657538 - Doesn't back off to NTLM after SPNEGO/Negotiate failure

Status: UNCONFIRMED

(Core :: Networking: HTTP, defect, P5)

Description

[nicholas.woo]

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.1.4322; InfoPath.2; MS-RTC LM 8)
Build Identifier: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

1. Point Firefox to a intranet site hosted by an IIS server.
2. Server responds with a with a WWW-Authenticate header specifying both Negotiate and NTLM to the initial GET.
3. Firefox tries to init security context using a SPN containing the CNAME from DNS.  
4. Above operation fails with a GSS exception such as "Server not found in Kerberos database".

Reproducible: Always

Steps to Reproduce:
See details.

Actual Results:  
Firefox pops up with its own dialog box asking for user credentials.

Expected Results:  
Firefox should retry authentication using NTLM.  There is no evidence that it even launches /usr/.bin/ntlm_auth.

network.automatic-ntlm-auth.trusted-uris;intel.com
network.negotiate-auth.delegation-uris;intel.com
network.negotiate-auth.trusted-uris;intel.com

Comment 1

[David Woodhouse]

How is this different to the NTLM behaviour when network.negotiate-auth.trusted-uris is unset? It doesn't try to run ntlm_auth *then* either (bug 554122).

Is that fact that it tried negotiate first actually relevant?

Comment 2

[Firefox Bug Husbandry Bot]

Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258