Closed Bug 1613078 Opened 5 years ago Closed 5 years ago

Inappropriate authentication order when webserver offers Basic Authentication and Integrated Windows Authentication

Categories

(Core :: Networking, defect)

72 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 650091

People

(Reporter: alexander.veit, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

Try to connect to a webserver that offers Basic Authentication and Integrated Windows Authentication.

Actual results:

Firefox presents the user with a login box.

When the user clicks the cancel button to times the login succeeds with Integrated Windows Authentication.

Expected results:

Firefox should not present the user with a login box.

Since Firefox is configured for Integrated Windows Authentication (via the network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris settings), it is able to successfully authenticate the user without user interaction.

By default it should use the most secure authentication scheme (in this case Integrated Windows Authentication), and only use the less secure method (Basic Authentication) as a fallback.

With Chrome (desktop and mobile) and Internet Explorer authentication works as expected.

The server setup is becoming more common since many mobile browsers that do not support Integrated Windows Authentication require the fallback to Basic Authentication.
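The selection order requested in the report above, sketched as an added JavaScript example (not Firefox code and not part of the original report). The strength ranking, the one-challenge-per-header-line input, the simplified suffix match standing in for the trusted-uris setting, and all function names are assumptions made for illustration.

```javascript
// Added illustration: choose among several WWW-Authenticate challenges.
// Ranking is an assumption: integrated schemes outrank password schemes.
const STRENGTH = new Map([["negotiate", 4], ["ntlm", 3], ["digest", 2], ["basic", 1]]);
const INTEGRATED = new Set(["negotiate", "ntlm"]); // need no credential prompt

// Constructed sample: the challenges a server offering both methods might send.
const SAMPLE_HEADERS = ['Basic realm="intranet"', "Negotiate", "NTLM"];

// Assumes each array element is one header line carrying a single challenge.
function parseChallenges(headerLines) {
  return headerLines.map((line) => {
    const [scheme, ...rest] = line.trim().split(/\s+/);
    return { scheme: scheme.toLowerCase(), params: rest.join(" ") };
  });
}

// Simplified allow-list check (stand-in for a trusted-uris style setting):
// the host must equal a listed domain or be a dot-separated subdomain of it.
function hostTrusted(host, trustedList) {
  const h = host.toLowerCase();
  return trustedList
    .split(",")
    .map((entry) => entry.trim().toLowerCase().replace(/^\./, ""))
    .filter(Boolean)
    .some((domain) => h === domain || h.endsWith("." + domain));
}

// Returns the schemes to attempt, strongest first. Integrated schemes are
// dropped for hosts outside the allow-list, so credentials are never sent
// silently to an unlisted server; Basic remains as the prompting fallback.
function authPlan(headerLines, host, trustedList) {
  const allowIntegrated = hostTrusted(host, trustedList);
  return parseChallenges(headerLines)
    .filter((c) => STRENGTH.has(c.scheme))
    .filter((c) => allowIntegrated || !INTEGRATED.has(c.scheme))
    .sort((a, b) => STRENGTH.get(b.scheme) - STRENGTH.get(a.scheme))
    .map((c) => ({ scheme: c.scheme, promptsUser: !INTEGRATED.has(c.scheme) }));
}
```

With this ordering, a login box appears only when every integrated scheme has been excluded or has failed.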

Component: Untriaged → Networking
Product: Firefox → Core

Erratum: Instead of "button to times" it should read "button two times".

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE