Bug 266485: Enable SPNEGO proxy authentication
Status: Closed (opened 20 years ago, closed 20 years ago)
Categories: Core :: Networking, enhancement
Tracking: RESOLVED FIXED, mozilla1.8beta1
People: Reporter: darin.moz, Assigned: darin.moz
Attachments (1 file): 7.54 KB, patch (cneberg: review+, bryner: superreview+)
Enable SPNEGO proxy authentication. I'm assuming that the SPN for proxy auth is: "HTTP@proxyhost" Patch coming up...
Comment 1 • 20 years ago (Assignee)
Comment 2 • 20 years ago (Assignee)
NOTE: I have not confirmed that this patch actually works since I do not have a suitable testcase (yet). If anyone can help test, I'd be most grateful.
Severity: normal → enhancement
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta
Updated • 20 years ago (Assignee)
Attachment #163722 - Flags: review?(cneberg)
Comment 3 • 20 years ago
http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind
This, with Samba4 and probably some assistance from me, should allow you a testcase.
Comment 4 • 20 years ago (Assignee)
> http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind
Thanks Andrew, but does mod_ntlm_winbind actually do SPNEGO? The fact that
"ntlm" is in its name makes me suspect! :)
Comment 5 • 20 years ago
Yes, mod_ntlm_winbind does do SPNEGO - I could not come up with a better name. It passes the entire request down to Samba's ntlm_auth helper, and that's what does the heavy lifting.
Comment 6 • 20 years ago
Comment on attachment 163722: v1 patch
Seems fine. How much extra network traffic is this going to cause if the user is not logged in using his domain creds? Negotiate will try Kerberos or NTLM, then cached NTLM creds if they've tried previously. Do we care about the extra trips? How often will the proxy server re-challenge the browser?
Attachment #163722 - Flags: review?(cneberg) → review+
Comment 7 • 20 years ago (Assignee)
> How much extra network traffic is this going to cause if the user
> is not logged in using his domain creds?
That is a good question. If domain creds are not configured, then the client-side GSSAPI impl will presumably error out quickly. If domain creds are configured, then hopefully it is intended that those be used. After all, it is likely that the local IT admins set up both the Krb5 system as well as the proxy server. Moreover, the proxy admin can configure the proxy challenge to not send Negotiate as a challenge if this is a problem.
> how often will the proxy server re-challenge the browser?
If keep-alive connections are used, then the frequency of challenges is server controlled. The browser continues to use a keep-alive connection until the server closes it. Initially, we open up to 4 keep-alive proxy connections. Also, if this is viewed as a problem, then we could use a similar "session-state" trick that we used in nsHttpNTLMAuth.cpp to remember "for this session" that Negotiate auth won't work for a given URL (auth domain) or proxy host.
Updated • 20 years ago (Assignee)
Attachment #163722 - Flags: superreview?(bryner)
Comment 8 • 20 years ago
Darin, please look at Bug 267263, which is related and may require changes to this patch.
Updated • 20 years ago
Attachment #163722 - Flags: superreview?(bryner) → superreview+
Comment 9 • 20 years ago (Assignee)
There's a small bug in this patch. The name of the pref in all.js does not match the name of the pref in nsHttpNegotiateAuth.cpp. Otherwise, I am told that this patch works great w/ MS ISA proxy + MS AD using GSSAPI under Linux. I have not had a chance to test w/ Samba, but I suspect it'll just work. I'll commit this patch with the pref tweak once the tree opens for Moz 1.8 alpha6.
Comment 10 • 20 years ago (Assignee)
fixed-on-trunk
final patch uses network.negotiate-auth.allow-proxies as the preference.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
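
The client-side decision discussed in this bug, as an added illustration that is not taken from the attached patch or from Mozilla's code: answer a proxy's 407 with Negotiate only when the preference allows it and Negotiate has not already failed for that proxy host this session (the "session-state" idea from comment 7). The struct and function names are hypothetical, the pref default shown is illustrative, and the fallback rule is a simplification.

```cpp
// Added illustration; not code from the Mozilla patch. All names are hypothetical.
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>

struct ProxyAuthSession {
    bool allowProxies = true;  // models pref network.negotiate-auth.allow-proxies (default illustrative)
    std::set<std::string> negotiateFailed;  // proxy hosts where Negotiate failed this session
};

static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Scheme token of one Proxy-Authenticate header value, lower-cased.
static std::string SchemeOf(const std::string& challenge) {
    return Lower(challenge.substr(0, challenge.find(' ')));
}

// SPN form assumed in the bug description: "HTTP@proxyhost".
std::string ProxySpn(const std::string& proxyHost) {
    return "HTTP@" + proxyHost;
}

// Choose the scheme to answer a 407 with. Negotiate is used only if the proxy
// offered it, the pref allows it, and it has not already failed for this host.
std::string PickProxyScheme(const ProxyAuthSession& s, const std::string& proxyHost,
                            const std::vector<std::string>& challenges) {
    bool negotiateOk = s.allowProxies && !s.negotiateFailed.count(Lower(proxyHost));
    std::string fallback;
    for (const auto& c : challenges) {
        std::string scheme = SchemeOf(c);
        if (scheme == "negotiate") {
            if (negotiateOk) return scheme;
        } else if (fallback.empty()) {
            fallback = scheme;  // simplification: first other scheme offered
        }
    }
    return fallback;  // empty string: nothing usable was offered
}

// Record a failed GSSAPI attempt so later 407s from this host skip Negotiate.
void NoteNegotiateFailure(ProxyAuthSession& s, const std::string& proxyHost) {
    s.negotiateFailed.insert(Lower(proxyHost));
}
```

Setting `allowProxies` to false models an administrator turning the preference off, in which case the client never starts a GSSAPI exchange with a proxy even if the proxy offers Negotiate.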