Firefox 102 with IBM Webseal PKI logon
Forgive me if I am not describing this correctly but really need help, if you ask me questions back, I will be happy to answer once I find that answer to your question. The issue we are experiencing is not my area of expertiese but no one in my org can find an answer so here I am.
We have not migrated our enterprise above Firefox ESR 91.x as of yet, we have some internal sites that use IBM Webseal to provide SSO and some of that functionality is broken in version 102.x and above. There are three options on the frontend page to use RSA token, PKI logon and username/password: each one a separate choice for the end user experience. RSA and Username/password work without issue but PKI logon does not, once you click on the logon button it is supposed to grab the certificate from your PKI card and use it to logon to the web application, but it does not seem to complete this process instead it proceeds to another page almost immediately that reads Error An attempt to authenticate with a client certificate failed. A valid client certificate is required to make this connection. Click here to return to the authentication page. DPWWA1124W A client certificate could not be authenticated. Our web developers have opened a ticket with IBM and from what I was told after troubleshooting and traffic capture, they never see the certificate make it to the backend for authentication and it is a Firefox issue because Google and MS Edge work just fine. Because of this IBM closed the case.
Has anyone experienced this issue and know of a fix or is there any suggestions as to what we can look for as an attempt to fix this issue? What has changed between version 91.x to 102.x ESR (we have tried the RRs and it is an issue there also)? Is this a bug in Firefox?
All Replies (9)
Can you check the preference:
security.osclientcerts.autoload
in about:config to see what it is set to in both case? And try flipping it and see if it helps?
We have a tool we use to find regressions:
https://mozilla.github.io/mozregression/
If you could use that to try to see when the problem started, that would help
So I downloaded the Mozilla regression testing tool, and it seemed a little clunky to get working. I would put a release version of 91 to be the last known good to work and 102 as the first bad to not work and it would let me test a few versions, getting to a specific step and then not work at all from there. I had to close the program and relaunch it to get it to work.
I got tired of doing that but if it absolutely needs to be done, I can try again. To make a long story short of how many versions I downloaded I will skip to, I downloaded Firefox RR 93.0 and installed on my laptop. I can get our internal website to log me on using PKI, when I click on the logon button it prompts me to choose my one and only certificate, I click ok and then I am prompted for my pin and once input I am in the website.
I downloaded Firefox 94.0 RR and it would not work even if I toggled security.osclientcerts.autoload to true or false. I went a step further and downloaded Firefox 94.0b1 and installed that with the same broken results.
Let me know if I should go back to the regression tool. Mind you we only deploy the ESR version which is why we didn’t catch this issue until 102.0 ESR was released, the previous version of ESR to 102 is 91.13. something changed between 93 and 94 that broke our functionality, let me know if you need me to try anything else, please, I will be happy to get this resolved.
I have been looking at Firefox 94 RR release notes, could this be an issue with Site Isolation? I see that it was implemented as a new security feature, per the release notes a URL is provided and bring me to this site to read up on Site Isolation.
I wonder if it's possible it's total cookie protection.
See
https://support.mozilla.org/en-US/kb/total-cookie-protection-and-website-breakage-faq
Can you go to about:config and check the value of network.cookie.cookieBehavior and try setting it to 4?
Mike I really appreciate your help but that did not seem to solve my issue, the setting was already at 4 but I did try changing that setting from zero thru 5 and none of that helped. I removed 2 machines from our Firefox GPO settings and those settings are really nothing more that disabling auto updates and setting a home page and proxy settings. I also eliminated our proxy by removing those settings but because it is an internal site, I didn't think the proxy would have any effect on it and it didn't.
I did email the admins in charge of the broken page and being that we are part of a global org they reached out to their counterparts. Long story short they are considering a large re-work of the site that doesn't work but I was told that could take months to complete.
If you have any other suggestions, it would be appreciated. Thanks in advance.
I think at this point we should open a bug in bugzilla:
https://bugzilla.mozilla.org/home
And try to get some other developers to look at it.
It definitely sounds like a Firefox bug.
They can help with logging and other things.
Would you be willing to open a bug?
Mike, I did file a bug thru bugzilla but because this is the first time I did this and it is an internal site I filed anonymously. How will I know if they reach out to me, I want to help get this solved but also don't want to post an internal URL or my email address publicly, to me this screams out my company has not upgraded Firefox and any security holes are open for anyone to take a shot at.
How will I know when and if they reach out to me if I posted anonymously or should I go back and post another way?
We can make a bug employee only if there will be private information in the bug. Feel free to reach out to me directly - mkaply at mozilla.com
Mike I sent you a personal email about this subject on 11/10/2022 at 7:08 AM EST, I sent it to the email address you specified above. I am trying to confirm you received the message and we are going to file a bug employee only. Let me know if I did this correctly and if you need anything additional from me.