Closed Bug 266485 Opened 20 years ago Closed 20 years ago

Enable SPNEGO proxy authentication

Categories: Core :: Networking, enhancement
Priority: Not set; Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla1.8beta1
Reporter: darin.moz, Assigned: darin.moz
Attachments: 1 file

Enable SPNEGO proxy authentication.

I'm assuming that the SPN for proxy auth is: "HTTP@proxyhost"

Patch coming up...
Attached patch: v1 patch
NOTE: I have not confirmed that this patch actually works since I do not have a
suitable testcase (yet).  If anyone can help test, I'd be most grateful.
Severity: normal → enhancement
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta
Attachment #163722 - Flags: review?(cneberg)
http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind

This, with Samba4 and probably some assistance from me should allow you a testcase.
> http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind

Thanks Andrew, but does mod_ntlm_winbind actually do SPNEGO?  The fact that
"ntlm" is in its name makes me suspect! :)
Yes, mod_ntlm_winbind does do SPNEGO - I could not come up with a better name. 
It passes the entire request down to Samba's ntlm_auth helper, and that's what
does the heavy lifting. 

Comment on attachment 163722 [details] [diff] [review]
v1 patch

Seems fine.  How much extra network traffic is this going to cause if the user
is not logged in using his domain creds?  Negotiate will try Kerberos or
NTLM, then cached NTLM creds if they've tried previously.  Do we care about the
extra trips, how often will the proxy server re-challenge the browser?
Attachment #163722 - Flags: review?(cneberg) → review+
> How much extra network traffic is this going to cause if the user
> is not logged in using his domain creds?

That is a good question.  If domain creds are not configured, then the
client-side GSSAPI impl will presumably error out quickly.  If domain creds are
configured, then hopefully it is intended that those be used.  After all, it is
likely that the local IT admins set up both the Krb5 system as well as the proxy
server.  Moreover, the proxy admin can configure the proxy challenge to not send
Negotiate as a challenge if this is a problem.


> how often will the proxy server re-challenge the browser?

If keep-alive connections are used, then the frequency of challenges is server
controlled.  The browser continues to use a keep-alive connection until the
server closes it.  Initially, we open up to 4 keep-alive proxy connections.


Also, if this is viewed as a problem, then we could use a similar "session-state"
trick that we used in nsHttpNTLMAuth.cpp to remember "for this session" that
Negotiate auth won't work for a given URL (auth domain) or proxy host.
Attachment #163722 - Flags: superreview?(bryner)
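The client-side decision discussed above (the "HTTP@proxyhost" SPN, a pref gating Negotiate for proxies, and the per-session "Negotiate won't work here" memory), as an added example in Python. This is a hypothetical model written for this page, not Mozilla's nsHttpNegotiateAuth.cpp, and the class and method names are assumed.

```python
from dataclasses import dataclass, field


@dataclass
class ProxyNegotiateClient:
    """Hypothetical model of a client answering Proxy-Authenticate challenges."""
    allow_proxies: bool = True                      # stands in for network.negotiate-auth.allow-proxies
    failed_hosts: set = field(default_factory=set)  # per-session negative cache (the "session-state trick")

    @staticmethod
    def spn_for(host: str) -> str:
        # SPN form the bug assumes for proxy auth: "HTTP@proxyhost"
        return f"HTTP@{host}"

    @staticmethod
    def parse_challenges(header_values):
        """Lower-cased scheme names from one or more Proxy-Authenticate header values.
        Handles the plain comma-separated form only (no commas inside quoted params)."""
        schemes = []
        for value in header_values:
            for challenge in value.split(","):
                token = challenge.strip().split(None, 1)
                if token:
                    schemes.append(token[0].lower())
        return schemes

    def choose(self, host: str, header_values, is_proxy: bool = True):
        """Return (scheme, spn): Negotiate only if the pref allows it for this kind of
        peer and the host has not already failed this session; otherwise fall back."""
        schemes = self.parse_challenges(header_values)
        negotiate_allowed = (not is_proxy) or self.allow_proxies
        if "negotiate" in schemes and negotiate_allowed and host not in self.failed_hosts:
            return "negotiate", self.spn_for(host)
        for fallback in ("ntlm", "basic"):
            if fallback in schemes:
                return fallback, None
        return None, None

    def gssapi_failed(self, host: str):
        """Remember for this session that Negotiate does not work against this host,
        so later challenges from it do not cost extra GSSAPI round trips."""
        self.failed_hosts.add(host)
```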
Darin please look at Bug 267263 which is related and may require changes to this
patch.
Attachment #163722 - Flags: superreview?(bryner) → superreview+
There's a small bug in this patch.  The name of the pref in all.js does not
match the name of the pref in nsHttpNegotiateAuth.cpp.

Otherwise, I am told that this patch works great w/ MS ISA proxy + MS AD using
GSSAPI under Linux.  I have not had a chance to test w/ Samba, but I suspect
it'll just work.

I'll commit this patch with the pref tweak once the tree opens for Moz 1.8 alpha6.
fixed-on-trunk

final patch uses network.negotiate-auth.allow-proxies as the preference.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED