
Support Forum

NTLM over GSSAPI/SPNEGO authentication

I am testing NTLM over GSSAPI/SPNEGO functionality that our proxy supports.

On Mac (OS X 10.8.2), I have the FF (15.0) browser. I have added the proxy to the browser and updated network.negotiate-auth.trusted-uri, network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uri to point to the forward proxy I am using.

When I browse a website, here is what happens:

(proxy to FF) Proxy-Authenticate: Negotiate

(FF to proxy) Proxy-Authorization: Negotiate YEgGBisGAQUFAqA+MDygDjAMBgorBgEEAYI3AgIKoioEKE5UTE1TU1AAAQAAAAUCiGIAAAAAGAAAAAAAAAAYAAAABgGwHQ8AAAA=

(proxy to FF) Proxy-Authenticate: Negotiate oYHyMIHvoAMKAQGhDAYKKwYBBAGCNwICCqKB2QSB1k5UTE1TU1AAAgAAAAoACgAwAAAABQKJYvNEPJKZ57ZWAAAAAAAAAACcAJwAOgAAAFcAMgAwADAAOAACAAoAVwAyADAAMAA4AAEAFgBWAE0AMQAwAEIAUwBEADAAMgA3ADMABAAoAGQAZQB2AC4AcwBiAHIALgBpAHIAbwBuAHAAbwByAHQALgBjAG8AbQADAEAAdgBtADEAMABiAHMAZAAwADIANwAzAC4AZABlAHYALgBzAGIAcgAuAGkAcgBvAG4AcABvAHIAdAAuAGMAbwBtAAAAAAA=


Then FF does not respond back; instead it shows "This Page Cannot Be Displayed". When I did a packet capture, it showed that FF tries to do NTLMSSP over SPNEGO and sends "negTokenInit" with NTLMSSP_NEGOTIATE. When the proxy sends "negTokenTarg" with NTLMSSP_CHALLENGE, the browser does not respond back.

Please let me know if you need any more information.

Additional System Details

Installed Plug-ins

  • Version 3.13.2.11592
  • Google Talk Plugin Video Accelerator version:0.1.44.23
  • Shockwave Flash 11.5 r502
  • Displays Java applet content, or a placeholder if Java is not installed.
  • WebEx64 General Plugin Container Version 205
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.
  • Microsoft Office for Mac SharePoint Browser Plug-in
  • Office Live Update v1.0
  • Adobe Shockwave for Director Netscape plug-in, version 11.6.5
  • Picasa plugin.
  • npmnqmp 071706000001
  • iPhoto6

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:15.0) Gecko/20100101 Firefox/15.0
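
The two Negotiate tokens quoted in the question can be decoded offline to confirm what the packet capture showed. This is an added example, not part of the original thread: the function names are hypothetical, the two header values are copied from the post, and the parser handles only the DER subset these tokens use.

```python
import base64
import struct
SPNEGO_OID, NTLMSSP_OID = "1.3.6.1.5.5.2", "1.3.6.1.4.1.311.2.2.10"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Header values copied verbatim from the question above.
FF_TO_PROXY = "Negotiate YEgGBisGAQUFAqA+MDygDjAMBgorBgEEAYI3AgIKoioEKE5UTE1TU1AAAQAAAAUCiGIAAAAAGAAAAAAAAAAYAAAABgGwHQ8AAAA="
PROXY_TO_FF = "Negotiate oYHyMIHvoAMKAQGhDAYKKwYBBAGCNwICCqKB2QSB1k5UTE1TU1AAAgAAAAoACgAwAAAABQKJYvNEPJKZ57ZWAAAAAAAAAACcAJwAOgAAAFcAMgAwADAAOAACAAoAVwAyADAAMAA4AAEAFgBWAE0AMQAwAEIAUwBEADAAMgA3ADMABAAoAGQAZQB2AC4AcwBiAHIALgBpAHIAbwBuAHAAbwByAHQALgBjAG8AbQADAEAAdgBtADEAMABiAHMAZAAwADIANwAzAC4AZABlAHYALgBzAGIAcgAuAGkAcgBvAG4AcABvAHIAdAAuAGMAbwBtAAAAAAA="

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for one DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def walk(buf, out):  # collect OIDs, negState and the inner mechanism token
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag == 0x06:  # OBJECT IDENTIFIER
            out["oids"].append(decode_oid(val))
        elif tag == 0x0A:  # ENUMERATED (negState in a negTokenResp)
            out["neg_state"] = val[0]
        elif tag == 0x04:  # OCTET STRING (mechToken / responseToken)
            out["token"] = val
        elif tag & 0x20:  # constructed element: descend into it
            walk(val, out)
    return out

def describe(header_value):
    raw = base64.b64decode(header_value.split()[-1])
    info = walk(raw, {"oids": [], "neg_state": None, "token": b"", "ntlm": None})
    tok = info.pop("token")
    info["kind"] = {0x60: "negTokenInit", 0xA1: "negTokenResp"}.get(raw[0], "other")
    if tok[:8] == b"NTLMSSP\0" and len(tok) >= 12:  # message type follows signature
        info["ntlm"] = NTLM_TYPES.get(struct.unpack_from("<I", tok, 8)[0])
    return info
```

`describe(PROXY_TO_FF)` reports negState 1 (accept-incomplete), so the proxy is waiting for one more token carrying the NTLM AUTHENTICATE message, which is the leg the capture shows Firefox never sends.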

Tyler Downer
  • Administrator
  • Moderator
1165 solutions 6641 answers

Try updating to Firefox 18.0.2 first, the proxy support has been improved in that version.

Question owner

I tried 18.0.2, and I see the same issue. FF does not respond to NTLM_CHALLENGE over GSSAPI.

Question owner

Looks like I have the issue explained in the section "Negotiate external libraries" at http://dev.chromium.org/developers/design-documents/http-authentication