Open Bug 520668 Opened 12 years ago Updated 9 months ago
Configuring Kerberos for Firefox is ugly
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:188.8.131.52) Gecko/20090911 Fedora/3.5.3-1.fc12 Firefox/3.5.3 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:184.108.40.206) Gecko/20090911 Fedora/3.5.3-1.fc12 Firefox/3.5.3 (originally filed as https://bugzilla.redhat.com/show_bug.cgi?id=526824) To be able to use FF with kerberos SSO one has to follow the instructions like this: Firefox can use your Kerberos credentials for authentication, but you need to specify which domains to communicate with, and using which attributes. 1. Open Firefox, and type "about:config" in the Address Bar. 2. In the Search field, type "negotiate". 3. Ensure the following lines reflect your setup. Replace ".example.com" with your own kerberos domain, including the preceding period (.): network.negotiate-auth.trusted-uris .example.com network.negotiate-auth.delegation-uris .example.com network.negotiate-auth.using-native-gsslib true 4. If you are configuring Firefox on Microsoft Windows, make the following changes instead: network.negotiate-auth.trusted-uris .example.com network.auth.use-sspi false network.negotiate-auth.delegation-uris .example.com 5. In Firefox, navigate to the kerberos protected web site and ensure that there are no Kerberos authentication errors, and that you can see and interact with the web site. This bug is a request to provide a much more user friendly way of accomplishing the same goal using some kind of click through interface. It should also be possible to configure it using system management tools and scripts. Version-Release number of selected component (if applicable): Any Reproducible: Always Steps to Reproduce: 1.see above 2. 3. Actual Results: making Firefox to work with Kerberos is awfully complicated Expected Results: Fireofx should support Kerberos (aka SPNEGO) "out of the box".
Kerberos is used in many corporate organizations, whether known or not (eg. as part of AD). If FF can support Kerberos/SPNEGO "out of the box" (or at least without users having to into about:config), it would facilitate the adoption of FF in corporate environments. Most clients using Kerberos will have an /etc/krb5.conf or an active TGT. In theory, the default_realm configuration directive could help populate the relevant configuration sections or be used instead of internal configuration sections. POTENTIAL CASES: 1) User is in a single Kerberos domain * use default_realm stanza in /etc/krb5.conf for configuration * corporate DNS *should* have appropriate SRV records in DNS. 2) User is in more than one Kerberos domain * domain_realm can perhaps be used to delimit * DNS SRV entries for non-primary realms * active TGTs can give 'hints' as to what domains are to be used
You can create a file in a directory like /usr/lib64/firefox/browser/defaults/preferences with the following contents: pref("network.negotiate-auth.trusted-uris", "example.com"); Note that you have to create the appropriate 32-bit or 64-bit one, and that the directory in which it lives has changed recently with an upgrade of firefox. Perhaps realmd should be doing this, when the machine joins a realm? You might want to fix bug 981477 before you inflict firefox+Kerberos on people in an automated fashion though...
Oops, sorry, wrong bugzilla. Make that 'bug 890908' in that case.
Most of this configuration should be able to go away. These days Kerberos has realm autodiscovery and the ability to proxy over HTTP (MS-KKDCP; we are working on autodiscovery for this too). We are actively working on a PAKE pre-authentication method as well, so there is no possible attack on credentials even when giving packets to a rogue server. There are only two possible "leakages": 1. the user principal to any listener 2. the browser history to the KDC In the second case, only server granularity is provided. So this leakage isn't a big deal. It can also be mitigated by asking the user to log in with the existing TGT. It is also mitigated by the fact that such services are largely happening inside a security realm anyway; privacy here is not assumed. In short, if Firefox encounters a Kerberos realm enrolled server, the user should simply be asked for login. Everything else can, and should, happen transparently.
Seriously, not before bug 890908 is fixed. You really don't want to automatically use Kerberos when it can make Firefox go off into the weeds for *minutes* at a time without redrawing itself or responding in any way.
OK, but bug 890908 has been fixed, so what's the status of this now?
Would be good for this to be enabled by default for all site, like IE, Edge, Chrome, etc. And/Or if it could be easily enabled by official Group Policy Object as well.
Component: Security → Networking
Product: Firefox → Core
You need to log in before you can comment on or make changes to this bug.