Closed Bug 1216649 Opened 6 years ago Closed 4 years ago
Office 365 smart card auth prompt not working in Windows 10 since FF40
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151014143721

Steps to reproduce:
Login to Office 365 using smartcard login

Actual results:
No smartcard prompt ever appears to login with

Expected results:
A smartcard dialog should be launched asking which smartcard to login with
Thanks for reporting this problem. So smartcard login worked correctly in FF40 and stopped working in FF41? What smartcard reader software are you using? Do you use smartcard login on any other websites besides Office 365? Can you please copy and paste your Firefox's "Troubleshooting Information"? This will include information about plugins that will be useful for diagnosing the problem. Here are instructions: https://support.mozilla.org/en-US/kb/use-troubleshooting-information-page-fix-firefox I wonder if this problem is related to async plugin initialization (bug 1195607).
or https://www.fxsitecompat.com/en-US/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ? Anyways both issues have already been fixed with Firefox 41 so we need the exact info on what's happening on which version.
FYI I'm not even getting prompted to select a smartcard - also a virtual smartcard would work for this as well as physical. I would expect to see a smartcard auth prompt (asking me to select a SC) but this never appears. I was able to repro on 40 and 41 now.
(In reply to seanmcne from comment #4)
> FYI I'm not even getting prompted to select a smartcard - also a virtual
> smartcard would work for this as well as physical.

Is the virtual smartcard software built into Windows or is it a third-party application? I have a Windows 10 VM I can try testing.
Component: Untriaged → Security: PSM
OS: Unspecified → Windows 10
Priority: P2 → --
Product: Firefox → Core
Summary: Smartcard auth prompt not working since FF40 → Office 365 smartcard auth prompt not working in Windows 10 since FF40
David, does this smart card failure look like a Firefox regression or a Windows 10 compat issue?
Summary: Office 365 smartcard auth prompt not working in Windows 10 since FF40 → Office 365 smart card auth prompt not working in Windows 10 since FF40
I can't think of anything that changed in 40 that would affect this, but then again there aren't many tests, so this certainly could have broken without us knowing. Is there a publicly-accessible URL we can reproduce the issue on?
Flags: needinfo?(dkeeler) → needinfo?(seanmcne)
Can you try the following URL? https://msft.sts.microsoft.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=test This URL was reached by trying to log in to Office 365 (https://login.microsoftonline.com/) using the user name 'email@example.com' and removing all extra arguments. If this one isn't a good example, let me know and I'll search for another one.
Thanks for the reply. This fell completely off my radar as I've just been avoiding Smart Card login due to the issue. I can easily repro with that URL & login name as well.
1. Go to that URL
2. Enter firstname.lastname@example.org
3. Click Sign In With Smartcard button

Actual Result:
- Nothing happens

Expected result:
- Smart card dialog box to select the appropriate virtual or physical smartcard appears
A friend of mine who works at Microsoft is experiencing the same problem. He said that their company internal authentication using a virtual smart card *used* to work with Firefox but since he updated, he no longer gets the Smart Card dialog. Instead, nothing happens. I guess this is a real (and severe) regression, affecting mostly company/corporate users. If you need more information, please needinfo? on me, and I'll forward.
Forgot to add: We tested this on Windows Server 2012 R2 (based on Windows 8) and on Windows 10. Same result on both.
Presumably the virtual smart card requires loading a PKCS#11 module into Firefox? If so, what is it/where can I get a copy? Also, are there publicly-accessible URLs the issue can be reproduced on?
Hi David, here is how to reproduce (copied from Sean's comment):
1. Go to https://login.microsoftonline.com/
2. Enter email@example.com as a user name
3. Click the password text box (at this point, you will be redirected to another site)
4. Click "Sign In With PIN or Smartcard" button

Actual Result:
- Nothing happens

Expected result:
- Smart card dialog box to select the appropriate virtual or physical smartcard appears
After following those directions, I don't see any popup in either recent versions of Firefox or versions before 40. shynahum, do you have any PKCS#11 modules installed? (Preferences -> Advanced -> Certificates -> Security Devices)
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
I've tried older versions of FF (as old as Firefox 30), and saw that I don't get the pop-up. It used to work in the past, so my current assumption is that something on our side might have changed. I don't have any special PKCS#11 modules installed. The ones I have are:
* Generic Crypto Devices
* Software Security Device
* Builtin Object Token

They all have 'Mozilla*' listed as their manufacturer, so I'm assuming these are the default ones that come with Firefox.
I happen to work for Microsoft, and this problem is still happening. I can produce some screenshots if needed. Reproduce: Login to any website that uses Azure AD (O365) to authenticate > sign in with work or school account > enter @microsoft.com credential > redirect to corporate ADFS > Choose Sign in with PIN or Smartcard > Error
Screenshots would be great. Do you have any 3rd-party PKCS#11 modules installed? Also, do you have a master password set?
This is the final state of the error, after a certificate provider could not be located.
After clicking the button, a dialog should appear to allow the user to select a certificate. However, the window never appears.
This is the first request to log in. If the user clicks the "Sign in with PIN or smartcard" button, the request will fail. Once the button is clicked, the browser remembers your choice for subsequent attempts. You will need to restart Firefox completely to try again with other options.
This is the expected result, as shown in Chrome.
PS: I have no 3rd-party PKCS#11 modules loaded, just what is supplied by Windows 10 by default. If there is some magic that I can do with about:config I would love to know about it. This is the #1 complaint I have with Firefox right now and would love to see it fixed soon.
Reopening this based on the new info we have. David, can you do something with this information? It would be great to get this fixed finally. I have heard quite a few people complain about this before. Thanks!
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(choller) → needinfo?(dkeeler)
Resolution: INCOMPLETE → ---
jsuddsjr, in Firefox's certificate manager (preferences -> search for "Certificates" -> "View Certificates"), is anything listed in the "your certificates" section?
Flags: needinfo?(dkeeler) → needinfo?(jsuddsjr)
Nothing. Should there be?
Since Firefox doesn't use the Windows certificate store for client certificates, if you haven't imported a client certificate into Firefox, it can't use it. If you have a client certificate in Windows, you'll have to export it as a PKCS#12 file and import it into Firefox.
So, Firefox since version 49 manages to locate CA certs with "security.enterprise_roots.enabled", but still does not trust client authentication certs from the same place? I looked in my cert store and could not find anything remotely resembling Windows Hello PIN. What is your next suggestion?
"security.enterprise_roots.enabled" doesn't affect client certificates, so that won't help. I think you'll have to somehow figure out what client certificate e.g. Edge is presenting to the website, export that as a PKCS#12 file and import it into Firefox.
Did you manage to locate the client certificate? (see comment 28)
Hi David, I tried to do what you have suggested (comment 28), but the certificate used in this scenario has its private key marked as not exportable. It is preventing me from importing the certificate with its associated private key into Firefox.
Did this feature ever work for you in Firefox?
Prior to logging this bug 3 years ago this did work for me (I believe on FF39); it stopped working in a FF update released prior to logging it. I logged it as I could no longer use smartcard login with FF. Since then I've uninstalled and stopped using FF as I can't login this way anymore. I just reinstalled FF now and tried it again with the latest version. Even though I'm able to login with a Windows Hello Smartcard (as well as a physical smartcard) using Edge, IE, and Chrome, Firefox won't show me the prompt to select my smartcard for login. When a site in FF prompts for a smartcard login, does FF look at the user's personal store for certificates of the requested type? Thanks!
When Firefox connects to a site that requests a client certificate, Firefox looks for client certificates that have been imported into the user's Firefox profile and any that are available via PKCS#11 modules that have been added to the user's profile. It does not (and has never been able to) directly look for client certificates that may be available via Windows APIs. I know of at least one PKCS#11 module that purports to expose Windows client certificates to Firefox, but I don't believe it was ever shipped with Firefox. If you can get the prompt to come up with an old version of Firefox, can you go to Preferences -> Advanced -> Certificates -> Security Devices and list what you see there? Thanks!
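The two findings above (comment 47: the Windows Hello / smart card private key is marked non-exportable, so it cannot be turned into a PKCS#12 file; comment 50: Firefox only consults certificates imported into its profile or exposed through a PKCS#11 module, never the Windows certificate store) can be checked on a Windows machine before anyone spends time on an export. The script below is an added diagnostic example written for this thread, not code from Mozilla or from any commenter. It enumerates the current user's personal store, keeps certificates that carry the Client Authentication EKU (or no EKU at all), and reports which key storage provider holds each private key and whether that key may be exported. It assumes Windows PowerShell 5.1 or later on .NET 4.6+, and it only inspects RSA keys; a certificate whose key is held by a smart card or TPM provider will show as non-exportable, which is the situation described in comment 47.

```powershell
# Added example (not part of the bug thread): report client-auth certificates in the
# current user's Windows store and whether their private keys could be exported to
# PKCS#12 for import into Firefox. Assumes Windows PowerShell 5.1+ / .NET 4.6+.
# Note: touching a smart-card-backed key may trigger a PIN prompt from the provider.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCertificateReport {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_

            # Keep certs with the Client Authentication EKU, or with no EKU extension at all
            # (an absent EKU extension means "any purpose").
            $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $isClientAuth = (-not $ekuExt) -or
                [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
            if (-not $isClientAuth) { return }

            $provider   = $null
            $exportable = $null
            try {
                # Only RSA keys are inspected in this example (assumption); GetRSAPrivateKey
                # returns $null for ECDSA or other key types.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the KSP name tells you whether it lives in software, on a
                    # smart card, or in the TPM; ExportPolicy says whether it can leave.
                    $provider   = $rsa.Key.Provider.Provider
                    $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $exportable = (($rsa.Key.ExportPolicy -band $allowExport) -ne 0)
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key.
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                $provider = "inaccessible: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Exportable = $exportable
            }
        }
}

Get-ClientAuthCertificateReport | Format-Table -AutoSize
```

A row whose Provider is a smart card or platform (TPM) provider and whose Exportable column is False is exactly the case this thread ends on: the key cannot be converted to PKCS#12, so the only route into Firefox is a PKCS#11 module that fronts that provider, which is what the Security Devices dialog in Firefox would have to list. If Exportable is True and the provider is the software KSP, the export-and-import route from comment 28 applies.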
Hi David, I clearly understand why it is not working. Considering that Firefox is my first choice and I work daily with apps that trust in Azure Multi-Factor Authentication, which is the PIN Auth that we are arguing is not working, and also considering that there are a considerable number of users, including those in enterprise environments, that like and trust Firefox as their primary browser: with that said, the question is, is there something that Mozilla could do in order to have this scenario work? At least discuss internally how relevant it would be? I confirmed that it is working in IE, Edge and Chrome, but I and many users prefer Firefox, and it would be awesome to have this feature working here. Thanks.
Historically we haven't invested much in enterprise-focused features, but that's been changing lately, so there's a chance this will work in the future (see bug 1120350), but I don't want to mislead you - client certificates are fundamentally problematic from a privacy perspective and the UX is hard to get right. Coupled with that only a small percentage of users use them and that there are more compelling solutions that we're working on right now (namely webauthn), it's hard to justify improvements here. I know that's disappointing to hear, but again, I don't want to give you unrealistic expectations.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1120350