SSPI authentication broken




13 years ago
13 years ago


(Reporter: Wim Borghs, Assigned: Darin Fisher)


Windows XP

Firefox Tracking Flags

(Not tracked)



(3 attachments, 1 obsolete attachment)



13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050222 Firefox/1.0.1
Build Identifier:

Firefox doesn't auto-authenticate to the proxy anymore, the user has to give his
username and password.

Reproducible: Always

Steps to Reproduce:
1. I start Firefox

Actual Results:  
I get a dialog-prompt 'Enter username and password for proxy "" at proxy:8080'

Expected Results:  
I should not get an authentication-prompt because Firefox uses SSPI authentication.

This problem does not occur with Firefox-builds from the 1.0 or 1.0.1 branches.
It does occur with the trunk-builds.

Comment 1

13 years ago
Wim: can you provide me with a mozilla HTTP log generated using the trunk build
and firefox 1.0?  instructions for generating the HTTP log can be found here:

Please upload the log files to this bug report using the "Create a New
Attachment" link.  Thanks!

Comment 2

13 years ago
Created attachment 175401 [details]
http-log using 20050222 trunk-build


13 years ago
Attachment #175401 - Attachment description: log using 20050222 trunk-build → http-log using 20050222 trunk-build

Comment 3

13 years ago
Created attachment 175402 [details]
http-log using 20050222 1.0.1-build

had to zip it because the log is bigger than 300 KB

Comment 4

13 years ago
When I cancel all the authentication-prompts, the webpages do load. So it seems
that firefox does do sspi-authentication and unnecessarily keeps asking for

Comment 5

13 years ago
This problem still occurs with trunk-build Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.8b2) Gecko/20050324 Firefox/1.0+


13 years ago
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta2

Comment 6

13 years ago

the log files only reveal that automatic NTLM was not used in the trunk build,
but it doesn't show why it wasn't used :-(  very little of this code has changed
between firefox 1.0 and the current trunk, so this bug is very surprising to me.

can you do me a huge favor and try to download older nightly builds to try to
figure when this problem started occuring?  try going back as far as november of
last year to see if that helps.

also can you verify that the "network.automatic-ntlm-auth.allow-proxies"
preference is set to true (using about:config) just to be sure.


Comment 7

13 years ago
network.automatic-ntlm-auth.allow-proxies is true.

build "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8a6) Gecko/20050112
Firefox/1.0+" works fine.
build "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b) Gecko/20050113
Firefox/1.0+" has the issue.

Comment 8

13 years ago
Nothing looks suspicious in the CVS checkin logs between those dates :-(

Comment 9

13 years ago
I checked in code to increase the amount of HTTP logging in nsHttpNTLMAuth.cpp
around the problem area.  I hope that this will help me track down the issue. 
Can you please download a new build tomorrow and generate a fresh HTTP log
demonstrating the problem?  Thanks!

Comment 10

13 years ago
also, when you generate the new log file, could you please include
"negotiateauth:5" in the set of logged modules.  thanks!

Comment 11

13 years ago
Created attachment 178654 [details]
http-log using 2005-03-25-08-trunk build

http-log generated with "set

and build "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b2)
Gecko/20050325 Firefox/1.0+" from "2005-03-25-08-trunk" directory

Comment 12

13 years ago
Wim, thanks but unfortunately the "2005-03-25-08-trunk" build is too old, and it
doesn't include my changes.  I made changes around 2:30 pm PST, and that build
was generated in the morning at 8 am PST.  If you could grab a trunk build from
today (3/26) or later and repeat the logging that'd be great.

Comment 13

13 years ago
Created attachment 178700 [details]
http-log using 2005-03-26-07-trunk build

http-log generated with "set

and build "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8b2)
Gecko/20050326 Firefox/1.0+" from "2005-03-26-07-trunk" directory
Attachment #178654 - Attachment is obsolete: true

Comment 14

13 years ago
wow, so this little snipet reveals what's going on:

0[2746d0]: nsHttpChannel::GetCredentialsForChallenge [this=20ebc78 proxyAuth=1
0[2746d0]: nsHttpAuthCache::GetAuthEntryForDomain [key=http://proxy:8080 realm=]
0[2746d0]: nsHttpNTLMAuth::ChallengeReceived [ss=0 cs=0]
0[2746d0]: sys-ntlm allowed for proxy: 0
0[2746d0]:   identity invalid = 1
0[2746d0]: nsHttpChannel::PromptForIdentity [this=20ebc78]

It seems that the pref is not set correctly somehow.  I'm not sure how to
explain this since you said that the pref is set.

Can you try using a fresh Firefox profile?

A quick way to do this is to do the following:

c:\Program Files\Mozilla Firefox\> mkdir test
c:\Program Files\Mozilla Firefox\> firefox -profile test

Then firefox will use "test" to store all of its profile data.

Comment 15

13 years ago
aha, the network.automatic-ntlm-auth.allow-proxies is true for builds without
the problem and false for those with the problem.

sorry, I must have had a firefox without the issue open when i checked the
"network.automatic-ntlm-auth.allow-proxies"-value by mistake.

I see that the file greprefs/all.js has these lines:
// The following prefs are used to enable automatic use of the operating
// system's NTLM implementation to silently authenticate the user with their
// Window's domain logon.  By default, this is disabled for proxy servers due
// to bug 256949.  The trusted-uris pref follows the format of the trusted-uris
// pref for negotiate authentication.
pref("network.automatic-ntlm-auth.allow-proxies", false);
pref("network.automatic-ntlm-auth.trusted-uris", "");

So that's what changed then.

I guess I'l have to read about bug 256949 now...

Comment 16

13 years ago
so, working as expected.  marking INVALID.
Last Resolved: 13 years ago
Resolution: --- → INVALID

Comment 17

13 years ago
see bug 288053 for re-enabling automatic-ntlm for proxies by default.
You need to log in before you can comment on or make changes to this bug.