Closed Bug 1303314 Opened 9 years ago Closed 7 years ago

network.automatic-ntlm-auth.allow-non-fqdn does not work

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Version:
63 Branch
Platform:
x86_64
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: brunis, Unassigned)

Details

(Whiteboard: [necko-triaged][ntlm][no-nag])

Attachments

(4 files, 4 obsolete files)

loading-ntlm-short-hostname-stalls.png
145.96 KB, image/png
Details
about-config-ntlm.png
73.58 KB, image/png
Details
loading-fqdn-hostname-stalls.png
84.42 KB, image/png
Details
log-main.4996.txt.zip
463.67 KB, application/x-zip-compressed
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 Build ID: 20160421124000 Steps to reproduce: set network.automatic-ntlm-auth.allow-non-fqdn to true Actual results: I am prompted for login credentials Expected results: Firefox should just use my credentials and log me in.
Severity: normal → minor
OS: Unspecified → Windows 10
Hardware: Unspecified → x86
Component: Untriaged → Networking
Product: Firefox → Core
Can you tell us which version of Firefox are you using? Can you check if it also happens with the latest nightly? http://nightly.mozilla.org/
Flags: needinfo?(brunis)
Whiteboard: [necko-next]
Attached image about-config-ntlm.png
Loading a short-host-name NTLM page in Nightly 56.0a1 (2017-07-04) (32-bit) for Windows always stalls after replacing my long list of trusted-uris with a couple domain names. The "loading-ntlm-short-hostname-stalls.png" screenshot shows that the browsers does not receive and/or display responses to requests for some of the page's resources where a 401 Unauthorized followed by an NTLM negotiation would normally take place. Opening the same page under the full host name worked.
Loading another page in the NTLM-protected sharepoint site just stalled on me again, despite my using a fully qualified domain name of the site.
The previous comment with a stalled FQDN hostname turned due to the site's database malfunctioning. I just got a response to my page load attempt: Unable to connect to database. Check database connection information and make sure the database server is running. Please ignore the previous comment. I figure only opening short host names after setting non-fqdn to true results in unexpected stalls. Thanks for understanding.
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P2
Closing as incomplete since we've received no input since the initial report.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Status: RESOLVED → UNCONFIRMED
Flags: needinfo?(brunis)
Resolution: INCOMPLETE → ---
Hardware: x86 → x86_64
Version: 46 Branch → 63 Branch
No URI's work. FQDN or non-FQDN both broken. Always prompted for credentials.
Hi Dennis, Could you try to capture a HTTP log for us? https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging Thanks.
Flags: needinfo?(brunis)
Yes, ofcourse
Flags: needinfo?(brunis)
Attached file log-main.12648.txt.zip (obsolete) —
Http log from visiting lan webserver with auth(saved credentials are prompted).
Attached file ff-winauth-sharepoint2013-failure.zip (obsolete) —
Http log for a winauth attempt against sharepoint 2013 with screenshot of a 401 in the network panel. Here it automatically authorizes, but apparently with some credentials that dont work.
Honza, could you take a look at the log? Thanks.
Flags: needinfo?(honzab.moz)
Yup, fresh info available, thanks for it!
Assignee: nobody → honzab.moz
Whiteboard: [necko-next] → [necko-next][ntlm]
Whiteboard: [necko-next][ntlm] → [necko-triaged][ntlm]
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Finally got back to this bug. Apparently, as seen in the log, we are failing somewhere at [1]. Dennis, I will ask you to capture the log once again with an added modules like this: negotiateauth:5,NTLM:5 it will hopefully help to spot the issue. Thanks! [1] https://searchfox.org/mozilla-central/rev/7f7c353e969e61a6a85201cc8ad3c3de12ac30d8/netwerk/protocol/http/nsHttpNTLMAuth.cpp#277-428 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::ProcessAuthentication [this=000001E0E685EC40 channel=000001E0E61E26F0 code=401 SSLConnectFailed=0] nsHttpChannel @1e0e61e2000 --> nsHttpChannelAuthProvider @1e0e685ec40 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::PrepareForAuthentication [this=000001E0E685EC40 channel=000001E0E61E26F0] 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp proxy continuation state has been reset 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::GetAuthenticator [this=000001E0E685EC40 channel=000001E0E61E26F0] 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::GetCredentialsForChallenge [this=000001E0E685EC40 channel=000001E0E61E26F0 proxyAuth=0 challenges=NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgomi42fXUfxbUsMAAAAAAAAAAMgAyABAAAAABgGxHQAAAA9QAFIATwBEAAIACABQAFIATwBEAAEAGgBJAE4ATgBPAE0AQQBUAEUAUwBSAFYAMAAxAAQAIgBwAHIAbwBkAC4AaQBuAG4AbwBtAGEAdABlAC4AYwBvAG0AAwA+AEkATgBOAE8ATQBBAFQARQBTAFIAVgAwADEALgBwAHIAbwBkAC4AaQBuAG4AbwBtAGEAdABlAC4AYwBvAG0ABQAiAHAAcgBvAGQALgBpAG4AbgBvAG0AYQB0AGUALgBjAG8AbQAHAAgAXBDWtQVx1AEAAAAA] 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::GetIdentityFromURI [this=000001E0E685EC40 channel=000001E0E61E26F0] 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp nsHttpAuthCache::GetAuthEntryForDomain [key=https://sp.innomate.com:-1 realm=] 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: V/nsHttp nsHttpNTLMAuth::ChallengeReceived [ss=0000000000000000 cs=000001E0CDE06480] 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp identity invalid = 0 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: D/nsHttp nsHttpChannel::ConnectionRestartable this=000001E0E61E2000, restartable=0 2018-10-31 10:37:24.756000 UTC - [Parent 12648: Main Thread]: V/nsHttp nsHttpNTLMAuth::GenerateCredentials 2018-10-31 10:37:24.760000 UTC - [Parent 12648: Main Thread]: D/nsHttp unable to authenticate 2018-10-31 10:37:24.760000 UTC - [Parent 12648: Main Thread]: D/nsHttp ProcessAuthentication failed [rv=80004005]
Flags: needinfo?(honzab.moz) → needinfo?(brunis)
Attached file log-main.5280.txt.zip (obsolete) —
fresh sharepoint auth attempt, with negotiateauth:5,NTLM:5
Attachment #9021454 - Attachment is obsolete: true
Flags: needinfo?(brunis)
(In reply to Dennis Jakobsen from comment #17) > Created attachment 9024652 [details] > log-main.5280.txt.zip > > fresh sharepoint auth attempt, with negotiateauth:5,NTLM:5 OK, I don't see any newly added lines from those two modules in the log. Anyway, looking deeper into the code tells me there are number of possible code paths leading to the error (NS_ERROR_FAILURE). Logs would probably narrow this down only marginally. I will need either of those to move on: - if this has worked on any older version of Firefox, please use mozregression to try to find the change that caused this bug, see [1] - provide a publicly available use case (probably not an option) - I will produce an instrumented build of Firefox with more logging added and ask you to run it in your environment [1] https://mozilla.github.io/mozregression/
(In reply to Honza Bambas (:mayhemer) from comment #18) > (In reply to Dennis Jakobsen from comment #17) > > Created attachment 9024652 [details] > > log-main.5280.txt.zip > > > > fresh sharepoint auth attempt, with negotiateauth:5,NTLM:5 > > OK, I don't see any newly added lines from those two modules in the log. > Anyway, looking deeper into the code tells me there are number of possible > code paths leading to the error (NS_ERROR_FAILURE). Logs would probably > narrow this down only marginally. > > I will need either of those to move on: > - if this has worked on any older version of Firefox, please use > mozregression to try to find the change that caused this bug, see [1] > - provide a publicly available use case (probably not an option) > - I will produce an instrumented build of Firefox with more logging added > and ask you to run it in your environment > > [1] https://mozilla.github.io/mozregression/ Me neither, i was seeing less detail and no mention of the hostname i was resolving/visiting. Could probably file 10 bugs for that about:network interface alone..
Attached file log-main.11496.txt.zip (obsolete) —
Attachment #9021452 - Attachment is obsolete: true
Attachment #9024652 - Attachment is obsolete: true
(In reply to Dennis Jakobsen from comment #19) > Could probably file 10 bugs for that about:network interface alone.. :D (In reply to Dennis Jakobsen from comment #20) > Created attachment 9025868 [details] > log-main.11496.txt.zip Thanks! This actually shows the origin of the problem: InitializeSecurityContext fails with SEC_E_TARGET_UNKNOWN, -2146893053 = 0x80090303. I think the solution is here: https://social.technet.microsoft.com/Forums/en-US/d8d9766c-fc4d-43ea-a8b4-762347f6844c/initialisesecuritycontext-failed-error-code-2146893053-secetargetunknown?forum=winserverDS """ i have finally found the missing bit. All i had to do was register an SPN for the user who is running proxyServer and then give him rights for delegation the client's credentials for RemoteServer. """ Please try to fix this on your side and if it works, let's close this bug as INVALID. Thanks again for the logs.
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
For ref, the log from comment 20 shows: 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::PrepareForAuthentication [this=0000020625DF0B50 channel=000002062A2BB6F0] 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::GetAuthenticator [this=0000020625DF0B50 channel=000002062A2BB6F0] 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::GetCredentialsForChallenge [this=0000020625DF0B50 channel=000002062A2BB6F0 proxyAuth=0 challenges=NTLM <redacted>] 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/nsHttp nsHttpChannelAuthProvider::GetIdentityFromURI [this=0000020625DF0B50 channel=000002062A2BB6F0] 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/nsHttp nsHttpAuthCache::GetAuthEntryForDomain [key=https://sp.innomate.com:-1 realm=] 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: V/nsHttp nsHttpNTLMAuth::ChallengeReceived [ss=0000000000000000 cs=0000020625D10920] 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/nsHttp identity invalid = 0 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/nsHttp nsHttpChannel::ConnectionRestartable this=000002062A2BB000, restartable=0 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: V/nsHttp nsHttpNTLMAuth::GenerateCredentials 2018-11-17 12:13:40.394000 UTC - [Parent 11496: Main Thread]: D/negotiateauth entering nsAuthSSPI::GetNextToken() 2018-11-17 12:13:40.398000 UTC - [Parent 11496: Main Thread]: D/negotiateauth InitializeSecurityContext failed [rc=-2146893053:] *) 2018-11-17 12:13:40.398000 UTC - [Parent 11496: Main Thread]: D/nsHttp unable to authenticate 2018-11-17 12:13:40.398000 UTC - [Parent 11496: Main Thread]: D/nsHttp ProcessAuthentication failed [rv=80004005] *) https://searchfox.org/mozilla-central/rev/5117a4c4e29fcf80a627fecf899a62f117368abf/extensions/auth/nsAuthSSPI.cpp#498
Dennis, please see comment 21.
Flags: needinfo?(brunis)
(In reply to Honza Bambas (:mayhemer) from comment #21) > (In reply to Dennis Jakobsen from comment #19) > > Could probably file 10 bugs for that about:network interface alone.. > > :D > > (In reply to Dennis Jakobsen from comment #20) > > Created attachment 9025868 [details] > > log-main.11496.txt.zip > > Thanks! This actually shows the origin of the problem: > InitializeSecurityContext fails with SEC_E_TARGET_UNKNOWN, -2146893053 = > 0x80090303. I think the solution is here: > > https://social.technet.microsoft.com/Forums/en-US/d8d9766c-fc4d-43ea-a8b4- > 762347f6844c/initialisesecuritycontext-failed-error-code-2146893053- > secetargetunknown?forum=winserverDS > > """ > i have finally found the missing bit. All i had to do was register an SPN > for the user who is running proxyServer and then give him rights for > delegation the client's credentials for RemoteServer. > """ > > Please try to fix this on your side and if it works, let's close this bug as > INVALID. Thanks again for the logs. Wait, what?
Flags: needinfo?(brunis)
What exactly do you need to explain?
Sorry, maybe the piece that was not clear was that the issue was in the environment (your intranet) and not exactly in Firefox. Now I recall there is no proxy involved in your case, which the forum post I refer deals with. I may need to look more in depth for the cause of SEC_E_TARGET_UNKNOWN returned from InitializeSecurityContext then. Feel free to google as well on that topic or refer this issue (comment 21 of this bug) to your IT department.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Flags: needinfo?(brunis)
(In reply to Honza Bambas (:mayhemer) from comment #26) > Sorry, maybe the piece that was not clear was that the issue was in the > environment (your intranet) and not exactly in Firefox. > > Now I recall there is no proxy involved in your case, which the forum post I > refer deals with. I may need to look more in depth for the cause of > SEC_E_TARGET_UNKNOWN returned from InitializeSecurityContext then. Feel > free to google as well on that topic or refer this issue (comment 21 of this > bug) to your IT department. I dont have an IT department. I'm just here with my trusty desktop pc connected directly to my fiber provider's modem. No proxy settings in Firefox or any other browser. I was a bit hazy on how we could make Firefox work by sorting out a .NET remoting coding problem locally?
Flags: needinfo?(brunis)
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Whiteboard: [necko-triaged][ntlm] → [necko-triaged][ntlm][no-nag]
Andrew, in case it's easy for you, can you quickly overlook this and maybe have a clue or tip? I think this has something to do with SPN. The error is: InitializeSecurityContext fails with SEC_E_TARGET_UNKNOWN, -2146893053 = 0x80090303 while processing Type 2 message: WWW-Authenticate: NTLM TlRMTVNTUAACAAAACAAIADgAAAAFgomi2VKeFIvY5Z4AAAAAAAAAAMgAyABAAAAABgGxHQAAAA9QAFIATwBEAAIACABQAFIATwBEAAEAGgBJAE4ATgBPAE0AQQBUAEUAUwBSAFYAMAAxAAQAIgBwAHIAbwBkAC4AaQBuAG4AbwBtAGEAdABlAC4AYwBvAG0AAwA+AEkATgBOAE8ATQBBAFQARQBTAFIAVgAwADEALgBwAHIAbwBkAC4AaQBuAG4AbwBtAGEAdABlAC4AYwBvAG0ABQAiAHAAcgBvAGQALgBpAG4AbgBvAG0AYQB0AGUALgBjAG8AbQAHAAgARU45+m5+1AEAAAAA from https://sp.innomate.com/default.aspx Dennis, I'm not sure why you change the pref network.automatic-ntlm-auth.allow-non-fqdn to true to allow authentication to this particular domain. The sp.innomate.com is a fqdn. Maybe add the domain to the list of network.automatic-ntlm-auth.trusted-uris if you really trust that domain to know the credentials you log in to your Windows local account? This is actually a pretty dangerous thing to do, do you actually know what you are doing? Also your report says you get a credentials prompt instead of automatically logging you in with your local credentials. But in any of the logs I don't see anything like that happening.
Flags: needinfo?(brunis)
Flags: needinfo?(abartlet)
(In reply to Honza Bambas (:mayhemer) from comment #29) > Dennis, I'm not sure why you change the pref > network.automatic-ntlm-auth.allow-non-fqdn to true to allow authentication > to this particular domain. The sp.innomate.com is a fqdn. Maybe add the > domain to the list of network.automatic-ntlm-auth.trusted-uris if you really > trust that domain to know the credentials you log in to your Windows local > account? This is actually a pretty dangerous thing to do, do you actually > know what you are doing? > > Also your report says you get a credentials prompt instead of automatically > logging you in with your local credentials. But in any of the logs I don't > see anything like that happening. Yes, i know what i'm doing. I'm employed at Innomate and i'm the system administrator there. It's not a big deal, i just noticed that setting was broken, so i reported it. I *have* that hostname in trusted uri's, it still prompts. Allowing non-fqdn's used to make the prompt disappear and just fail. That is the whole issue. Maybe i explained it poorly? In latest nightly it always prompts now. I'll file a seperate bug for network.automatic-ntlm-auth.trusted-uris, because that is broken too. I apologize i was distracted and gave you an fqdn example when this particular bug was about non-fqdn auto signin. I'll trace another example from the lan.
Flags: needinfo?(brunis)
Attached file log-main.4996.txt.zip
Visiting http://linaro:9091 (Transmission Web with auth), having both non-fqdn enabled and http://linaro in trusted uri's .. still prompts.
Attachment #9025868 - Attachment is obsolete: true
This looks like interactions of the windows 'trusted sites' rather than a firefox restriction. InitializeSecurityContext is the Windows API that Firefox uses to get single sign on NTLM (in particular).
Flags: needinfo?(abartlet)
Thanks Andrew. This less and less looks like a Firefox issue to me. Closing as invalid.
Assignee: honzab.moz → nobody
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago7 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: