Support Forum

Authentication not using Kerberos

Posted

We have an issue internally using Firefox against an IIS server that is using Kernel Mode Authentication. When using IE, Kerberos authentication is properly used. However, when we use Firefox, the browser keeps falling back to NTLM authentication.

We have talked to Microsoft, and because this works in IE they believe it is a Firefox issue. We would like some help to determine why Firefox can't seem to use Kerberos with our server that is running Kernel Mode Authentication. We are not sure if Kernel Mode is what is causing issues, but it seems to be the one difference between this service and others that properly use Kerberos in Firefox.

Can you provide some support to help us figure out why Firefox is falling back to NTLM? We are unable to determine why this is happening in the browser.

Additional System Details

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 11.0.13
  • A plugin to detect whether the Adobe Application Manager is installed on this machine.
  • Citrix Online App Detector Plugin
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • The plugin allows you to have a better experience with Microsoft Lync
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Shockwave Flash 20.0 r0
  • 5.1.41105.0

Application

  • Firefox 42.0
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
  • Support URL: https://support.mozilla.org/1/firefox/42.0/WINNT/en-US/

Extensions

  • FiddlerHook 2.6.0.4 (fiddlerhook@fiddler2.com)
  • Adobe Acrobat - Create PDF 2.0 (web2pdfextension@web2pdf.adobedotcom) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: ATI Radeon HD 3450 - Dell Optiplex
  • adapterDescription2:
  • adapterDeviceID: 0x95c5
  • adapterDeviceID2:
  • adapterDrivers: atiu9p64 atiuxp64 atiu9pag atiuxpag atiumdva atiumd6a atitmm64
  • adapterDrivers2:
  • adapterRAM: 256
  • adapterRAM2:
  • adapterSubsysID: 03421028
  • adapterSubsysID2:
  • adapterVendorID: 0x1002
  • adapterVendorID2:
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.17568
  • driverDate: 12-6-2011
  • driverDate2:
  • driverVersion: 8.922.0.0
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'direct2d 1.1', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d 1.1', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • supportsHardwareH264: True
  • webglRenderer: Google Inc. -- ANGLE (ATI Radeon HD 3450 - Dell Optiplex Direct3D11 vs_4_1 ps_4_1)
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
jscher2000
  • Top 10 Contributor
8794 solutions 71950 answers

As the first step, you need to "whitelist" host names for those servers in Firefox's preferences. See: https://developer.mozilla.org/docs/Integrated_Authentication

There is also a discussion in this article: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

Interactively, you can make changes in about:config which results in changes to the current prefs.js file. For deployment/management, you usually would use an AutoConfig file.

Question owner

The configuration is not the problem. We have both the trusted and delegation URIs configured. Kerberos works fine in Firefox against other hosts on the same network. Kerberos also works fine against this host in IE. The only issue is with this particular host and Firefox, and as I said above, the only difference I can determine is that this particular host uses Kernel Mode Authentication.

Also, when I watch on the server, it does perform a preauth check as if it is going to do a Kerberos request, but Firefox seems to fall back to NTLM when it does the actual authentication.

I need to figure out why Firefox is performing this fallback to NTLM.

jscher2000
  • Top 10 Contributor
8794 solutions 71950 answers

Helpful Reply

I didn't see anything in Bugzilla that seemed relevant to this (https://bugzilla.mozilla.org/), but I may not have used the right search terms.

If you don't find anything quickly, you may want to file a new bug so you can engage with the developers on tracing what's going on.

This bug fixed in Firefox 20 illustrates the kind of analysis you might participate in: #857291 – SPNEGO / MS KRB5 no longer working. Tries to use NTLM SSP instead. (https://bugzilla.mozilla.org/show_bug.cgi?id=857291)

I also saw a report that Firefox would fall back to NTLM on a non-standard port, but that doesn't sound relevant to your configuration: #497057 – FireFox cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port (https://bugzilla.mozilla.org/show_bug.cgi?id=497057).

Modified by jscher2000
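
When tracing a fallback like the one described in this thread, it helps to confirm from a captured request (for example in Fiddler) which mechanism the browser actually put in its `Authorization` header. The following is an added example, not part of the original thread or of Firefox; the function names are hypothetical and the sample tokens are constructed, not captured traffic.

```python
import base64

# DER encodings (tag 0x06, length, value) of the relevant mechanism OIDs.
SPNEGO = bytes.fromhex("06062b0601050502")                     # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "MS Kerberos 5",  # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",      # 1.3.6.1.4.1.311.2.2.10
}

def classify(header_value):
    """Return (wrapper, mechanisms) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return ("other", [])
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return ("undecodable", [])
    if tok.startswith(b"NTLMSSP\x00"):
        # Raw NTLM message, even when the scheme says "Negotiate".
        msg_type = int.from_bytes(tok[8:12], "little")
        return ("raw NTLM", ["NTLMSSP type %d" % msg_type])
    if tok[:1] != b"\x60":
        return ("unknown", [])
    # Byte scan rather than a full DER parse: order of first occurrence
    # follows the mechTypes preference list at the start of the token.
    found = sorted((tok.find(oid), name) for oid, name in MECHS.items() if oid in tok)
    wrapper = "SPNEGO" if SPNEGO in tok[:16] else "GSS-API"
    if b"NTLMSSP\x00" in tok:
        wrapper += " carrying NTLM"  # the inner mechToken is an NTLM message
    return (wrapper, [name for _, name in found])

def _tlv(tag, body):
    # DER tag-length-value for short bodies (< 128 bytes); enough for samples.
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed tokens (not captured traffic) for the two cases."""
    ntlm = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)
    mech_list = b"".join(MECHS)  # Kerberos 5, MS Kerberos 5, NTLMSSP
    neg_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, mech_list))))
    spnego = _tlv(0x60, SPNEGO + neg_init)
    enc = lambda b: base64.b64encode(b).decode()
    return "Negotiate " + enc(ntlm), "Negotiate " + enc(spnego)

if __name__ == "__main__":
    for header in sample_headers():
        print(classify(header))
```

Running `classify` on the header values from a working host and from the failing host shows whether the difference is a raw NTLM token, an SPNEGO token that only carries NTLM, or an SPNEGO token that offers Kerberos.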