User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
With every new connection all of the auth types are tried in order if all of the types don't support re-using the cached challenge. They ignore what worked previously. This is why on a Mac users retrieve repeated Kerberos prompts to get credentials. If they click cancel on the prompt they will get another prompt later, when a new connection is made.
I can think of two possible solutions.
1. Turn prompting off for Negotiate on Mac OS X. (I have a patch to do this, but it doesn't solve the general problem). But if the problem is server side, it will still re-try and fail with every new connection.
2. Find some way of caching the last successful authentication type for a particular server and try that first. This is already done for authentication types where the challenge can be reused, but not types like NTLM or Negotiate that don't re-use a challenge.
Reproducible: Didn't try
Steps to Reproduce:
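Solution 2 from the report above, sketched as an added example; this is not Mozilla's code and not part of the original report. The class name AuthSchemeCache, its methods and the origin string are hypothetical. It keys the remembered scheme by origin so a preference learned for one server is never applied to another, and it only reorders schemes the server offered in the current challenge.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical helper (not Mozilla code): remembers, per origin, which HTTP
// auth scheme last succeeded so that it can be tried first next time.
class AuthSchemeCache {
public:
    // Returns the schemes offered in this challenge with the remembered one
    // moved to the front. A remembered scheme that the server no longer
    // offers is never added, and the other schemes keep the server's order.
    std::vector<std::string> Order(const std::string& origin,
                                   std::vector<std::string> offered) const {
        auto it = lastGood_.find(origin);
        if (it == lastGood_.end()) return offered;
        auto pos = std::find_if(offered.begin(), offered.end(),
            [&](const std::string& s) { return Lower(s) == it->second; });
        if (pos != offered.end()) std::rotate(offered.begin(), pos, pos + 1);
        return offered;
    }
    void RecordSuccess(const std::string& origin, const std::string& scheme) {
        lastGood_[origin] = Lower(scheme);
    }
    // Drop the preference when the remembered scheme fails, so the next
    // connection falls back to the order the server sent.
    void RecordFailure(const std::string& origin, const std::string& scheme) {
        auto it = lastGood_.find(origin);
        if (it != lastGood_.end() && it->second == Lower(scheme))
            lastGood_.erase(it);
    }
private:
    // Auth scheme names are case-insensitive, so compare them lowercased.
    static std::string Lower(std::string s) {
        std::transform(s.begin(), s.end(), s.begin(),
            [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return s;
    }
    std::map<std::string, std::string> lastGood_;  // origin -> scheme
};

int main() {
    AuthSchemeCache cache;
    const std::string origin = "https://owa.example.test:443";  // constructed
    cache.RecordSuccess(origin, "NTLM");
    for (const auto& s : cache.Order(origin, {"Negotiate", "NTLM", "Basic"}))
        std::cout << s << ' ';
    std::cout << '\n';
}
```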
Adding myself to the CC list, and hoping that someone can help review this patch soon. The kerberos prompting occurs repeatedly during an Outlook Web Access session, and can get a little frustrating if one uses Mozilla or Firebird on Mac to read mail.
I agree we should at least start discussing this problem. I'm not sure if this is the correct solution though. From your comments in the other bug (Bug 238316), it seems in your situation you don't have kerberos credentials at all. So for the time being you should disable SPNEGO support since it is really of no value to you and at this point is mainly an annoyance. (http://bugzilla.mozilla.org/show_bug.cgi?id=238316#c18) I don't know how common your problem is; most people who have an IIS box which is new enough to support Integrated Windows authentication are also using Active Directory, which supports kerberos.
Thank you, the suggested change to suppress the kerberos authentication worked well in both Moz and Firefox. Both can now log in securely to Exchange 2000 without seeing the extraneous authentication dialog. Not a fix, but a workaround. Thanks.
Comment on attachment 146225
Mac OS X patch to disable prompting
r+sr=darin
I'm happy to get this into the tree if it will stave off problems like this. If there is something better that we should be doing instead, we can always back this out and do that instead.
Perhaps we should try to get this in for FFox 1.0 and Moz 1.7.1?
I guess this means that this bug has morphed a bit. It was about fixing the more generic problem. However, I'd rather we open a new bug if there is indeed more work to be done. Since we want to get this patch into 1.7.1 and ffox 1.0, I think it simplifies project management to have separate bugs.
REOPENING this bug. the patch broke the tinderbox OSX builds.
Here's the build error from "Darwin 6.8 monkey":
c++ -o nsNegotiateAuthGSSAPI.o -c -DOSTYPE=\"Darwin6.8\" -DOSARCH=\"Darwin\" -DHAVE_DEPENDENT_LIBS -DUSE_GSSAPI -I../../dist/include/xpcom -I../../dist/include/string -I../../dist/include/necko -I../../dist/include/pref -I../../dist/include/negotiateauth -I../../dist/include -I/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/obj/dist/include/nspr -I. -fPIC -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wno-long-long -fpascal-strings -no-cpp-precomp -fno-common -fshort-wchar -I/Developer/Headers/FlatCarbon -pipe -DNDEBUG -DTRIMMED -O -DMOZILLA_CLIENT -include ../../mozilla-config.h -Wp,-MD,.deps/nsNegotiateAuthGSSAPI.pp /builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp: In member function `virtual nsresult nsNegotiateAuth::GetNextToken(const void*, unsigned int, void**, PRUint32*)':
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: ` KLBoolean' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: (Each undeclared identifier is reported only once for each function it appears in.)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: parse error before `;' token
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` kerberosVersion_V5' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` found' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` KLCacheHasValidTickets' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` klNoErr' undeclared (first use this function)
I guess that we are missing some header file???
Created attachment 151884
added missing header
Patch was just missing a header. Checked in to trunk.
marking FIXED again.
Comment on attachment 151884
added missing header
would be good to get this on the 1.7 branch. only affects Mac OSX users.
Comment on attachment 151884
added missing header
a=mkaply
Darin, can you land this on the aviary branch as well?
fixed-aviary1.0
actually, i ported the entire trunk spnego+ntlm code onto the aviary 1.0 branch, see bug 246861.
er, i meant see bug 237586.