
Strange behaviour with Kerberos

Status: UNCONFIRMED (Unassigned)
Product / Component: Core / Networking: HTTP
Priority: P3, Severity: normal
Reporter: bpn
Version: 23 Branch; Platform: x86_64, Windows 7
Points: ---
Firefox Tracking Flags: (Not tracked)
Whiteboard: [necko-backlog][ntlm]
Reported: 4 years ago; last modified: 9 days ago

Description (Reporter, 4 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130814063812

Steps to reproduce:

Environment:

KDC: Active Directory Domain (Windows 2008 Server R2)
Reverse Proxy: Apache 2.2.15
Apache Auth Modules: mod_auth_kerb 5.4
Browser: Firefox 23.0.1

----------

I'm using SSO (Single Sign On) to authenticate users in an intranet infrastructure with AD, Apache and Firefox.
So I have configured "network.negotiate-auth.trusted-uris" for my AD domain.

Authentication is working well, but there is a strange behaviour that I don't understand.


Actual results:

The workflow with Firefox is like this:

 1. Client ==> GET / WITHOUT Kerberos token         ==> Reverse Proxy
 2. Client <== Error 401: Unauthorized              <== Reverse Proxy
 3. Client ==> GET / WITH Kerberos token            ==> Reverse Proxy
 4. Client <== HTTP Code 200: OK: send resource     <== Reverse Proxy
 5. Client ==> GET /toto WITHOUT Kerberos token     ==> Reverse Proxy
 6. Client <== Error 401: Unauthorized              <== Reverse Proxy
 7. Client ==> GET /toto WITH Kerberos token        ==> Reverse Proxy
 8. Client <== HTTP Code 200: OK: send resource     <== Reverse Proxy
 9. Client ==> GET /boby WITHOUT Kerberos token     ==> Reverse Proxy
10. Client <== Error 401: Unauthorized              <== Reverse Proxy
11. Client ==> GET /boby WITH Kerberos token        ==> Reverse Proxy
12. Client <== HTTP Code 200: OK: send resource     <== Reverse Proxy

Firefox always needs to get a 401 error before it sends a Kerberos token.


Expected results:

The intended workflow is like this:

 1. Client ==> GET / WITHOUT Kerberos token         ==> Reverse Proxy
 2. Client <== Error 401: Unauthorized              <== Reverse Proxy
 3. Client ==> GET / WITH Kerberos token            ==> Reverse Proxy
 4. Client <== HTTP Code 200: OK: send resource     <== Reverse Proxy
 5. Client ==> GET /toto WITH Kerberos token        ==> Reverse Proxy
 6. Client <== HTTP Code 200: OK: send resource     <== Reverse Proxy
 7. Client ==> GET /boby WITH Kerberos token        ==> Reverse Proxy
 8. Client <== HTTP Code 200: OK: send resource     <== Reverse Proxy

Other browsers (Internet Explorer) act like that.
Only one 401 error is necessary to send the Authorization header automatically for subsequent requests.

Is this normal behaviour?
Is there a bugfix to do?
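To make the two flows in the report concrete, here is an added simulation (not Firefox, Apache or mod_auth_kerb code, and not part of the bug report). It models a toy reverse proxy that answers any request lacking a Negotiate Authorization header with 401, and a browser that either answers every 401 (the Firefox behaviour the reporter observed) or, after the first challenge from a trusted host, attaches the token up front (the behaviour the reporter expects). The host name, the trusted-host set (standing in for network.negotiate-auth.trusted-uris) and the token string are constructed placeholders; a real token would be a base64 SPNEGO blob obtained from the KDC.

```python
# Added simulation (not Firefox or Apache code): models the two HTTP
# Negotiate flows from the report and the effect of a trusted-host list.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed values: stand-ins for the real intranet host and SPNEGO token.
TRUSTED_HOSTS = {"intranet.example.test"}        # like network.negotiate-auth.trusted-uris
FAKE_TOKEN = "Negotiate YIIC...constructed..."   # real tokens are base64 SPNEGO blobs


@dataclass
class RoundTrip:
    path: str
    sent_token: bool
    status: int


def reverse_proxy(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Toy stand-in for mod_auth_kerb: a request without a Negotiate
    Authorization header gets a 401 challenge; with one it gets 200."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Negotiate "):
        return 200, {}
    return 401, {"WWW-Authenticate": "Negotiate"}


class NegotiateClient:
    """Browser model. preemptive=False: answer every 401 (the Firefox
    behaviour in the report). preemptive=True: after the first 401 from a
    trusted host, attach the token up front (what the reporter expects)."""

    def __init__(self, host: str, preemptive: bool) -> None:
        self.host = host
        self.preemptive = preemptive
        self.challenged: Set[str] = set()   # hosts that already sent a 401 Negotiate
        self.log: List[RoundTrip] = []

    def _trusted(self) -> bool:
        return self.host in TRUSTED_HOSTS

    def get(self, path: str) -> int:
        headers: Dict[str, str] = {}
        if self.preemptive and self._trusted() and self.host in self.challenged:
            headers["Authorization"] = FAKE_TOKEN
        status, resp = reverse_proxy(headers)
        self.log.append(RoundTrip(path, "Authorization" in headers, status))
        # Only answer a Negotiate challenge from a trusted host; an untrusted
        # host never receives a ticket, which is what the trusted-uris list is for.
        if status == 401 and resp.get("WWW-Authenticate") == "Negotiate" and self._trusted():
            self.challenged.add(self.host)
            headers["Authorization"] = FAKE_TOKEN
            status, resp = reverse_proxy(headers)
            self.log.append(RoundTrip(path, True, status))
        return status


def browse(preemptive: bool, host: str = "intranet.example.test",
           paths: Tuple[str, ...] = ("/", "/toto", "/boby")) -> List[RoundTrip]:
    """Replay the three requests from the report and return every round trip."""
    client = NegotiateClient(host, preemptive)
    for path in paths:
        client.get(path)
    return client.log


def count_401(log: List[RoundTrip]) -> int:
    return sum(1 for rt in log if rt.status == 401)


if __name__ == "__main__":
    for label, log in (("challenge every time", browse(False)),
                       ("remember after first 401", browse(True))):
        print(f"{label}: {len(log)} round trips, {count_401(log)} x 401")
        for rt in log:
            print(f"  GET {rt.path:<6} token={rt.sent_token!s:<5} -> {rt.status}")
```

Run as a script it prints six round trips with three 401s for the challenge-every-time client and four round trips with one 401 for the remembering client, matching the two sequences in the report. The third case in the test, a host outside the trusted set, shows why the trusted-host check sits in front of both paths: that client gets three 401s and never sends a token at all.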

History (updated 4 years ago)

Component: Networking → Networking: HTTP
Whiteboard: [necko-backlog][ntlm]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3