Authentication required popup because of connection closing in the middle of NTLM/Negotiate negotiation
Categories
(Core :: Networking: HTTP, defect, P2)
Tracking
()
People
(Reporter: marco.habegger, Unassigned)
Details
(Whiteboard: [necko-triaged][ntlm])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
Steps to reproduce:
- Firefox ESR 60.5.2
- Configure NTLM for on-prem SharePoint (2013) sites
- Configure SPNEGO for on-prem SAP Web Portal (Fiori)
- Open SAP Web Portal and an app or two (doesn't matter)
Actual results:
After a while or a Firefox Restart, on every site I visit, Firefox prompts me for authentication (multiple times). On internal sites (which should be automatically authenticated over NTML (which worked fine before accessing SAP)) it says "Authentication required for app.domain.local" and for external sites (Google.com or Mozilla.org) "Authentication required for PROXYSERVER". Cancleing results in the sites not working.
Expected results:
SSO should still be used for every site like it did before accessing SAP Web Portal
Comment 1•6 years ago
|
||
Hi @marco.habegger, for this issue I will set a component; is over my hand to handle it. So I guess someone from dev's team could give us a hand to verify the described scenario.
Thanks
Comment 3•6 years ago
|
||
I'd like to get more information.
Does it happen in recently ESR update?
Is it possible to try if nightly works or not?
Reporter | ||
Comment 4•6 years ago
|
||
Thanks for your replies.
I recently updated to 60.6.0esr (64-Bit) and so far haven't had any issues. I asked my colleagues to update aswell: One of them still received the popups but if the solution is to delete the "places.sqlite" once after the update, that's fine for me. I will keep an eye on the others' browsers and reply again once I can give a concrete answer.
I also installed the latest version of Nightly I could find (the web installer doesn't work in my corporate network) and was able to reproduce the error. I hope later updates for ESR won't unfix this issue.
Comment 5•6 years ago
|
||
Hi @Junior, based on the comment 4 should we modify the status of this issue or there are more info's or cases to investigate?
Comment 6•6 years ago
|
||
Please reopen if more help is needed
Reporter | ||
Comment 7•6 years ago
|
||
It seems to have been fixed, but multiple users including myself are still getting these promts in the latest 60.6.1esr (64-Bit) release. I think it happened to me again after updating from 60.6.0 to 60.6.1. Maybe this helps.
Let me know if you need further Information.
Comment 8•6 years ago
|
||
The priority flag is not set for this bug.
:mayhemer, could you have a look please?
Comment 9•6 years ago
|
||
This could be a duplicate of (already fixed) bug 1520125 and a followup to it, bug 1538737. I intend to work on the second one soon. I'll provide test builds when available.
Reporter | ||
Comment 10•6 years ago
|
||
As far as I've understood those two bug reports, they are not about the same problem. We encounter this behaviour only after any SAP web portal page was opened not every single time. Our proxy settings work just fine.
Updated•6 years ago
|
Updated•6 years ago
|
Comment 11•6 years ago
|
||
(In reply to marco.habegger from comment #10)
As far as I've understood those two bug reports, they are not about the same problem. We encounter this behaviour only after any SAP web portal page was opened not every single time. Our proxy settings work just fine.
I somehow translated "SAP Web Portal" as being a proxy, also the bit with "PROXYSERVER" suggested that.
-
What is your setting for
network.automatic-ntlm-auth.*
,network.negotiate-auth.*
preferences? -
Then I will ask for logs:
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_loggingplease add
NTLM:5,negotiateauth:5
to the list of modules. Please also state URLs that manifested the bug, so I can easily find them in the log.In case of privacy concerns, feel free to send them to my bugzilla email directly.
Thanks!
Reporter | ||
Comment 12•6 years ago
|
||
I answered you via email for privacy reasons.
Comment 13•6 years ago
|
||
Honza, please investigate the mail from marco and triage this bug accordingly.
Comment 14•6 years ago
|
||
(In reply to marco.habegger from comment #12)
I answered you via email for privacy reasons.
Answered back, let's see how the next round goes.
Reporter | ||
Comment 15•6 years ago
|
||
Hi
I made the changes you suggested but unfortunately it didn't solve the issue. I replied to you with my latest information.
Reporter | ||
Comment 17•6 years ago
|
||
No, this is not a duplicate of the mentioned bug.
Comment 19•6 years ago
|
||
P5 per Comment 18.
Comment 20•6 years ago
|
||
New logs sent privately by email. This is a very low priority for me, though.
Updated•6 years ago
|
Updated•6 years ago
|
Comment 21•6 years ago
|
||
Found the problem, we may want this fixed for ESR68, hence P1.
We are killing a connection in the middle of ambient authentication negotiation, while it happens to be just in the idle state between two requests; DontReuse is called:
2019-04-24 07:44:36.629000 UTC - [13316:Socket Thread]: V/nsHttp nsHttpConnectionMgr::ClosePersistentConnections [ci=.S.....[tlsflags0x00000000]<redacted>:443]
2019-04-24 07:44:36.629000 UTC - [13316:Socket Thread]: V/nsHttp nsHttpConnection::DontReuse 0000025E19EEF800 spdysession=0000000000000000
We have to have a new flag that will keep the connection in the pool.
This comes from DoShiftReloadConnectionCleanup and according the log this only happens because of Ctrl-F5 was pressed, but I'm not 100% sure because of no time correlation of top level loads and connection killings:
https://searchfox.org/mozilla-esr60/rev/36859affb862d05f6f0c63c758fd901a027b267b/netwerk/protocol/http/nsHttpChannel.cpp#6099.
We are then closing ALL connections:
https://searchfox.org/mozilla-esr60/rev/36859affb862d05f6f0c63c758fd901a027b267b/netwerk/protocol/http/nsHttpConnectionMgr.cpp#2664
Updated•6 years ago
|
Updated•6 years ago
|
Comment 22•6 years ago
|
||
When you say ESR68 do you mean 68.0 or a later 68.x update? For the former we'll soon be running out of time.
Comment 23•6 years ago
|
||
(In reply to Julien Cristau [:jcristau] from comment #22)
When you say ESR68 do you mean 68.0 or a later 68.x update? For the former we'll soon be running out of time.
I think 68.x update. I won't find time soon to fix this.
Comment 24•6 years ago
|
||
Thanks.
Reporter | ||
Comment 25•6 years ago
|
||
Thank you guys for your work and your replies. Sorry that I didn't answer any sooner.
I informed my boss and the project team responsible for the rollout.
Looking forward to getting an update with a working solution. Good luck :)
Comment 26•6 years ago
|
||
(In reply to marco.habegger from comment #25)
Thank you guys for your work and your replies. Sorry that I didn't answer any sooner.
I informed my boss and the project team responsible for the rollout.Looking forward to getting an update with a working solution. Good luck :)
Thanks, I would be more interested in confirming or disproving that you (or whoever provided the logs) were pressing Ctrl-F5 during the page load. It would help to narrow this further down. Thanks.
Reporter | ||
Comment 27•6 years ago
|
||
Thanks, I would be more interested in confirming or disproving that you (or whoever provided the logs) were pressing Ctrl-F5 during the page load. It would help to narrow this further down. Thanks.
We did never use Ctrl+F5 to reload a page. The error occurs after navigating to the SAP Portal via a link on our intranet. Then, after a browser restart, to popups show up without any navigation, just the start-pages load.
Updated•6 years ago
|
Updated•6 years ago
|
Updated•5 years ago
|
Updated•4 years ago
|
Updated•2 years ago
|
Updated•2 years ago
|
Description
•