User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3 Build Identifier: version 1.5.0.2 (20060308) If Thunderbird is configured to use GSSAPI authentication on OS X, and the user does not have tickets or has expired tickets, an error dialog with the following is presented: You cannot log in to SERVERNAME because you have enabled secure authentication and this server does not support it. To log in, turn off secure authentication for this account. First, the error message is a lie, sicne the server does indeed support secure authentication (via GSSAPI). However, Thunderbird should not simply fail, but should instead use the appropriate function call to have the OS bring up the Kerberos login dialog. I believe that on Windows, when using MIT Kerberos for Windows, Thunderbird does the correct thing. Reproducible: Always Steps to Reproduce: 1. Configure Thunderbird to authenticate via GSSAPI 2. Don't get tickets. 3. Launch Thunderbird and see the error dialog. Expected Results: Prompt the user to get Kerberos tickets via the OS provided interface.

The prompting problem should be fixed on the trunk by bug #307788 - this fix hasn't been pulled into the 1.5 releases, as there was a desire to get more test exposure. The poor quality error message is a problem. I'll claim this bug and have a look at sorting the code so it can tell the difference between SASL mechanisms failing, and not being supported at all.

xref bug 370178, bug 278227

2.0.0.8 and higher should work according bug 307788

This bug is tracking the problem with the quality of the error messages when a SASL mechanism fails, not the issue with ticket prompting. This is still an issue - you can't tell when a mechanism has failed, and when one just isn't supported. Reopening, de-duplicating.

Reproduced with thunderbird-2.0.0.19-1.fc10.x86_64 Suggesting to switch Kerberos authentication just because my ticket has expired (and not telling me that -- even I could parse output of klist if worst comes to worst, but I guess Kerberos library provides better way how to do it), saying that is total crazy talk.

... and it is not platform dependent .. reproduced on Fedora 10

Yes, this is a general problem. The big issue is that at the moment, we don't get told that you _wanted_ to try Kerberos authentication, and there are a huge number of servers on the net that claim to support GSSAPI, but just don't. So, we try GSSAPI whenever we can, but hide the errors from the user and move on. If we can't move on, as in this case, the default error message comes up. None of this is ideal. I've got another bug open which concerns adding UI so that the user will explicitly request Kerberos - that will allow us to give users who know they are using Kerberos better errors when it fails.

Simon, is this still true in shredder nightlies? It's a bit hard to figure out from this bug. What's the other bug about the UI? Denying blocking or wanted status for now, could reconsider w/ more info.

David it is true for latest nightlies. It just silently fails for my case and tried next authentication. http://groups.google.com/group/mozilla.dev.apps.thunderbird/browse_thread/thread/bbae709de00d623e

David, other bug about UI is bug 370178

The patch in bug 525238 has the groundwork for this.

This should be fixed as part of bug 525238.