Closed Bug 973640 Opened 10 years ago Closed 5 years ago

NTLM Auth Dialog doesn't show up

Categories: Core :: Networking, defect, P3
Version and platform: 30 Branch, x86, macOS
Status: RESOLVED WONTFIX
People: Reporter: simon.sperling, Unassigned
Whiteboard: [necko-backlog][ntlm]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release)
Build ID: 20140216030203

Steps to reproduce:

I contacted an NTLM-secured webpage with the current Nightly Build. The problem wasn't happening in builds before 2014-02-11 or in current Aurora Builds.


Actual results:

No Auth Dialog showed up. Only a 401 Authorization Required page.


Expected results:

There should be an Auth Dialog as in builds before 2014-02-11 or in current Aurora Builds.

Maybe a dup of 973207 - can you check again after that fix lands in nightly?
Flags: needinfo?(simon.sperling)
Has this fix landed yet? There aren't any changes with the last couple of updates.
Flags: needinfo?(simon.sperling)
Go to about:buildconfig of the latest nightly you have with this problem and report back the line that looks like this:

Built from https://hg.mozilla.org/mozilla-central/rev/bf0e76f2a7d4
(In reply to simon.sperling from comment #4)
> Built from https://hg.mozilla.org/mozilla-central/rev/6e3ec93efe1d

Yes, that has 973207 - so it's not a dup.

We did remove NTLMv1 support on non-Windows platforms.. but I think you are suggesting a regression date that is after that time. bug 828183

Can you use mozregression to identify the closest range available?

https://quality.mozilla.org/docs/bugzilla/guide-to-triaging-bugs-for-firefox/finding-a-regression-window/
In Firefox Nightly on Linux the same happens and blocks surfing on the Internet.
On Windows, if I set the network.auth.force-generic-ntlm preference to true, I can't surf.
Looks like this made it through to release; it broke in Nightly a while ago on Mac OS X; currently broken on "Firefox 30.0 canonical-1.0", as well.  If I set "network.negotiate-auth.allow-insecure-ntlm-v1", things start working again for me.  It looks like this change is indeed related to bug 828183 -- the description for which says:

  Companies and organizations still deploying the older protocol should upgrade to NTLMv2. If you encounter any problems with NTLM auth on Firefox 30 and above, you can manually enable NTLMv1 using a preference. Note that NTLMv2 is not supported on non-Windows platforms, so OS X and Linux users have to toggle the preference to continue using NTLMv1, though the NTLM auth support on non-Windows platforms is considered deprecated. 

  (ref: https://developer.mozilla.org/en-US/Firefox/Releases/30/Site_Compatibility#Security )

The upshot of this is that Firefox 30+ breaks NTLM entirely on OS X and Linux, since there is no NTLMv2 support, and NTLMv1 support was disabled; NTLM-only sites (usually, corporate intranets, like mine) then break. (This seems like something of an oversight, although the status quo of NTLMv1 was not very good, I'll admit.)

Users, you can set the above preference in order to keep things working the way they were.
Is there any way to make the root cause of this issue visible to the user?
If I understand this correctly, the server sends a 401 with WWW-Authenticate: NTLM and because Firefox is choosing not to support this, it is terminating the conversation at that point - that is surely worth some sort of notification? Otherwise people stop using Firefox and use another browser because "it works" without necessarily understanding why and trying to get something done about it.
See Also: → 1008855
See Also: → 1024128
Comment 8... you are so right.. I went to use Chrome because I need to work. I cannot wait until there's a decision on this. Now I hear about the workaround (I will try it in a few).

However, I don't know that companies will switch to NTLMv2 any time soon. If you have ever worked in a big corporation you'll know how long it takes to propagate that kind of change. I know for a fact that if I go to my CTO with "change to NTLMv2" he'll be like "why? we're in the intranet and this is working".
(In reply to Joshua Wise from comment #7)
> Looks like this made it through to release; it broke in Nightly a while ago
> on Mac OS X; currently broken on "Firefox 30.0 canonical-1.0", as well.  If
> I set "network.negotiate-auth.allow-insecure-ntlm-v1", things start working
> again for me.  It looks like this change is indeed related to bug 828183 --
> the description for which says:
> 
>   Companies and organizations still deploying the older protocol should
> upgrade to NTLMv2. If you encounter any problems with NTLM auth on Firefox
> 30 and above, you can manually enable NTLMv1 using a preference. Note that
> NTLMv2 is not supported on non-Windows platforms, so OS X and Linux users
> have to toggle the preference to continue using NTLMv1, though the NTLM auth
> support on non-Windows platforms is considered deprecated. 
> 
>   (ref:
> https://developer.mozilla.org/en-US/Firefox/Releases/30/
> Site_Compatibility#Security )
> 
> The upshot of this is that Firefox 30+ breaks NTLM entirely on OS X and
> Linux, since there is not NTLMv2 support, and NTLMv1 support was disabled;
> NTLM-only sites (usually, corporate intranets, like mine) then break.  (This
> seems like something of an oversight, although the status quo of NTLMv1 was
> not very good, I'll admit.)
> 
> Users, you can set the above preference in order to keep things working the
> way they were.

What I don't understand is why Firefox is taking a stand on this. Allowing NTLMv1 in Firefox is not what would cause a server attack on the server. In order to do that kind of attack a hacker needs other tools. In other words, Firefox is not involved in the mix. Therefore it is the responsibility of the companies to change to the corresponding protocol, not the browser.
This will not make companies switch the protocol: having their Firefox users suddenly not being able to connect. This will only make companies force their users to move to IE as "Firefox is weird and we can't be sure what's the deal there" (I literally heard this).
Can someone confirm that NTLMv2 on OS X is working by default on Firefox 30? (again: I am talking about NTLMv2 here, not NTLMv1.) The IT division of my employer says they use NTLMv2 and I can't log in anymore since Firefox 30 on OS X. They even explicitly mention Firefox 30 on OS X and broken NTLMv2 on the error page I am redirected to and the page also says – in substance – that this is Mozilla's fault. I work for a company of over 50.000 employees, I hope other companies are not doing the same, that would be very damaging for Mozilla.

I am a bit skeptical about this error message from the IT department because when I enable NTLMv1, I can log in. So, best case, they use both NTLMv1 and NTLMv2.
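
For the question raised in the comment above (whether a login really uses NTLMv1 or NTLMv2), the client's own `Authorization: NTLM` request header can be decoded and classified by the length of the NT response it carries. This is an added example, not part of the original bug thread or of Firefox's code; `classify_ntlm_response` and `build_sample` are hypothetical names, and the sample messages are constructed rather than captured.

```python
import base64
import struct

ESS_FLAG = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY


def _field(msg, pos):
    """Read a (length, max length, offset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]


def classify_ntlm_response(header_value):
    """Classify the value of an 'Authorization: NTLM <base64>' request header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM authorization header")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:  # only the type 3 (AUTHENTICATE) message carries a response
        return "type %d message (no response to classify)" % msg_type
    if len(msg) < 64:
        raise ValueError("truncated AUTHENTICATE message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    # An NTLMv1 NT response is exactly 24 bytes; NTLMv2 is a 16-byte proof plus a blob.
    if len(nt) > 24:
        return "NTLMv2"
    if len(nt) == 24:
        # With extended session security the LM field is an 8-byte nonce plus 16 zero bytes.
        if flags & ESS_FLAG and len(lm) == 24 and lm[8:] == bytes(16):
            return "NTLMv1 with extended session security"
        return "NTLMv1"
    return "unknown"


def build_sample(nt_response, lm_response=bytes(24), flags=0):
    """Constructed AUTHENTICATE message for the demo; name fields are left empty."""
    payload = lm_response + nt_response
    head = b"NTLMSSP\x00" + struct.pack("<I", 3)
    head += struct.pack("<HHI", len(lm_response), len(lm_response), 64)
    head += struct.pack("<HHI", len(nt_response), len(nt_response), 64 + len(lm_response))
    head += struct.pack("<HHI", 0, 0, 64 + len(payload)) * 4  # domain, user, host, key
    head += struct.pack("<I", flags)
    return "NTLM " + base64.b64encode(head + payload).decode()
```

The header value to feed in is the third message of the handshake, i.e. the request the browser sends after the server's challenge; the first `Authorization: NTLM` request only negotiates and is reported as a type 1 message.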
Whiteboard: [necko-backlog][ntlm]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3

Is this a complaint that NTLM v1 doesn't work by default? That's intentional, so closing as wontfix.

The solution is to configure servers to offer NTLM v2, right?

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX