Closed Bug 240643 Opened 21 years ago Closed 20 years ago

Suppress bogus Kerberos prompt on Mac OSX [was: Autthentication Failover not fully supported between connection based Authentication Types]

Categories

(Core :: Networking: HTTP, defect)

defect
Not set
normal

RESOLVED FIXED
mozilla1.8alpha2

People

(Reporter: cneberg, Assigned: darin.moz)

Details

(Keywords: fixed-aviary1.0, fixed1.7.5)

Attachments

(1 file, 2 obsolete files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
With every new connection all of the auth types are tried in order if all of the types don't support re-using the cached challenge. They ignore what worked previously. This is why on a Mac users retrieve repeated Kerberos prompts to get credentials. If they click cancel on the prompt they will get another prompt later, when a new connection is made.
I can think of two possible solutions.
1. Turn prompting off for Negotiate on Mac OS X. (I have a patch to do this, but it doesn't solve the general problem). But if the problem is server side, it will still re-try and fail with every new connection.
2. Find some way of caching the last successful authentication type for a particular server and try that first. This is already done for authentication types where the challenge can be reused, but not types like NTLM or Negotiate that don't re-use a challenge.
Reproducible: Didn't try
Steps to Reproduce:
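Option 2 from the report above, sketched as an added example (not part of the original report, the bug's patches, or Necko): a per-origin cache that moves the last successful scheme to the front of the attempt list and demotes schemes that failed or were cancelled. `AuthSchemeCache`, its methods and the sample origin are hypothetical names.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical helper (not Necko code): per-origin memory of which
// authentication scheme last succeeded and which failed or were cancelled.
class AuthSchemeCache {
public:
    void RecordSuccess(const std::string& origin, const std::string& scheme) {
        Entry& e = entries_[origin];
        e.lastGood = scheme;
        e.failed.erase(scheme);
    }
    void RecordFailure(const std::string& origin, const std::string& scheme) {
        Entry& e = entries_[origin];
        e.failed.insert(scheme);
        if (e.lastGood == scheme) e.lastGood.clear();
    }
    // `offered` holds the schemes from this response's WWW-Authenticate
    // headers in the client's default order. Only those are returned, so a
    // stale entry can reorder the attempt list but never add a scheme to it.
    std::vector<std::string> Order(const std::string& origin,
                                   const std::vector<std::string>& offered) const {
        auto it = entries_.find(origin);
        if (it == entries_.end()) return offered;
        const Entry& e = it->second;
        std::vector<std::string> first, rest, last;
        for (const std::string& s : offered) {
            if (s == e.lastGood) first.push_back(s);
            else if (e.failed.count(s)) last.push_back(s);
            else rest.push_back(s);
        }
        first.insert(first.end(), rest.begin(), rest.end());
        first.insert(first.end(), last.begin(), last.end());
        return first;
    }
private:
    struct Entry { std::string lastGood; std::set<std::string> failed; };
    std::map<std::string, Entry> entries_;
};

int main() {
    AuthSchemeCache cache;  // origin and scheme list below are constructed sample data
    cache.RecordFailure("https://mail.example.test:443", "Negotiate");
    cache.RecordSuccess("https://mail.example.test:443", "NTLM");
    for (const auto& s : cache.Order("https://mail.example.test:443", {"Negotiate", "NTLM", "Basic"}))
        std::cout << s << '\n';
}
```

With the sample data, a new connection to the origin tries NTLM first and reaches Negotiate only after every other offered scheme, so a cancelled Kerberos prompt is not repeated while another scheme keeps working.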
Attached patch Mac OS X patch to disable prompting (obsolete) (deleted) — Splinter Review
Adding myself to the CC list, and hoping that someone can help review this patch soon. The Kerberos prompting occurs repeatedly during an Outlook Web Access session, and can get a little frustrating if one uses Mozilla or Firebird on Mac to read mail.
I agree we should at least start discussing this problem; I'm not sure if this is the correct solution, though. From your comments in the other bug (Bug 238316), it seems in your situation you don't have Kerberos credentials at all. So for the time being you should disable SPNEGO support, since it is really of no value to you and at this point is mainly an annoyance. (http://bugzilla.mozilla.org/show_bug.cgi?id=238316#c18) I don't know how common your problem is; most people who have an IIS box which is new enough to support Integrated Windows authentication are also using Active Directory, which supports Kerberos.
Thank you, the suggested change to suppress the Kerberos authentication worked well in both Moz and Firefox. Both can now log in securely to Exchange 2000 without seeing the extraneous authentication dialog. Not a fix, but a workaround. Thanks.
Comment on attachment 146225: Mac OS X patch to disable prompting
r+sr=darin
I'm happy to get this into the tree if it will stave off problems like this. If there is something better that we should be doing instead, we can always back this out and do that instead.
Attachment #146225 - Flags: superreview+
Attachment #146225 - Flags: review+
Perhaps we should try to get this in for FFox 1.0 and Moz 1.7.1?
Flags: blocking1.7.1?
Flags: blocking-aviary1.0?
Target Milestone: --- → mozilla1.8alpha2
Attached patch version of patch checked in on the trunk (obsolete) (deleted) — Splinter Review
Attachment #146225 - Flags: approval1.7.1?
fixed-on-trunk
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
I guess this means that this bug has morphed a bit. It was about fixing the more generic problem. However, I'd rather we open a new bug if there is indeed more work to be done. Since we want to get this patch into 1.7.1 and ffox 1.0, I think it simplifies project management to have separate bugs.
Summary: Autthentication Failover not fully supported between connection based Authentication Types → Suppress bogus Kerberos prompt on Mac OSX [was: Autthentication Failover not fully supported between connection based Authentication Types]
REOPENING this bug. the patch broke the tinderbox OSX builds.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #146225 - Flags: approval1.7.1?
Here's the build error from "Darwin 6.8 monkey":
c++ -o nsNegotiateAuthGSSAPI.o -c -DOSTYPE=\"Darwin6.8\" -DOSARCH=\"Darwin\" -DHAVE_DEPENDENT_LIBS -DUSE_GSSAPI -I../../dist/include/xpcom -I../../dist/include/string -I../../dist/include/necko -I../../dist/include/pref -I../../dist/include/negotiateauth -I../../dist/include -I/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/obj/dist/include/nspr -I. -fPIC -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wno-long-long -fpascal-strings -no-cpp-precomp -fno-common -fshort-wchar -I/Developer/Headers/FlatCarbon -pipe -DNDEBUG -DTRIMMED -O -DMOZILLA_CLIENT -include ../../mozilla-config.h -Wp,-MD,.deps/nsNegotiateAuthGSSAPI.pp /builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp: In member function `virtual nsresult nsNegotiateAuth::GetNextToken(const void*, unsigned int, void**, PRUint32*)':
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: ` KLBoolean' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: (Each undeclared identifier is reported only once for each function it appears in.)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224: parse error before `;' token
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` kerberosVersion_V5' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` found' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` KLCacheHasValidTickets' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225: ` klNoErr' undeclared (first use this function)
I guess that we are missing some header file???
Attached patch added missing header (deleted) — Splinter Review
Patch was just missing a header. Checked in to trunk.
Attachment #146225 - Attachment is obsolete: true
Attachment #151876 - Attachment is obsolete: true
Thanks Javier!!
marking FIXED again.
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → FIXED
Comment on attachment 151884: added missing header
would be good to get this on the 1.7 branch. only affects Mac OSX users.
Attachment #151884 - Flags: approval1.7.1?
Comment on attachment 151884: added missing header
a=mkaply
Attachment #151884 - Flags: approval1.7.1? → approval1.7.1+
fixed1.7.1
Flags: blocking1.7.1?
Keywords: fixed1.7.1
Whiteboard: needed-aviary1.0?
Darin, can you land this on the aviary branch as well?
Whiteboard: needed-aviary1.0? → needed-aviary1.0
fixed-aviary1.0 actually, i ported the entire trunk spnego+ntlm code onto the aviary 1.0 branch, see bug 246861.
Whiteboard: needed-aviary1.0 → fixed-aviary1.0
er, i meant see bug 237586.
Flags: blocking-aviary1.0?
Keywords: fixed-aviary1.0
Whiteboard: fixed-aviary1.0