NTLM over GSSAPI/SPENGO authentication
I am testing NTLM over GSSAPI/SPENGO functionality that our proxy supports.
On mac (OSX 10.8.2), I have got FF (15.0) browser. I have added the proxy to the browser, updated network.negotiate-auth.trusted-uri, network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uri tp point to the forward proxy I am using.
When I browse a website, here is what happens -
(proxy to FF) Proxy-Authenticate: Negotiate
(FF to proxy) Proxy-Authorization: Negotiate YEgGBisGAQUFAqA+MDygDjAMBgorBgEEAYI3AgIKoioEKE5UTE1TU1AAAQAAAAUCiGIAAAAAGAAAAAAAAAAYAAAABgGwHQ8AAAA=
(proxy to FF) Proxy-Authenticate: Negotiate oYHyMIHvoAMKAQGhDAYKKwYBBAGCNwICCqKB2QSB1k5UTE1TU1AAAgAAAAoACgAwAAAABQKJYvNEPJKZ57ZWAAAAAAAAAACcAJwAOgAAAFcAMgAwADAAOAACAAoAVwAyADAAMAA4AAEAFgBWAE0AMQAwAEIAUwBEADAAMgA3ADMABAAoAGQAZQB2AC4AcwBiAHIALgBpAHIAbwBuAHAAbwByAHQALgBjAG8AbQADAEAAdgBtADEAMABiAHMAZAAwADIANwAzAC4AZABlAHYALgBzAGIAcgAuAGkAcgBvAG4AcABvAHIAdAAuAGMAbwBtAAAAAAA=
Then FF does not respond back, instead shows "This Page Cannot Be Displayed" When I did packetcapture, it shows that FF tries to do NTLMSSP over SPENGO and sends "negTokenInit" with NTLMSSP_NEGOTIATE. When Proxy sends "negTokenTarg" with NTLMSSP_CHALLENGE, the browser does not respond back.
Please let me know if you need any more information.
Additional System Details
- Version 184.108.40.20692
- Google Talk Plugin Video Accelerator version:0.1.44.23
- Shockwave Flash 11.5 r502
- Displays Java applet content, or a placeholder if Java is not installed.
- WebEx64 General Plugin Container Version 205
- The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.
- Microsoft Office for Mac SharePoint Browser Plug-in
- Office Live Update v1.0
- Adobe Shockwave for Director Netscape plug-in, version 11.6.5
- Picasa plugin.
- npmnqmp 071706000001
- User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:15.0) Gecko/20100101 Firefox/15.0
Try updating to Firefox 18.0.2 first, the proxy support has been improved in that version.
I tried 18.0.2, I see same issue. FF does not respond to NTLM_CHALLENGE over GSSAPI.
Looks like I have the issue as explained in section - "Negotiate external libraries" at http://dev.chromium.org/developers/design-documents/http-authentication