Closed
Bug 240643
Opened 21 years ago
Closed 20 years ago
Suppress bogus Kerberos prompt on Mac OSX [was: Autthentication Failover not fully supported between connection based Authentication Types]
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
mozilla1.8alpha2
People
(Reporter: cneberg, Assigned: darin.moz)
Details
(Keywords: fixed-aviary1.0, fixed1.7.5)
Attachments
(1 file, 2 obsolete files)
(deleted),
patch
|
mkaply
:
approval1.7.5+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
With every new connection all of the auth types are tried in order if all of the
types don't support re-using the cached challenge. They ignore what worked
previously. This is why on a Mac users retrieve repeated Kerberos prompts to
get credentials. If they click cancel on the prompt they will get another
prompt later, when a new connection is made.
I can think of two possible solutions.
1. Turn prompting off for Negotiate on Mac OS X. (I have a patch to do this,
but it doesn't solve the general problem). But if the problem is server side, it
will still re-try and fail with every new connection.
2. Find some way of caching the last successful authentication type for a
particular server and try that first. This is already done for authentication
types where the challenge can be reused, but not types like NTLM or Negotiate
that don't re-use a challenge.
Reproducible: Didn't try
Steps to Reproduce:
Reporter | ||
Comment 1•21 years ago
|
||
Comment 2•20 years ago
|
||
Adding myself to the CC list, and hoping that someone can help review this patch
soon. The kerberos prompting occurs repeatedly during an Outlook Web Access
session, and can get a little frustrating if one uses Mozilla or Firebird on Mac
to read mail.
Reporter | ||
Comment 3•20 years ago
|
||
I agree we should at least start discussing this problem I'm not sure if this is
the correct solution though.
From your comments in the other bug (Bug 238316), it seems in your situation you
don't have kerberos credentials at all. So for the time being you should disable
SPNEGO support since it is really of no value to you and at this point is mainly
an annoyance. (http://bugzilla.mozilla.org/show_bug.cgi?id=238316#c18)
I don't know how common your problem is, most people who have an IIS box which
is new enough to support Integrated Windows authentication, are also using
Active Directory which supports kerberos.
Comment 4•20 years ago
|
||
Thank you, the suggested change to suppress the kerberos authentication worked
well in both Moz and Firefox. Both can now log in securely to Exchange 2000
without seeing the extraneous authentication dialog. Not a fix, but a workaround.
Thanks.
Assignee | ||
Comment 5•20 years ago
|
||
Comment on attachment 146225 [details] [diff] [review]
Mac OS X patch to disable prompting
r+sr=darin
I'm happy to get this into the tree if it will stave off problems like this.
If there is something better that we should be doing instead, we can always
back this out and do that instead.
Attachment #146225 -
Flags: superreview+
Attachment #146225 -
Flags: review+
Assignee | ||
Comment 6•20 years ago
|
||
Perhaps we should try to get this in for FFox 1.0 and Moz 1.7.1?
Flags: blocking1.7.1?
Flags: blocking-aviary1.0?
Target Milestone: --- → mozilla1.8alpha2
Assignee | ||
Comment 7•20 years ago
|
||
Assignee | ||
Updated•20 years ago
|
Attachment #146225 -
Flags: approval1.7.1?
Assignee | ||
Comment 8•20 years ago
|
||
fixed-on-trunk
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 9•20 years ago
|
||
I guess this means that this bug has morphed a bit. It was about fixing the
more generic problem. However, I'd rather we open a new bug if there is indeed
more work to be done. Since we want to get this patch into 1.7.1 and ffox 1.0,
I think it simplifies project management to have separate bugs.
Summary: Autthentication Failover not fully supported between connection based Authentication Types → Suppress bogus Kerberos prompt on Mac OSX [was: Autthentication Failover not fully supported between connection based Authentication Types]
Assignee | ||
Comment 10•20 years ago
|
||
REOPENING this bug. the patch broke the tinderbox OSX builds.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Updated•20 years ago
|
Attachment #146225 -
Flags: approval1.7.1?
Assignee | ||
Comment 11•20 years ago
|
||
Here's the build error from "Darwin 6.8 monkey":
c++ -o nsNegotiateAuthGSSAPI.o -c -DOSTYPE=\"Darwin6.8\" -DOSARCH=\"Darwin\"
-DHAVE_DEPENDENT_LIBS -DUSE_GSSAPI -I../../dist/include/xpcom
-I../../dist/include/string -I../../dist/include/necko -I../../dist/include/pref
-I../../dist/include/negotiateauth -I../../dist/include
-I/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/obj/dist/include/nspr
-I. -fPIC -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith
-Wcast-align -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy
-Wno-non-virtual-dtor -Wno-long-long -fpascal-strings -no-cpp-precomp
-fno-common -fshort-wchar -I/Developer/Headers/FlatCarbon -pipe -DNDEBUG
-DTRIMMED -O -DMOZILLA_CLIENT -include ../../mozilla-config.h
-Wp,-MD,.deps/nsNegotiateAuthGSSAPI.pp
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:
In
member function `virtual nsresult nsNegotiateAuth::GetNextToken(const void*,
unsigned int, void**, PRUint32*)':
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224:
`
KLBoolean' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224:
(Each
undeclared identifier is reported only once for each function it appears
in.)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:224:
parse
error before `;' token
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225:
`
kerberosVersion_V5' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225:
`
found' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225:
`
KLCacheHasValidTickets' undeclared (first use this function)
/builds/tinderbox/SeaMonkey/Darwin_6.8_Depend/mozilla/extensions/negotiateauth/nsNegotiateAuthGSSAPI.cpp:225:
`
klNoErr' undeclared (first use this function)
I guess that we are missing some header file???
Comment 12•20 years ago
|
||
Patch was just missing a header. Checked in to trunk.
Attachment #146225 -
Attachment is obsolete: true
Attachment #151876 -
Attachment is obsolete: true
Assignee | ||
Comment 13•20 years ago
|
||
Thanks Javier!!
Assignee | ||
Comment 14•20 years ago
|
||
marking FIXED again.
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 15•20 years ago
|
||
Comment on attachment 151884 [details] [diff] [review]
added missing header
would be good to get this on the 1.7 branch. only affects Mac OSX users.
Attachment #151884 -
Flags: approval1.7.1?
Comment 16•20 years ago
|
||
Comment on attachment 151884 [details] [diff] [review]
added missing header
a=mkaply
Attachment #151884 -
Flags: approval1.7.1? → approval1.7.1+
Assignee | ||
Updated•20 years ago
|
Whiteboard: needed-aviary1.0?
Comment 18•20 years ago
|
||
Darin, can you land this on the aviary branch as well?
Whiteboard: needed-aviary1.0? → needed-aviary1.0
Assignee | ||
Comment 19•20 years ago
|
||
fixed-aviary1.0
actually, i ported the entire trunk spnego+ntlm code onto the aviary 1.0 branch,
see bug 246861.
Whiteboard: needed-aviary1.0 → fixed-aviary1.0
Assignee | ||
Comment 20•20 years ago
|
||
er, i meant see bug 237586.
Updated•20 years ago
|
Flags: blocking-aviary1.0?
Updated•20 years ago
|
Keywords: fixed-aviary1.0
Whiteboard: fixed-aviary1.0
You need to log in
before you can comment on or make changes to this bug.
Description
•