Closed
Bug 267080
Opened 20 years ago
Closed 3 years ago
NTLM authentication should be attempted for sites without FQDN and/or option to use/remember credentials should be presented when prompted for password
Categories
(Core :: Networking, defect, P5)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: adam, Unassigned)
References
Details
(Keywords: helpwanted, Whiteboard: [ntlm][necko-would-take])
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1

Abstract: While the addition of transparent NTLM authentication is a huge plus, the actual execution is so kludgy, it's nearly as bad as nothing at all. Like it or not, many enterprises use NTLM auth on their intranets, and it's unrealistic to expect users to keep a running list in their preferences as to what sites Firefox should treat as intranet sites.

Possible solutions:

Option #1: While Firefox has no concept of an intranet, perhaps it should assume some things. No FQDN should be assumed to be an intranet site (obviously not enabled by default, perhaps as an advanced preference), so if an authentication challenge is received at http://payroll, it will attempt to use my NTLM credentials to log into it. If this fails, then it pops up with a password dialog. I doubt that IE has any magic that makes it assume it's hitting an intranet site, and if it does, it's likely exposed through a documented API (but I'm not sure what it is).

Option #2: Another option would be if presented with an authentication challenge, the credentials popup window could have a button giving the user the option to attempt to use their cached credentials to connect to the site with a success adding the site permanently to the corresponding preference for this.

Reproducible: Always

Steps to Reproduce:
1. Go to an intranet site requiring NTLM authentication
2. Get prompted for password. Curse. Add site into network.automatic-ntlm-auth.trusted-uris
3. Site works.

Actual Results: It works, but it's awfully kludgy.

Expected Results: See summary for proposed solutions.
Updated•20 years ago
Assignee: bugs → darin
Component: OS Integration → Networking
Product: Firefox → Browser
QA Contact: firefox.os-integration → benc
Version: unspecified → Trunk
Comment 1•20 years ago
confirming. yeah, we could definitely do better. the whitelist pref is a hack stopgap measure. it's better than nothing, but we definitely need a better system to manage this sort of thing. note: you can also whitelist domains. of course, that doesn't help if you aren't loading links with FQDNs.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•20 years ago
Keywords: helpwanted
Target Milestone: --- → Future
I would add a setting for "all intranet sites" so that firefox can be used effectively for corporate businesses - which I guess is the same as non FQDN or if you guys have spare time a regex would be nice =)
Comment 3•20 years ago
By the way, we can only really do true automatic NTLM on windows (leveraging SSPI). On other platforms, the best we can do is prompt once and then automatically re-use the entered credentials in future sessions. On windows you can enable a preference that enables automatic NTLM for various domains, etc. See: http://www.koldark.net/archives/2004/08/26/ntlm_in_firefoxmozilla.php
Comment 4•20 years ago
*** Bug 269966 has been marked as a duplicate of this bug. ***
The workaround above does not work for internal sites that are resolved through WINS and not through a FQDN - so it is only applicable for part of the problem. (it should work for http://intranet.corp.net but not http://intranet) and unfortunately, my company uses the latter - although the intranet machine is a part of the network and domain, it does not have a FQDN that matches the domain.
Before adopting this, we should stop to consider if people would still send out their NTLM auth attempts to systems they do not intend to. IE uses the local zone, which has some LAN based definitions. I do not think that hostname references are as strict, because people with multiple search domain entries would have similar looking URLs, but much looser security constraints. For example, people with search domains like: "pacbell.net" or "earthlink.com" could be pointing to a lot of systems that they know nothing about.
Updated•18 years ago
Assignee: darin → nobody
QA Contact: benc → networking
Target Milestone: Future → ---
I thought that setting "network.automatic-ntlm-auth.allow-non-fqdn" to true does exactly what the ask is. Allows NTLM auth for non FQDN sites.
Updated•9 years ago
Whiteboard: [ntlm][necko-would-take]
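The search-domain concern raised above, combined with the `network.automatic-ntlm-auth.allow-non-fqdn` pref, as an added example (not part of the bug thread and not Firefox code): a small audit that reports which expansions of a single-label host fall outside the organisation's own suffixes when that pref is on. The function names, the sample prefs fragment and the `corp.example` suffix are constructed for illustration.

```python
import re

ALLOW_NON_FQDN = "network.automatic-ntlm-auth.allow-non-fqdn"
# user_pref("name", true|false|"string"); as written in prefs.js / user.js
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|"[^"]*")\s*\);', re.M)

def parse_prefs(text):
    """Return {pref name: bool or str} for the user_pref() lines in text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        prefs[name] = raw.strip('"') if raw.startswith('"') else raw == "true"
    return prefs

def is_internal(name, internal_suffixes):
    """True if name equals or sits under one of the organisation's suffixes."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in internal_suffixes)

def expansions(host, search_domains):
    """Names a resolver may try for host; only single-label names are expanded."""
    host = host.lower().rstrip(".")
    if "." in host:
        return [host]
    return [f"{host}.{d.lower().rstrip('.')}" for d in search_domains]

def audit(prefs_text, host, search_domains, internal_suffixes):
    """Return expansions of host outside internal_suffixes, if the pref is on.

    An absent pref line is treated as off (assumption of this example).
    """
    if parse_prefs(prefs_text).get(ALLOW_NON_FQDN) is not True:
        return []
    return [n for n in expansions(host, search_domains)
            if not is_internal(n, internal_suffixes)]

# Constructed sample input: a prefs fragment and a resolver search list.
SAMPLE_PREFS = '''
user_pref("network.automatic-ntlm-auth.trusted-uris", "intranet.corp.example");
user_pref("network.automatic-ntlm-auth.allow-non-fqdn", true);
'''
SEARCH = ["corp.example", "pacbell.net"]   # second entry echoes the comment above
INTERNAL = ["corp.example"]

if __name__ == "__main__":
    for name in audit(SAMPLE_PREFS, "payroll", SEARCH, INTERNAL):
        print("single-label host may resolve outside the intranet:", name)
```
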
Comment 8•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Comment 9•3 years ago
Marking this as Resolved > Incomplete since the last activity on this issue was 8 years ago and it might not be relevant anymore.
Feel free to re-open if the issue is still reproducible on your end in the latest FF versions.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE