Closed
Bug 1304194
Opened 9 years ago
Closed 7 years ago
CNAME alias and NTLM trusted-uris
Categories
(Core :: Networking, defect, P2)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: wehr, Unassigned)
Details
(Whiteboard: [necko-next])
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; InfoPath.3; vWorkspace; rv:11.0) like Gecko
Steps to reproduce:
I use Firefox 49 to access MS SharePoint.
SharePoint uses CNAME aliases like this:
sp.contoso.com (A Record)
site1.contoso.com (CNAME alias for sp.contoso.com)
site2.contoso.com (CNAME alias for sp.contoso.com)
I use NTLM and Windows saved credentials.
In Windows Vault I create only one entry for sp.contoso.com.
Internet Explorer uses this entry for authentication for site1 and site2.
Actual results:
Default configuration: Password prompt for site1. After "cancel" I see 401 not authorized, which is expected!
Configured:
"network.automatic-ntlm-auth.trusted-uris" "https://.contoso.com"
With this entry automatic authentication worked with older Firefox versions and CNAME alias site1. Now I see a password prompt. If I click cancel there is a blank page instead of "401".
Configured:
"network.negotiate-auth.trusted-uris" "https://.contoso.com"
Now automatic authentication works with CNAME alias and NTLM.
Expected results:
In short:
network.negotiate-auth.trusted-uris allows CNAME Alias for NTLM (no Kerberos involved)
network.automatic-ntlm-auth.trusted-uris no longer works for CNAME Alias and NTLM in Firefox 49
Patrick, are you aware of any change in FF49 which might lead to that issue?
Flags: needinfo?(mcmanus)
Updated•9 years ago
Flags: needinfo?(mcmanus) → needinfo?(honzab.moz)
Comment 2•9 years ago
Markus, can you verify this is working on 48 [1] and find out if this is broken or not on 50 [2]?
Thanks.
[1] http://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-release-l10n/firefox-48.0.en-GB.win32.installer.exe (please pick whichever localization/language you need)
[2] http://ftp.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-15-57-15-mozilla-beta-l10n/firefox-50.0.en-GB.win32.installer.exe (same here)
Flags: needinfo?(honzab.moz) → needinfo?(wehr)
Reporter
Comment 3•9 years ago
I tried both versions with the same results:
A. Setting network.automatic-ntlm-auth.trusted-uris
No password prompt but empty page without errors when opening CNAME Site. A-Record Site loads OK.
B. Setting network.negotiate-auth.trusted-uris
CNAME Site loads, A-Record site loads.
In all cases there are two 401 responses, followed by a 302 to Homepage.aspx only if the site loads.
A:
1. response :WWW-Authenticate:"NegotiateNTLM" (401)
2. request: Authorization:"NTLM TlRMTVN.." (401)
3. request: Authorization:"NTLM TlRMTVN......................." (302 only A-Record site loads)
B:
1. response :WWW-Authenticate:"NegotiateNTLM" (401)
2. request: Authorization:"Negotiate TlRMT.." (401)
3. request: Authorization:"Negotiate TlRMT......................" (302 all sites load)
(In reply to Honza Bambas (:mayhemer) from comment #2)
> Markus, can you verify this is working on 48 [1] and find out if this is
> broken or not on 50 [2]?
>
> Thanks.
>
> [1]
> http://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-release-l10n/
> firefox-48.0.en-GB.win32.installer.exe (please pick whichever
> localization/language you need)
> [2]
> http://ftp.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-15-57-15-
> mozilla-beta-l10n/firefox-50.0.en-GB.win32.installer.exe (same here)
Flags: needinfo?(wehr)
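An added diagnostic example (not part of the bug thread and not Firefox code): the traces in comment 3 show tokens beginning `TlRMT`, which is how the base64 form of the `NTLMSSP` signature starts, under both the `NTLM` and the `Negotiate` scheme. The Python below classifies such header values as raw NTLM or a GSS-API token; the sample tokens are constructed and the function names are hypothetical.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value):
    """Return (scheme, mechanism) for an Authorization or WWW-Authenticate value."""
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if not token:
        return scheme, "scheme offer without token"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return scheme, "token is not valid base64"
    # Raw NTLMSSP: 8-byte signature, then a little-endian 32-bit message type.
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        name = NTLM_MESSAGE_TYPES.get(msg_type, "unknown type %d" % msg_type)
        return scheme, "raw NTLM " + name
    # GSS-API initial context token (SPNEGO or Kerberos) starts with ASN.1 tag 0x60.
    if raw[:1] == b"\x60":
        return scheme, "GSS-API token (SPNEGO or Kerberos)"
    return scheme, "unrecognised token"


def constructed_samples():
    """Constructed header values; not taken from the bug report."""
    def b64(data):
        return base64.b64encode(data).decode("ascii")
    ntlm_type1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0) + bytes(16)
    ntlm_type3 = NTLMSSP_SIGNATURE + struct.pack("<I", 3) + bytes(52)
    # 0x60 header followed by the SPNEGO OID 1.3.6.1.5.5.2, then filler bytes.
    gss = b"\x60\x20\x06\x06\x2b\x06\x01\x05\x05\x02" + bytes(24)
    return {
        "offer": "Negotiate",
        "ntlm_scheme": "NTLM " + b64(ntlm_type1),
        "negotiate_ntlm": "Negotiate " + b64(ntlm_type1),
        "negotiate_ntlm_auth": "Negotiate " + b64(ntlm_type3),
        "negotiate_gss": "Negotiate " + b64(gss),
    }


if __name__ == "__main__":
    for label, header in constructed_samples().items():
        print(label, "->", classify_auth_header(header))
```

A `Negotiate` header classified as raw NTLM matches the reporter's observation that no Kerberos is involved even when the negotiate preference is the one in effect.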
Reporter
Comment 4•9 years ago
Additional info: Windows creates the vault entry only for the A-Record. If I add a vault entry for the CNAME site, Firefox will pass through credentials with the "automatic-ntlm-auth" setting.
Updated•9 years ago
Whiteboard: [necko-next]
Comment 5•9 years ago
(In reply to Markus Wehr from comment #0)
> With this entry automatic authentication worked with older Firefox Versions
> and CNAME Alias site1. Now I see a password prompt. If I click cancel there
> is a blank page instead of "401".
Sorry for such a late answer here. Pretty busy these days.
In this comment you claim there used to be a version of Firefox that worked for you. Can you determine which one it was? It may help narrow this down further. We have landed some changes in 48 that might influence NTLM, so that was my source for checking Firefox 48 and 49 against one another. But if 48 is broken as well, we need to look further into the past.
Also, have you changed other preferences around negotiate and NTLM auth? One example is network.auth.force-generic-ntlm, but there are more. It might be best if you send me the content of the about:support page; feel free to send it to my Bugzilla email directly (it may contain private data).
Thanks.
Flags: needinfo?(wehr)
Reporter
Comment 6•9 years ago
It seems to be a generic problem. Older versions of Firefox show the same behavior. Internet Explorer shows a similar problem but only on some clients: Internet Explorer shows 2 login prompts if no entry in Windows Vault is present but the zone is configured to automatically authenticate.
I will update here after investigating further.
Comment 7•9 years ago
Thanks Markus! The more information, the greater the chance to move forward here. Thank you.
Comment 8•8 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P2
Comment 9•7 years ago
If this is still a problem (blocking) then please feel free to reopen. It's hard to recognize if this is a Firefox bug or something else from the info in this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(wehr)
Resolution: --- → INCOMPLETE