Open Bug 1534190 Opened 5 years ago Updated 2 years ago

Authentication required popup because of connection closing in the middle of NTLM/Negotiate negotiation

Categories

(Core :: Networking: HTTP, defect, P2)

65 Branch
Desktop
Windows
defect

Tracking


Tracking Status
firefox-esr60 --- wontfix
firefox67 --- wontfix
firefox67.0.1 --- wontfix
firefox68 - wontfix
firefox69 --- wontfix

People

(Reporter: marco.habegger, Unassigned)

Details

(Whiteboard: [necko-triaged][ntlm])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763

Steps to reproduce:

  • Firefox ESR 60.5.2
  • Configure NTLM for on-prem SharePoint (2013) sites
  • Configure SPNEGO for on-prem SAP Web Portal (Fiori)
  • Open SAP Web Portal and an app or two (doesn't matter)

Actual results:

After a while or a Firefox Restart, on every site I visit, Firefox prompts me for authentication (multiple times). On internal sites (which should be automatically authenticated over NTLM (which worked fine before accessing SAP)) it says "Authentication required for app.domain.local" and for external sites (Google.com or Mozilla.org) "Authentication required for PROXYSERVER". Canceling results in the sites not working.

Expected results:

SSO should still be used for every site like it did before accessing SAP Web Portal

Hi @marco.habegger, for this issue I will set a component; it is beyond me to handle it. So I guess someone from the dev team could give us a hand to verify the described scenario.
Thanks

Component: Untriaged → Networking: HTTP
Product: Firefox → Core

junior, can you take a look?

Flags: needinfo?(juhsu)

I'd like to get more information.
Does it happen in the recent ESR update?
Is it possible to try if nightly works or not?

Flags: needinfo?(juhsu) → needinfo?(marco.habegger)

Thanks for your replies.

I recently updated to 60.6.0esr (64-Bit) and so far haven't had any issues. I asked my colleagues to update as well: One of them still received the popups but if the solution is to delete the "places.sqlite" once after the update, that's fine for me. I will keep an eye on the others' browsers and reply again once I can give a concrete answer.

I also installed the latest version of Nightly I could find (the web installer doesn't work in my corporate network) and was able to reproduce the error. I hope later updates for ESR won't unfix this issue.

Flags: needinfo?(marco.habegger)

Hi @Junior, based on comment 4, should we modify the status of this issue, or is there more info or are there more cases to investigate?

Flags: needinfo?(juhsu)

Please reopen if more help is needed

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(juhsu)
Resolution: --- → WORKSFORME

It seems to have been fixed, but multiple users including myself are still getting these prompts in the latest 60.6.1esr (64-Bit) release. I think it happened to me again after updating from 60.6.0 to 60.6.1. Maybe this helps.
Let me know if you need further information.

Status: RESOLVED → UNCONFIRMED
OS: Unspecified → Windows
Hardware: Unspecified → Desktop
Resolution: WORKSFORME → ---

The priority flag is not set for this bug.
:mayhemer, could you have a look please?

Flags: needinfo?(honzab.moz)

This could be a duplicate of (already fixed) bug 1520125 and a followup to it, bug 1538737. I intend to work on the second one soon. I'll provide test builds when available.

Assignee: nobody → honzab.moz
Depends on: 1538737

As far as I've understood those two bug reports, they are not about the same problem. We encounter this behaviour only after any SAP web portal page was opened, not every single time. Our proxy settings work just fine.

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → UNCONFIRMED
Ever confirmed: false
Flags: needinfo?(honzab.moz)
Whiteboard: [no-nag]

(In reply to marco.habegger from comment #10)

As far as I've understood those two bug reports, they are not about the same problem. We encounter this behaviour only after any SAP web portal page was opened, not every single time. Our proxy settings work just fine.

I somehow translated "SAP Web Portal" as being a proxy, also the bit with "PROXYSERVER" suggested that.

  • What is your setting for network.automatic-ntlm-auth.*, network.negotiate-auth.* preferences?

  • Then I will ask for logs:
    https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging

    please add NTLM:5,negotiateauth:5 to the list of modules. Please also state URLs that manifested the bug, so I can easily find them in the log.

    In case of privacy concerns, feel free to send them to my bugzilla email directly.

Thanks!

Assignee: honzab.moz → nobody
No longer depends on: 1538737
Flags: needinfo?(marco.habegger)

I answered you via email for privacy reasons.

Flags: needinfo?(marco.habegger)

Honza, please investigate the mail from marco and triage this bug accordingly.

Flags: needinfo?(honzab.moz)

(In reply to marco.habegger from comment #12)

I answered you via email for privacy reasons.

Answered back, let's see how the next round goes.

Flags: needinfo?(honzab.moz) → needinfo?(marco.habegger)

Hi

I made the changes you suggested but unfortunately it didn't solve the issue. I replied to you with my latest information.

Flags: needinfo?(marco.habegger) → needinfo?(honzab.moz)

No, this is not a duplicate of the mentioned bug.

Answered, candidate for INVALID.

Flags: needinfo?(honzab.moz)

P5 per Comment 18.

Priority: -- → P5
Whiteboard: [no-nag] → [no-nag][necko-triaged]

New logs sent privately by email. This is a very low priority for me, though.

Flags: needinfo?(honzab.moz)
Flags: needinfo?(honzab.moz)
Priority: P5 → P3
Flags: needinfo?(honzab.moz)

Found the problem, we may want this fixed for ESR68, hence P1.

We are killing a connection in the middle of ambient authentication negotiation, while it happens to be just in the idle state between two requests; DontReuse is called:

2019-04-24 07:44:36.629000 UTC - [13316:Socket Thread]: V/nsHttp nsHttpConnectionMgr::ClosePersistentConnections [ci=.S.....[tlsflags0x00000000]<redacted>:443]
2019-04-24 07:44:36.629000 UTC - [13316:Socket Thread]: V/nsHttp nsHttpConnection::DontReuse 0000025E19EEF800 spdysession=0000000000000000

We have to have a new flag that will keep the connection in the pool.

This comes from DoShiftReloadConnectionCleanup and according to the log this only happens because Ctrl-F5 was pressed, but I'm not 100% sure because of no time correlation of top level loads and connection killings:
https://searchfox.org/mozilla-esr60/rev/36859affb862d05f6f0c63c758fd901a027b267b/netwerk/protocol/http/nsHttpChannel.cpp#6099.

We are then closing ALL connections:
https://searchfox.org/mozilla-esr60/rev/36859affb862d05f6f0c63c758fd901a027b267b/netwerk/protocol/http/nsHttpConnectionMgr.cpp#2664

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(honzab.moz)
Priority: P3 → P1
Whiteboard: [no-nag][necko-triaged] → [no-nag][necko-triaged][ntlm]
Summary: Authentication required popup → Authentication required popup because of connection closing in the middle of NTLM/Negotiate negotiation
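
The failure described in the comment above, as an added example that is not part of the original comment or of Firefox's code: a simplified C++ model in which the server ties its NTLM state to the connection, so closing idle connections between the challenge and the final request ends in a 401. `Server`, `Pool`, `closePersistent` and the `keepAuthConns` flag are hypothetical names.

```cpp
// Added example: simplified model, not Firefox source; all names are hypothetical.
#include <cstdio>
#include <map>
#include <string>

// Server: the NTLM context is bound to the TCP connection (keyed by id here).
struct Server {
    std::map<int, bool> challenged;  // connection id -> Type 2 challenge sent
    int handle(int conn, const std::string& msg) {  // returns HTTP status
        if (msg == "type1") { challenged[conn] = true; return 401; }  // 401 + Type 2
        if (msg == "type3" && challenged.count(conn)) return 200;
        return 401;  // Type 3 arrived on a connection that never saw the challenge
    }
};
struct Conn { int id; bool authInProgress; };

// Client: one idle persistent connection per host.
struct Pool {
    int nextId = 1;
    std::map<std::string, Conn> idle;
    Conn get(const std::string& host) {
        auto it = idle.find(host);
        if (it != idle.end()) { Conn c = it->second; idle.erase(it); return c; }
        return Conn{nextId++, false};  // nothing pooled: open a new connection
    }
    void put(const std::string& host, Conn c) { idle[host] = c; }
    // Models closing all persistent connections. keepAuthConns is the
    // hypothetical flag that leaves mid-negotiation connections in the pool.
    void closePersistent(bool keepAuthConns) {
        for (auto it = idle.begin(); it != idle.end();) {
            if (keepAuthConns && it->second.authInProgress) ++it;
            else it = idle.erase(it);
        }
    }
};

// Runs the handshake with a pool-wide close in the idle gap between the
// Type 1 and Type 3 requests; returns the final HTTP status.
int negotiateWithCleanup(bool keepAuthConns) {
    Server srv; Pool pool; const std::string host = "app.domain.local";
    Conn c = pool.get(host);
    srv.handle(c.id, "type1");   // server answers 401 with its challenge
    c.authInProgress = true;
    pool.put(host, c);           // connection sits idle between two requests
    pool.closePersistent(keepAuthConns);
    return srv.handle(pool.get(host).id, "type3");
}

int main() { std::printf("%d %d\n", negotiateWithCleanup(false), negotiateWithCleanup(true)); }
```

In this model the final 401 stands for the point at which the browser falls back to the "Authentication required" prompt.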

When you say ESR68 do you mean 68.0 or a later 68.x update? For the former we'll soon be running out of time.

Flags: needinfo?(honzab.moz)
Whiteboard: [no-nag][necko-triaged][ntlm] → [necko-triaged][ntlm]

(In reply to Julien Cristau [:jcristau] from comment #22)

When you say ESR68 do you mean 68.0 or a later 68.x update? For the former we'll soon be running out of time.

I think 68.x update. I won't find time soon to fix this.

Flags: needinfo?(honzab.moz)

Thank you guys for your work and your replies. Sorry that I didn't answer any sooner.
I informed my boss and the project team responsible for the rollout.

Looking forward to getting an update with a working solution. Good luck :)

(In reply to marco.habegger from comment #25)

Thank you guys for your work and your replies. Sorry that I didn't answer any sooner.
I informed my boss and the project team responsible for the rollout.

Looking forward to getting an update with a working solution. Good luck :)

Thanks, I would be more interested in confirming or disproving that you (or whoever provided the logs) were pressing Ctrl-F5 during the page load. It would help to narrow this further down. Thanks.

Thanks, I would be more interested in confirming or disproving that you (or whoever provided the logs) were pressing Ctrl-F5 during the page load. It would help to narrow this further down. Thanks.

We never used Ctrl+F5 to reload a page. The error occurs after navigating to the SAP Portal via a link on our intranet. Then, after a browser restart, the popups show up without any navigation, just the start-pages load.

Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Priority: P1 → P2
Assignee: honzab.moz → nobody
Status: ASSIGNED → NEW
Severity: normal → S3