Firefox and Kerberos

    Question

  • I recall this happening to me when I was configuring a new web app using Kerberos Auth in SP2013. Firefox rendered the site without any issue even though an SPN wasn't created for that specific web app. Again, while I'm waiting for creation of the SPN, I just tested and found out IE and Chrome refuse to render while Firefox no problemo :)

    Does anyone have a logical explanation for this?

    Thursday, December 28, 2017 3:50 PM

Answers

  • Great question.  I just researched this, because I wasn’t exactly sure myself.  This may be because Firefox was already configured for SPNEGO (see below) support and therefore passed the client credentials to the remote web server even though there was no SPN configured.

    1. In the Firefox address field navigate to about:config
    2. Click past the warning of harmful consequences.
    3. Type negotiate-auth into the filter at the top of the page, in order to remove most of the irrelevant settings from the list.
    4. Double-click on network.negotiate-auth.trusted-uris. A dialogue box for editing the value should appear.
    5. Verify that you have familiar hostname(s) and/or URL prefix(es) from your Active Directory domain/Kerberos realm/network in this field.

    Note that the above does not talk about the requirement for an SPN.  As the Firefox web client has already made a connection to the remote server, this configuration sends the Kerberos service ticket onwards to that remote web server based on URL pattern being whitelisted in the network.negotiate-auth.trusted-uris parameter, even though no SPN is defined.

    References:

    Configure Firefox to authenticate using SPNEGO and Kerberos

    Firefox Integrated Authentication


    Best Regards, Todd Heron | Active Directory Consultant

    Saturday, December 30, 2017 1:35 PM
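
An added example, not part of the original thread and not Mozilla's code: a Python sketch that pulls the network.negotiate-auth.* values out of a profile's prefs.js text and evaluates a URL against the trusted-uris list, so the check in steps 1 to 5 can be repeated across profiles. The matching rules (scheme, exact host or subdomain, port) are a simplified model assumed here, the sample prefs and hostnames are constructed, and the check for entries with no host part goes slightly beyond the steps above.

```python
import re
from urllib.parse import urlsplit

# Constructed prefs.js excerpt (sample data for this example only).
SAMPLE_PREFS = '''\
user_pref("browser.startup.page", 3);
user_pref("network.negotiate-auth.trusted-uris", "https://, .corp.example.com");
user_pref("network.negotiate-auth.delegation-uris", "");
'''

# Matches user_pref()/pref()/lockPref() lines that set a negotiate-auth pref.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref)\(\s*"(network\.negotiate-auth\.[\w.-]+)"'
    r'\s*,\s*(.+?)\s*\)\s*;', re.M)
DEFAULT_PORTS = {"http": 80, "https": 443}

def negotiate_prefs(prefs_text):
    """Return {pref name: value} for each network.negotiate-auth.* pref set."""
    return {name: raw.strip('"') for name, raw in PREF_RE.findall(prefs_text)}

def parse_entry(entry):
    """Split a list entry into (scheme, host, port); an empty part is a wildcard.
    IPv6 literals are not handled."""
    scheme, sep, rest = entry.strip().partition("://")
    if not sep:
        scheme, rest = "", entry.strip()
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme.lower(), host.lower().lstrip("."), port

def entries(trusted_uris):
    return [e.strip() for e in trusted_uris.split(",") if e.strip()]

def is_trusted(url, trusted_uris):
    """Simplified allow-list match: scheme, exact host or subdomain, port."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = str(u.port or DEFAULT_PORTS.get(u.scheme, ""))
    for scheme, ehost, eport in map(parse_entry, entries(trusted_uris)):
        if (scheme and scheme != u.scheme) or (eport and eport != port):
            continue
        if not ehost or host == ehost or host.endswith("." + ehost):
            return True
    return False  # a blank list trusts nothing in this model

def overbroad(trusted_uris):
    """Entries with no host part (such as a bare scheme) match every site."""
    return [e for e in entries(trusted_uris) if not parse_entry(e)[1]]
```

Pass the contents of a real profile's prefs.js (or an enterprise AutoConfig file) to `negotiate_prefs` in place of `SAMPLE_PREFS`; anything returned by `overbroad` deserves review because it offers Negotiate to every site on that scheme.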

All replies

  • Hi Asfaw Ayele,

    For Internet Explorer, ensure that the URLs for the web applications are in the intranet zone or a zone that is configured to automatically authenticate with Integrated Windows Authentication.

    This forum is for SharePoint 2016 on-premise. As this question is not related to SharePoint, I suggest you create a new thread on the pertinent forum.

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.

    Thank you for your understanding.

    Best Regards,

    Linda Zhang


    Friday, December 29, 2017 6:32 AM
    Moderator
  • Hello Todd,

    Thank you for your in-depth analysis and answer. But one thing that is still mysterious is that the "network.negotiate-auth.trusted-uris" value is blank. Is there any GPO or any other settings I can check?

    Thank you again for your thoughtful answer.

    Wednesday, January 3, 2018 4:09 PM
  • That's fascinating.  The Firefox network.negotiate-auth.trusted-uris parameter is blank, yet it renders the page requiring Kerberos authentication anyway?  Scratching my head at this moment, as there is no Microsoft out-of-the-box GPO that controls Firefox.  SSO shouldn't work in Firefox if that parameter is blank, unless due to the way the web app is written it is accepting some previously cached session cookie.  If I think of something, I'll come back to this.

    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, January 4, 2018 1:02 AM
  • Yeah, it's very intriguing. I tried to trace using Fiddler and to your surprise Kerberos was listed. 
    Thursday, January 4, 2018 7:01 PM