Open Bug 520668 Opened 15 years ago Updated 2 years ago

Configuring Kerberos for Firefox is ugly


(Core :: Networking, defect, P3)





(Reporter: mcepl, Unassigned)



(Whiteboard: [necko-triaged])

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20090911 Fedora/3.5.3-1.fc12 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/20090911 Fedora/3.5.3-1.fc12 Firefox/3.5.3

(originally filed as
To be able to use FF with kerberos SSO one has to follow the instructions like
Firefox can use your Kerberos credentials for authentication, but you need to
specify which domains to communicate with, and using which attributes.

1. Open Firefox, and type "about:config" in the Address Bar.
2. In the Search field, type "negotiate".
3. Ensure the following lines reflect your setup. Replace "" with
your own kerberos domain, including the preceding period (.):

      network.negotiate-auth.using-native-gsslib true

4. If you are configuring Firefox on Microsoft Windows, make the following
changes instead:

      network.auth.use-sspi false

5. In Firefox, navigate to the kerberos protected web site and ensure that
there are no Kerberos authentication errors, and that you can see and interact
with the web site. 

This bug is a request to provide a much more user friendly way of accomplishing
the same goal using some kind of click through interface. It should also be
possible to configure it using system management tools and scripts. 

Version-Release number of selected component (if applicable):

Reproducible: Always

Steps to Reproduce:
1.see above
Actual Results:  
making Firefox to work with Kerberos is awfully complicated

Expected Results:  
Fireofx should support Kerberos (aka SPNEGO) "out of the box".
Ever confirmed: true
Kerberos is used in many corporate organizations, whether known or not (eg. as part of AD). If FF can support Kerberos/SPNEGO "out of the box" (or at least without users having to into about:config), it would facilitate the adoption of FF in corporate environments.

Most clients using Kerberos will have an /etc/krb5.conf or an active TGT. In theory, the default_realm configuration directive could help populate the relevant configuration sections or be used instead of internal configuration sections.


1) User is in a single Kerberos domain
* use default_realm stanza in /etc/krb5.conf for configuration
* corporate DNS *should* have appropriate SRV records in DNS.

2) User is in more than one Kerberos domain
* domain_realm can perhaps be used to delimit
* DNS SRV entries for non-primary realms
* active TGTs can give 'hints' as to what domains are to be used
Depends on: 652196
You can create a file in a directory like /usr/lib64/firefox/browser/defaults/preferences with the following contents:

pref("network.negotiate-auth.trusted-uris", "");

Note that you have to create the appropriate 32-bit or 64-bit one, and that the directory in which it lives has changed recently with an upgrade of firefox.

Perhaps realmd should be doing this, when the machine joins a realm?

You might want to fix bug 981477 before you inflict firefox+Kerberos on people in an automated fashion though...
Oops, sorry, wrong bugzilla. Make that 'bug 890908' in that case.
Component: General → Security
Most of this configuration should be able to go away. These days Kerberos has realm autodiscovery and the ability to proxy over HTTP (MS-KKDCP; we are working on autodiscovery for this too). We are actively working on a PAKE pre-authentication method as well, so there is no possible attack on credentials even when giving packets to a rogue server.

There are only two possible "leakages":
1. the user principal to any listener
2. the browser history to the KDC

In the second case, only server granularity is provided. So this leakage isn't a big deal. It can also be mitigated by asking the user to log in with the existing TGT. It is also mitigated by the fact that such services are largely happening inside a security realm anyway; privacy here is not assumed.

In short, if Firefox encounters a Kerberos realm enrolled server, the user should simply be asked for login. Everything else can, and should, happen transparently.
Depends on: 890908
Seriously, not before bug 890908 is fixed. You really don't want to automatically use Kerberos when it can make Firefox go off into the weeds for *minutes* at a time without redrawing itself or responding in any way.
OK, but bug 890908 has been fixed, so what's the status of this now?
Would be good for this to be enabled by default for all site, like IE, Edge, Chrome, etc. And/Or if it could be easily enabled by official Group Policy Object as well.
Component: Security → Networking
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [necko-triaged]

It would be nice if Kerberos auth could work automatically like in IE and Chrome.

Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.