Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Authentication not using Kerberos

more options

We have an issue internally using Firefox against an IIS server that is using Kernel Mode Authentication. When using IE kerberos authentication is properly used. However when we use FireFox the browser keeps falling back to NTLM authentication.

We have talked to Microsoft and because this works in IE they believe it is a FireFox issue. We would like some help to determine why FireFox can't seems to use Kerberos with our server that is running Kernel Mode Authentication. We are not sure if Kernel Mode is what is causing issues but it seems to be the one difference between this service and others that properly use Kerberos in FireFox.

Can you provide some support to help us figure out why FireFox is falling back to NTLM? We are unable to determine why this is happening in the browser.

We have an issue internally using Firefox against an IIS server that is using Kernel Mode Authentication. When using IE kerberos authentication is properly used. However when we use FireFox the browser keeps falling back to NTLM authentication. We have talked to Microsoft and because this works in IE they believe it is a FireFox issue. We would like some help to determine why FireFox can't seems to use Kerberos with our server that is running Kernel Mode Authentication. We are not sure if Kernel Mode is what is causing issues but it seems to be the one difference between this service and others that properly use Kerberos in FireFox. Can you provide some support to help us figure out why FireFox is falling back to NTLM? We are unable to determine why this is happening in the browser.

All Replies (3)

more options

As the first step, you need to "whitelist" host names for those servers in Firefox's preferences. See: https://developer.mozilla.org/docs/Integrated_Authentication

There is also a discussion in this article: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

Interactively, you can make changes in about:config which results in changes to the current prefs.js file. For deployment/management, you usually would use an AutoConfig file.

more options

The configuration is not the problem. We have both the trusted and delegation uris configured. Kerberos works fine in Firefox against other hosts on the same network. Kerberos also works fine against this host in IE. The only issue is with this particular host and Firefox and as I said above the only difference I can determine is that this particular host uses Kernel Mode Authentication.

Also, when I watch on the server it does perform a preauth check as if it is going to do a Kerberos request but Firefox seems to fallback to NTLM when it does the actual authentication.

I need to figure out why Firefox is performing this fallback to NTLM.

more options

I didn't see anything in Bugzilla that seemed relevant to this (https://bugzilla.mozilla.org/), but I may not have used the right search terms.

If you don't find anything quickly, you may want to file a new bug so you can engage with the developers on tracing what's going on.

This bug fixed in Firefox 20 illustrates the kind of analysis you might participate in: #857291 – SPNEGO / MS KRB5 no longer working. Tries to use NTLM SSP instead.

I also saw a report that Firefox would fall back to NTLM on a non-standard port, but that doesn't sound relevant to your configuration: (#497057 – FireFox cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port]).

Modified by jscher2000 - Support Volunteer