Aladdin eToken users are allways prompted for a password even when token supports SSO

NEW
Unassigned

Status

()

Firefox
Security
8 years ago
3 years ago

People

(Reporter: Frank Breedijk, Unassigned)

Tracking

4.0 Branch
x86
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

In the Aladdin eToken driver there is an option to enable SSO. This means that when a correct pin is used to log into the token, the token can then be used without a password. However, Firefox does not seem to obey this. User is allway prompted for the "Master password" of the token wheneve the token is accessed.

I have talked to eSafe support and they indicate that: "
November 25, 2009	    2:33:13 PM	    from eToken Tech Support to All Participants:	It seems the following:

November 25, 2009	    2:33:34 PM	    from eToken Tech Support to All Participants:	We have a function in our Cryptography world which is called "C_Login"

November 25, 2009	    2:33:41 PM	    from eToken Tech Support to All Participants:	This is how you login to the token

November 25, 2009	    2:33:59 PM	    from eToken Tech Support to All Participants:	Now - most products uses "C_Login Null"

November 25, 2009	    2:34:29 PM	    from eToken Tech Support to All Participants:	Which means that they're trying to authenticate with no password - if they get rejected, we pop-up for a PIN dialog

November 25, 2009	    2:35:07 PM	    from eToken Tech Support to All Participants:	Now, Firefox, unlike most other applications, uses PKCS#11 and actually forcing "C_Login" without Null

November 25, 2009	    2:35:22 PM	    from eToken Tech Support to All Participants:	Which means that each time they're doing a login operation, a login is required.

November 25, 2009	    2:36:12 PM	    from eToken Tech Support to All Participants:	Once the Firefox Logs in once to the token - it'll always try to re-login to it upon launch of the Firefox session.

November 25, 2009	    2:37:09 PM	    from eToken Tech Support to All Participants:	Firefox is not checking if they can get the certificate which is stored on the token without a PIN - they're trying to do a login directly with a PIN.

"

Reproducible: Always

Steps to Reproduce:
1.Make sure PKI Client has SSO enabled
2.Insert token en log into the token
3.Start firefox
4. Visit an HTTPS page
5. Password dialog
Actual Results:  
I was prompted for the token password

Expected Results:  
Token would be used without password dialog as SSO is on
(Reporter)

Comment 1

8 years ago
Created attachment 414841 [details]
Chat log of support session with Aladdin
Reporter, are you still seeing this issue with Firefox 3.6.13 or later in safe mode? If not, please close. These links can help you in your testing.
http://support.mozilla.com/kb/Safe+Mode
http://support.mozilla.com/kb/Managing+profiles

You can also try to reproduce in Firefox 4 Beta 8 or later, there are many improvements in the new version, http://www.mozilla.com/en-US/firefox/all-beta.html
Whiteboard: [CLOSEME 2011-1-30]
(Reporter)

Comment 3

7 years ago
Yes, the behaviour hasn't changed in either 3.6.13 or 4 Beta 8. even if the token is authenticated on the OS level FireFox will continue to prompt for the PIN.
(Reporter)

Updated

7 years ago
OS: Windows Vista → Windows 7
No reply, INCOMPLETE. Please retest with Firefox 3.6.13 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INCOMPLETE
(Reporter)

Comment 5

7 years ago
I have deleted my profile and recreated a new one. The device now doesn't prompt for a password, but is also not used in certificate selection.

When I try to log into e.g. https://sbpvpn.schubergphilis.com/+CSCOE+/logon.html?a0=86&a1=&a2=&a3=1&reason=1 which should as me if I want to present my eToken certificate (I have it set to prompt me) only does that if I manually log into my token first via Tools->Options->Advanced->Security devices
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---

Updated

7 years ago
Whiteboard: [CLOSEME 2011-1-30]

Updated

7 years ago
Version: unspecified → 4.0 Branch
This bug was reported using a pre-release version of Firefox 4. Now that Firefox 4.0.1 final has been released, can you please update and retest your bug? A fresh profile would be a good starting place to test, 
http://support.mozilla.com/kb/Managing+profiles. If you continue to see the issue, can you please update this bug with your results?

Filter: firefox4prebugsunco

Comment 7

4 years ago
I am using latest (v26) firefox version, still encountering the same behaviour.

Comment 8

4 years ago
UA: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
You need to log in before you can comment on or make changes to this bug.