------------------

All Crash Reports

Extensions
----------

Name: FiddlerHook
Version: 2.5.1.8
Enabled: false
ID: fiddlerhook@fiddler2.com

Name: LastPass
Version: 3.2.21
Enabled: false
ID: support@lastpass.com

Name: uBlock Origin
Version: 1.3.1
Enabled: false
ID: uBlock0@raymondhill.net

Graphics
--------

Adapter Description: NVIDIA NVS 4200M
Adapter Description (GPU #2): Intel(R) HD Graphics 3000
Adapter Drivers: nvd3dumx,nvwgf2umx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um,nvwgf2um
Adapter Drivers (GPU #2): igdumd64 igd10umd64 igd10umd64 igdumd32 igd10umd32 igd10umd32
Adapter RAM: 512
Adapter RAM (GPU #2): Unknown
Asynchronous Pan/Zoom: none
Device ID: 0x1056
Device ID (GPU #2): 0x0126
DirectWrite Enabled: false (10.0.10240.16430)
Driver Date: 7-22-2015
Driver Date (GPU #2): 5-27-2015
Driver Version: 10.18.13.5362
Driver Version (GPU #2): 9.17.10.4229
GPU #2 Active: false
GPU Accelerated Windows: 0/1 Basic (OMTC)
Subsys ID: 14931028
Subsys ID (GPU #2): 0000000c
Supports Hardware H264 Decoding: false
Vendor ID: 0x10de
Vendor ID (GPU #2): 0x8086
windowLayerManagerRemote: true
AzureCanvasBackend: skia
AzureContentBackend: cairo
AzureFallbackCanvasBackend: cairo
AzureSkiaAccelerated: 0

Important Modified Preferences
------------------------------

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 358400
browser.cache.disk.filesystem_reported: 1
browser.cache.disk.hashstats_reported: 1
browser.cache.disk.smart_size.first_run: false
browser.cache.frecency_experiment: 4
browser.download.importedFromSqlite: true
browser.places.smartBookmarksVersion: 7
browser.sessionstore.upgradeBackup.latestBuildID: 20151014143721
browser.startup.homepage: https://www.bing.com/
browser.startup.homepage_override.buildID: 20151014143721
browser.startup.homepage_override.mstone: 41.0.2
dom.apps.reset-permissions: true
dom.mozApps.used: true
extensions.lastAppVersion: 41.0.2
gfx.direct3d.last_used_feature_level_idx: 0
gfx.driver-init.appVersion: 41.0.2
gfx.driver-init.deviceID: 0x1056
gfx.driver-init.driverVersion: 10.18.13.5362
gfx.driver-init.feature-d2d: true
gfx.driver-init.feature-d3d11: true
gfx.driver-init.status: 2
media.gmp-eme-adobe.lastUpdate: 1444656026
media.gmp-eme-adobe.version: 13
media.gmp-gmpopenh264.lastUpdate: 1441807489
media.gmp-gmpopenh264.version: 1.4
media.gmp-manager.buildID: 20151014143721
media.gmp-manager.lastCheck: 1445520085
media.hardware-video-decoding.failed: false
network.auth.allow-subresource-auth: 2
network.cookie.prefsMigrated: true
network.predictor.cleaned-up: true
places.database.lastMaintenance: 1445287748
places.history.expiration.transient_current_max_pages: 104858
plugin.disable_full_page_plugin_for_types: application/pdf
plugin.importedState: true
privacy.sanitize.migrateFx3Prefs: true
storage.vacuum.last.index: 1
storage.vacuum.last.places.sqlite: 1444659643

Important Locked Preferences
----------------------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 0

Library Versions
----------------

NSPR
Expected minimum version: 4.10.8
Version in use: 4.10.8

NSS
Expected minimum version: 3.19.2 Basic ECC
Version in use: 3.19.2 Basic ECC

NSSSMIME
Expected minimum version: 3.19.2 Basic ECC
Version in use: 3.19.2 Basic ECC

NSSSSL
Expected minimum version: 3.19.2 Basic ECC
Version in use: 3.19.2 Basic ECC

NSSUTIL
Expected minimum version: 3.19.2
Version in use: 3.19.2

Experimental Features
---------------------
FYI I'm not even getting prompted to select a smartcard - also a virtual smartcard would work for this as well as physical.  I would expect to see a smartcard auth prompt (asking me to select a SC) but this never appears. I was able to repro on 40 and 41 now.
(In reply to seanmcne from comment #4)
> FYI I'm not even getting prompted to select a smartcard - also a virtual
> smartcard would work for this as well as physical.

Is the virtual smartcard software built into Windows or is it a third-party application? I have a Windows 10 VM I can try testing.
Component: Untriaged → Security: PSM
OS: Unspecified → Windows 10
Priority: P2 → --
Product: Firefox → Core
Summary: Smartcard auth prompt not working since FF40 → Office 365 smartcard auth prompt not working in Windows 10 since FF40
David, does this smart card failure look like a Firefox regression or a Windows 10 compat issue?
Flags: needinfo?(dkeeler)
Summary: Office 365 smartcard auth prompt not working in Windows 10 since FF40 → Office 365 smart card auth prompt not working in Windows 10 since FF40
I can't think of anything that changed in 40 that would affect this, but then again there aren't many tests, so this certainly could have broken without us knowing. Is there a publicly-accessible URL we can reproduce the issue on?
Flags: needinfo?(dkeeler) → needinfo?(seanmcne)
Can you try the following URL?
https://msft.sts.microsoft.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=test

This URL was reached by trying to log in to Office 365 (https://login.microsoftonline.com/) using the user name 'example@microsoft.com' and removing all extra arguments.

If this one isn't a good example - let me know and I'll search for another one
Thanks for the reply; this fell completely off my radar as I've just been avoiding Smart Card login due to the issue.

I can easily repro with that URL & login name as well. 

1. Go to that url
2. Enter example@microsoft.com
3. Click Sign In With Smartcard button 

Actual Result:
- Nothing happens 

Expected result: 
- Smart card dialog box to select the appropriate virtual or physical smartcard appears
Flags: needinfo?(seanmcne)
Whiteboard: [psm-smartcard]
A friend of mine who works at Microsoft is experiencing the same problem. He said that their company internal authentication using a virtual smart card *used* to work with Firefox but since he updated, he no longer gets the Smart Card dialog. Instead, nothing happens.

I guess this is a real (and severe) regression, affecting mostly company/corporate users.

If you need more information, please needinfo? on me, and I'll forward.
Forgot to add: We tested this on Windows Server 2012 R2 (based on Windows 8) and on Windows 10. Same result on both.
Presumably the virtual smart card requires loading a pkcs#11 module into Firefox? If so, what is it/where can I get a copy? Also, are there publicly-accessible URLs the issue can be reproduced on?
Flags: needinfo?(choller)
Hi David,

Here is how to reproduce (copied from Sean's comment) -

1. Go to https://login.microsoftonline.com/
2. Enter example@microsoft.com as a user name
3. Click the password text box (at this point, you will be redirected to another site)
4. Click "Sign In With PIN or Smartcard" button

Actual Result:
- Nothing happens 

Expected result: 
- Smart card dialog box to select the appropriate virtual or physical smartcard appears
After following those directions, I don't see any popup in either recent versions of Firefox or versions before 40.
shynahum, do you have any PKCS#11 modules installed? (Preferences -> Advanced -> Certificates -> Security Devices)
Flags: needinfo?(shynahum)
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
I've tried older versions of FF (as old as Firefox 30), and saw that I don't get the pop-up.
It used to work in the past, so my current assumption is that something on our side might have changed.

I don't have any special PKCS#11 modules installed.
The ones I have are:
* Generic Crypto Devices
* Software Security Device
* Builtin Object token

They all have 'Mozilla*' listed as their manufacturer, so I'm assuming these are the default ones that come with Firefox.
Flags: needinfo?(shynahum)
I happen to work for Microsoft, and this problem is still happening. I can produce some screenshots if needed.

Reproduce:
Log in to any website that uses Azure AD (O365) to authenticate > sign in with work or school account > enter @microsoft.com credential > redirect to corporate ADFS > Choose Sign in with PIN or Smartcard > Error
Screenshots would be great. Do you have any 3rd-party PKCS#11 modules installed? Also, do you have a master password set?
Flags: needinfo?(kennethteo)
Attached image Error state
This is the final state of the error, after a certificate provider could not be located.
Attached image PIN select phase
After clicking the button, a dialog should appear to allow the user to select a certificate. However, the window never appears.
Attached image Sign-in request page
This is the first request to log in. If the user clicks the "Sign in with PIN or smartcard" button, the request will fail. Once the button is clicked, the browser remembers your choice for subsequent attempts. You will need to restart Firefox completely to try again with other options.
This is the expected result, as shown in Chrome.
PS: I have no 3rd-party PKCS#11 modules loaded, just what is supplied by Windows 10 by default. If there is some magic that I can do with about:config I would love to know about it. This is the #1 complaint I have with Firefox right now and would love to see it fixed soon.
Reopening this based on the new info we have.

David, can you do something with this information? It would be great to get this fixed finally. I have heard quite a few people complain about this before. Thanks!
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(choller) → needinfo?(dkeeler)
Resolution: INCOMPLETE → ---
jsuddsjr, in Firefox's certificate manager (preferences -> search for "Certificates" -> "View Certificates"), is anything listed in the "your certificates" section?
Flags: needinfo?(dkeeler) → needinfo?(jsuddsjr)
Nothing. Should there be?
Since Firefox doesn't use the Windows certificate store for client certificates, if you haven't imported a client certificate into Firefox, it can't use it. If you have a client certificate in Windows, you'll have to export it as a PKCS#12 file and import it into Firefox.
So, Firefox since version 49 manages to locate CA certs with "security.enterprise_roots.enabled", but still does not trust client authentication certs from the same place? I looked in my cert store and could not find anything remotely resembling Windows Hello PIN. What is your next suggestion?
Flags: needinfo?(jsuddsjr)
"security.enterprise_roots.enabled" doesn't affect client certificates, so that won't help.
I think you'll have to somehow figure out what client certificate e.g. Edge is presenting to the website, export that as a PKCS#12 file and import it into Firefox.
Did you manage to locate the client certificate? (see comment 28)
Flags: needinfo?(jsuddsjr)
Hi David, I tried to do what you have suggested (comment 28) but the certificate used in this scenario has its private key marked as not exportable. It is preventing me from importing the certificate with its associated private key into Firefox.
Did this feature ever work for you in Firefox?
Flags: needinfo?(deividfoggi)
Prior to logging this bug 3 years ago this did work for me (I believe on FF39); it stopped working in a FF update released prior to logging it. I logged it as I could no longer use smartcard login with FF. Since then I've uninstalled and stopped using FF as I can't log in this way anymore.

I just reinstalled FF now and tried it again with the latest version - even though I'm able to log in with a Windows Hello Smartcard (as well as a physical smartcard) using Edge, IE, and Chrome, Firefox won't show me the prompt to select my smartcard for login.

When a site in FF prompts for a smartcard login, does FF look at the user's personal store for certificates of the requested type?

Thanks!
When Firefox connects to a site that requests a client certificate, Firefox looks for client certificates that have been imported into the user's Firefox profile and any that are available via PKCS#11 modules that have been added to the user's profile. It does not (and has never been able to) directly look for client certificates that may be available via Windows APIs. I know of at least one PKCS#11 module that purports to expose Windows client certificates to Firefox, but I don't believe it was ever shipped with Firefox. If you can get the prompt to come up with an old version of Firefox, can you go to Preferences -> Advanced -> Certificates -> Security Devices and list what you see there? Thanks!
Flags: needinfo?(seanmcne)
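A Windows-side check for the situation described in the comment above, as an added example that is not part of the original thread or of Firefox: it lists the certificates in the current user's Windows store that could act as TLS client certificates and tries to export each one to PKCS#12 for import into Firefox, reporting the keys that cannot be exported. The output directory, variable names and report columns are assumptions of this example.

```powershell
# Added example, not from the bug thread. Run in Windows PowerShell as the
# affected user. $OutDir and the report column names are assumptions.
param(
    [string]$OutDir = (Join-Path $env:TEMP 'fx-client-certs')
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU
$pfxPassword   = Read-Host -AsSecureString -Prompt 'Password for the exported .pfx files'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Without a private key the certificate cannot be used for client auth.
    if (-not $cert.HasPrivateKey) { continue }

    # No EKU extension means "any purpose"; otherwise clientAuth must be listed.
    $ekuOids = @($cert.EnhancedKeyUsageList |
        Where-Object { $_ } | ForEach-Object { $_.ObjectId })
    if ($ekuOids.Count -gt 0 -and $ekuOids -notcontains $clientAuthOid) { continue }

    $pfxPath = Join-Path $OutDir ($cert.Thumbprint + '.pfx')
    try {
        # Fails when the private key is marked non-exportable, the case
        # reported earlier in this thread.
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
            -Password $pfxPassword -ErrorAction Stop | Out-Null
        $exportable = $true
    } catch {
        $exportable = $false
        $pfxPath    = $null
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Exportable = $exportable
        PfxPath    = $pfxPath
    }
}

# Exportable = True : import PfxPath in Firefox's certificate manager, then delete the file.
# Exportable = False: Firefox can only reach the key through a PKCS#11 module.
$report | Format-Table -AutoSize
```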
Hi David,

I clearly understand why it is not working. Considering that Firefox is my first choice and I work daily with apps that trust in Azure Multi-Factor Authentication which is the PIN Auth that we are arguing is not working, and also considering that there are a considerable number of users including those in enterprise environments that like and trust Firefox as their primary browser. With that said, the question is: Is there something that Mozilla could do in order to have this scenario work? At least discuss internally how relevant it would be? I confirmed that it is working in IE, Edge and Chrome, but I and many users prefer Firefox and it would be awesome to have this feature working here.

Thanks.
Flags: needinfo?(deividfoggi)
Historically we haven't invested much in enterprise-focused features, but that's been changing lately, so there's a chance this will work in the future (see bug 1120350), but I don't want to mislead you - client certificates are fundamentally problematic from a privacy perspective and the UX is hard to get right. Coupled with that only a small percentage of users use them and that there are more compelling solutions that we're working on right now (namely webauthn), it's hard to justify improvements here. I know that's disappointing to hear, but again, I don't want to give you unrealistic expectations.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1120350