Suppress bogus Kerberos prompt on Mac OSX [was: Autthentication Failover not fully supported between connection based Authentication Types]

RESOLVED FIXED in mozilla1.8alpha2

Status: RESOLVED FIXED
Product: Core
Component: Networking: HTTP
Opened 14 years ago, last updated 13 years ago

People: Reporter: Christopher Nebergall, Assigned: Darin Fisher

Tracking
Version: Trunk
Target Milestone: mozilla1.8alpha2
Keywords: fixed-aviary1.0, fixed1.7.5

Attachments: 1 attachment, 2 obsolete attachments

(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

With every new connection all of the auth types are tried in order if all of the
types don't support re-using the cached challenge. They ignore what worked
previously. This is why on a Mac users receive repeated Kerberos prompts to
get credentials. If they click cancel on the prompt they will get another
prompt later, when a new connection is made.

I can think of two possible solutions.

1.  Turn prompting off for Negotiate on Mac OS X.  (I have a patch to do this,
but it doesn't solve the general problem). But if the problem is server side, it
will still re-try and fail with every new connection.

2.  Find some way of caching the last successful authentication type for a
particular server and try that first.   This is already done for authentication
types where the challenge can be reused, but not types like NTLM or Negotiate
that don't re-use a challenge.

Reproducible: Didn't try
Steps to Reproduce:
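
Added example, not code from the bug or from Mozilla: a small C++ simulation of the behaviour described above and of proposed solution 2, where the last scheme that authenticated is remembered per server and tried first. The names AuthPreferenceCache, orderSchemes and countFailedAttempts and the origin URL are hypothetical, and each failed attempt stands in for one unwanted Kerberos prompt.

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <string>
#include <vector>
using Schemes = std::vector<std::string>;

// Hypothetical per-origin record of the scheme that last authenticated.
struct AuthPreferenceCache { std::map<std::string, std::string> lastGood; };

// Order in which to try the offered schemes. The remembered scheme moves to
// the front only if the server still offers it; the rest keep server order.
Schemes orderSchemes(const std::string& origin, const Schemes& offered,
                     const AuthPreferenceCache* cache) {
    Schemes order = offered;
    if (!cache) return order;
    auto hit = cache->lastGood.find(origin);
    if (hit == cache->lastGood.end()) return order;
    auto pos = std::find(order.begin(), order.end(), hit->second);
    if (pos != order.end()) std::rotate(order.begin(), pos, pos + 1);
    return order;
}

// Simulate fresh connections to one origin; `usable` holds the schemes this
// client can complete. Returns failed attempts (one unwanted prompt each).
int countFailedAttempts(int connections, const Schemes& offered,
                        const std::set<std::string>& usable,
                        AuthPreferenceCache* cache) {
    const std::string origin = "https://owa.example.test";  // constructed
    int failed = 0;
    for (int i = 0; i < connections; ++i) {
        for (const auto& scheme : orderSchemes(origin, offered, cache)) {
            if (usable.count(scheme)) {
                if (cache) cache->lastGood[origin] = scheme;  // remember it
                break;
            }
            ++failed;
        }
    }
    return failed;
}

int main() {
    // Constructed sample: no Kerberos tickets, so only NTLM can succeed.
    const Schemes offered = {"Negotiate", "NTLM", "Basic"};
    AuthPreferenceCache cache;
    return (countFailedAttempts(3, offered, {"NTLM"}, nullptr) == 3 &&
            countFailedAttempts(3, offered, {"NTLM"}, &cache) == 1) ? 0 : 1;
}
```

Promoting the remembered scheme overrides the server's listed order, so an implementation would want to limit it to the connection-based schemes the description singles out (NTLM and Negotiate) rather than let a weaker scheme jump ahead of a stronger one.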
(Reporter)

Comment 1

14 years ago
Created attachment 146225 [details] [diff] [review]
Mac OS X patch to disable prompting

Comment 2

14 years ago
Adding myself to the CC list, and hoping that someone can help review this patch
soon. The kerberos prompting occurs repeatedly during an Outlook Web Access
session, and can get a little frustrating if one uses Mozilla or Firebird on Mac
to read mail.
(Reporter)

Comment 3

14 years ago
I agree we should at least start discussing this problem. I'm not sure if this is
the correct solution though.

From your comments in the other bug (Bug 238316), it seems in your situation you
don't have kerberos credentials at all. So for the time being you should disable
SPNEGO support since it is really of no value to you and at this point is mainly
an annoyance. (http://bugzilla.mozilla.org/show_bug.cgi?id=238316#c18)

I don't know how common your problem is; most people who have an IIS box which
is new enough to support Integrated Windows authentication are also using
Active Directory, which supports kerberos.

Comment 4

14 years ago
Thank you, the suggested change to suppress the kerberos authentication worked
well in both Moz and Firefox. Both can now log in securely to Exchange 2000
without seeing the extraneous authentication dialog. Not a fix, but a workaround. 
Thanks.
(Assignee)

Comment 5

14 years ago
Comment on attachment 146225 [details] [diff] [review]
Mac OS X patch to disable prompting

r+sr=darin

I'm happy to get this into the tree if it will stave off problems like this. 
If there is something better that we should be doing instead, we can always
back this out and do that instead.
Attachment #146225 - Flags: superreview+
Attachment #146225 - Flags: review+
(Assignee)

Comment 6

14 years ago
Perhaps we should try to get this in for FFox 1.0 and Moz 1.7.1?
Flags: blocking1.7.1?
Flags: blocking-aviary1.0?
Target Milestone: --- → mozilla1.8alpha2
(Assignee)

Comment 7

14 years ago
Created attachment 151876 [details] [diff] [review]
version of patch checked in on the trunk
(Assignee)

Updated

14 years ago
Attachment #146225 - Flags: approval1.7.1?
(Assignee)

Comment 8

14 years ago
fixed-on-trunk
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
(Assignee)

Comment 9

14 years ago
I guess this means that this bug has morphed a bit.  It was about fixing the
more generic problem.  However, I'd rather we open a new bug if there is indeed
more work to be done.  Since we want to get this patch into 1.7.1 and ffox 1.0,
I think it simplifies project management to have separate bugs.
Summary: Autthentication Failover not fully supported between connection based Authentication Types → Suppress bogus Kerberos prompt on Mac OSX [was: Autthentication Failover not fully supported between connection based Authentication Types]
(Assignee)

Comment 10

14 years ago
REOPENING this bug.  the patch broke the tinderbox OSX builds.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Updated

14 years ago
Attachment #146225 - Flags: approval1.7.1?
(Assignee)

Comment 11

14 years ago
Here's the build error from "Darwin 6.8 monkey":

c++ -o nsNegotiateAuthGSSAPI.o -c -DOSTYPE=\"Darwin6.8\" -DOSARCH=\"Darwin\"
-DHAVE_DEPENDENT_LIBS -DUSE_GSSAPI  -I../../dist/include/xpcom
-I../../dist/include/string -I../../dist/include/necko -I../../dist/include/pref
-I../../dist/include/negotiateauth -I../../dist/include
-I/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/obj/dist/include/nspr  
  -I.    -fPIC   -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith
-Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy
-Wno-non-virtual-dtor -Wno-long-long -fpascal-strings -no-cpp-precomp
-fno-common -fshort-wchar -I/Developer/Headers/FlatCarbon -pipe  -DNDEBUG
-DTRIMMED -O   -DMOZILLA_CLIENT -include ../../mozilla-config.h
-Wp,-MD,.deps/nsNegotiateAuthGSSAPI.pp
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp: In member function `virtual nsresult nsNegotiateAuth::GetNextToken(const void*, unsigned int, void**, PRUint32*)':
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: `KLBoolean' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: (Each undeclared identifier is reported only once for each function it appears in.)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: parse error before `;' token
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: `kerberosVersion_V5' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: `found' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: `KLCacheHasValidTickets' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: `klNoErr' undeclared (first use this function)

I guess that we are missing some header file???

Comment 12

14 years ago
Created attachment 151884 [details] [diff] [review]
added missing header

Patch was just missing a header.  Checked in to trunk.
Attachment #146225 - Attachment is obsolete: true
Attachment #151876 - Attachment is obsolete: true
(Assignee)

Comment 13

14 years ago
Thanks Javier!!
(Assignee)

Comment 14

14 years ago
marking FIXED again.
Status: REOPENED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
(Assignee)

Comment 15

14 years ago
Comment on attachment 151884 [details] [diff] [review]
added missing header

would be good to get this on the 1.7 branch.  only affects Mac OSX users.
Attachment #151884 - Flags: approval1.7.1?

Comment 16

14 years ago
Comment on attachment 151884 [details] [diff] [review]
added missing header

a=mkaply
Attachment #151884 - Flags: approval1.7.1? → approval1.7.1+
(Assignee)

Comment 17

14 years ago
fixed1.7.1
Flags: blocking1.7.1?
Keywords: fixed1.7.1
(Assignee)

Updated

14 years ago
Whiteboard: needed-aviary1.0?

Comment 18

14 years ago
Darin, can you land this on the aviary branch as well?
Whiteboard: needed-aviary1.0? → needed-aviary1.0
(Assignee)

Comment 19

14 years ago
fixed-aviary1.0

actually, i ported the entire trunk spnego+ntlm code onto the aviary 1.0 branch,
see bug 246861.
Whiteboard: needed-aviary1.0 → fixed-aviary1.0
(Assignee)

Comment 20

14 years ago
er, i meant see bug 237586.

Updated

13 years ago
Flags: blocking-aviary1.0?
Keywords: fixed-aviary1.0
Whiteboard: fixed-aviary1.0