Enable SPNEGO proxy authentication.
I'm assuming that the SPN for proxy auth is: "HTTP@proxyhost". Patch coming up...
NOTE: I have not confirmed that this patch actually works since I do not have a suitable testcase (yet). If anyone can help test, I'd be most grateful.
Severity: normal → enhancement
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta
http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind
This, with Samba4 and probably some assistance from me, should allow you a testcase.
> http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind
Thanks Andrew, but does mod_ntlm_winbind actually do SPNEGO? The fact that "ntlm" is in its name makes me suspect! :)
Yes, mod_ntlm_winbind does do SPNEGO - I could not come up with a better name. It passes the entire request down to Samba's ntlm_auth helper, and that's what does the heavy lifting.
Comment on attachment 163722: v1 patch
Seems fine. How much extra network traffic is this going to cause if the user is not logged in using his domain creds? Negotiate will try Kerberos or NTLM, then cached NTLM creds if they've tried previously. Do we care about the extra trips? How often will the proxy server re-challenge the browser?
Attachment #163722 - Flags: review?(cneberg) → review+
> How much extra network traffic is this going to cause if the user
> is not logged in using his domain creds?
That is a good question. If domain creds are not configured, then the client-side GSSAPI impl will presumably error out quickly. If domain creds are configured, then hopefully it is intended that those be used. After all, it is likely that the local IT admins set up both the Krb5 system as well as the proxy server. Moreover, the proxy admin can configure the proxy challenge to not send Negotiate as a challenge if this is a problem.
> how often will the proxy server re-challenge the browser?
If keep-alive connections are used, then the frequency of challenges is server controlled. The browser continues to use a keep-alive connection until the server closes it. Initially, we open up to 4 keep-alive proxy connections. Also, if this is viewed as a problem, then we could use a similar "session-state" trick that we used in nsHttpNTLMAuth.cpp to remember "for this session" that Negotiate auth won't work for a given URL (auth domain) or proxy host.
Darin, please look at Bug 267263, which is related and may require changes to this patch.
Attachment #163722 - Flags: superreview?(bryner) → superreview+
There's a small bug in this patch. The name of the pref in all.js does not match the name of the pref in nsHttpNegotiateAuth.cpp. Otherwise, I am told that this patch works great w/ MS ISA proxy + MS AD using GSSAPI under Linux. I have not had a chance to test w/ Samba, but I suspect it'll just work. I'll commit this patch with the pref tweak once the tree opens for Moz 1.8 alpha6.
fixed-on-trunk
Final patch uses network.negotiate-auth.allow-proxies as the preference.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED