Enable SPNEGO proxy authentication

RESOLVED FIXED in mozilla1.8beta1



15 years ago
15 years ago


(Reporter: darin.moz, Assigned: darin.moz)



Firefox Tracking Flags

(Not tracked)



(1 attachment)



15 years ago
Enable SPNEGO proxy authentication.

I'm assuming that the SPN for proxy auth is: "HTTP@proxyhost"

Patch coming up...

Comment 1

15 years ago
Posted patch v1 patchSplinter Review

Comment 2

15 years ago
NOTE: I have not confirmed that this patch actually works since I do not have a
suitable testcase (yet).  If anyone can help test, I'd be most grateful.
Severity: normal → enhancement
Target Milestone: --- → mozilla1.8beta


15 years ago
Attachment #163722 - Flags: review?(cneberg)

Comment 3

15 years ago

This, with Samba4 and probably some assistance from me should allow you a testcase.

Comment 4

15 years ago
> http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind

Thanks Andrew, but does mod_ntlm_winbind actually do SPNEGO?  The fact that
"ntlm" is in its name makes me suspect! :)

Comment 5

15 years ago
Yes, mod_ntlm_winbind does do SPNEGO - I could not come up with a better name. 
It passes the entire request down to Samba's ntlm_auth helper, and that's what
does the heavy lifting. 

Comment on attachment 163722 [details] [diff] [review]
v1 patch

Seems fine.  How much extra network traffic is this going to cause if the user
is not logged in using his domain creds?  Negotiate will try Keberberos or
NTLM, then cached NTLM creds if they've tried previously.  Do we care about the
extra trips, how often will the proxy server re-challenge the browser?
Attachment #163722 - Flags: review?(cneberg) → review+

Comment 7

15 years ago
> How much extra network traffic is this going to cause if the user
> is not logged in using his domain creds?

That is a good question.  If domain creds are not configured, then the
client-side GSSAPI impl will presumably error out quickly.  If domain creds are
configured, then hopefully it is intended that those be used.  Afterall, it is
likely that the local IT admins setup both the Krb5 system as well as the proxy
server.  Moreover, the proxy admin can configure the proxy challenge to not send
Negotiate as a challenge if this is a problem.

> how often will the proxy server re-challenge the browser?

If keep-alive connections are used, then the frequency of challenges is server
controlled.  The browser continues to use a keep-alive connection until the
server closes it.  Initially, we open up to 4 keep-alive proxy connections.

Also, if this is viewed as problem, then we could use a similar "session-state"
trick that we used in nsHttpNTLMAuth.cpp to remember "for this session" that
Negotiate auth won't work for a given URL (auth domain) or proxy host.


15 years ago
Attachment #163722 - Flags: superreview?(bryner)
Darin please look at Bug 267263 which is related and may require changes to this
Attachment #163722 - Flags: superreview?(bryner) → superreview+

Comment 9

15 years ago
There's a small bug in this patch.  The name of the pref in all.js does not
match the name of the pref in nsHttpNegotiateAuth.cpp.

Otherwise, I am told that this patch works great w/ MS ISA proxy + MS AD using
GSSAPI under Linux.  I have not had a chance to test w/ Samba, but I suspect
it'll just work.

I'll commit this patch with the pref tweak once the tree opens for Moz 1.8 alpha6.

Comment 10

15 years ago

final patch uses network.negotiate-auth.allow-proxies as the preference.
Last Resolved: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.