[Mozilla Enterprise] Firefox ADFS 3.0 Kerberos SSO Best practices

Mickael CINIER/FGA/FR mickael.cinier at fgvictimes.fr
Tue Jul 28 13:30:42 UTC 2020


Hello everyone,

In my company I recently deployed Firefox ESR 78.0.2, with an "oldschool" 
configuration style: we use a few policies in policies.json, we set 
preferences in a centralized .cfg file. No GPOs. 

I am asking for your help on a Firefox SSO issue with ADFS, using 
Kerberos. This authentication method works great with IE 11 and Chrome. My 
goal is to be able to perform Kerberos SSO without having to modify the 
ADFS parameter "ExtendedProtectionTokenCheck", without using Forms Based 
Authentication, and without using the NTLM protocol.


For this, countless hours of Internet research seem to say that:
- I need to have my user agent in the ADFS parameter 
WIASupportedUserAgents --> Done. I've added "Mozilla5/0", "Firefox" and 
"Firefox/78.0" to the existing list for testing, then restarted the adfs 
service (only 1 server in the adfs farm). The first one made Chrome SSO 
work.

- I need to put ".mydomain.fr" at least in the preference 
network.negotiate-auth.trusted-uris. For information, my IDP is part of 
this domain. --> Done. I've also tried putting it in 
network.negotiate-auth.delegation-uris and 
network.automatic-ntlm-auth.trusted-uris. I've tried to put more specific 
URIs. I've also tried to set network.negotiate-auth.allow-proxies, 
network.automatic-ntlm-auth.allow-proxies, 
network.negotiate-auth.allow-non-fqdn, 
network.automatic-ntlm-auth.allow-non-fqdn and signon.autologin.proxy to 
true.
I have also tried:
- to mess with the network.auth.use-sspi and 
network.negotiate-auth.using-native-gsslib preferences

- to override Firefox's default user agent by setting 
"general.useragent.override" to "Firefox"

- to accept all cookies parameters I could find

Nothing works. During troubleshooting (I used the SAML Tracer extension 
for Firefox) I noticed that Firefox is first trying to negotiate 
authentication using Kerberos, then NTLM when it fails. When failing, I 
either get an Error 500 (internal server error, when 
network.auth.force-generic-ntlm is set to false) or 401 (unauthorized, 
when network.auth.force-generic-ntlm is set to true).

On the ADFS side, WIA is the only Intranet authentication method; we do 
not want to enable FBA. For testing, if I change the 
ExtendedProtectionTokenCheck parameter from "Allow" to "None", SSO works, 
but since it is a security parameter, we do not want to do that.


The question is: are there some uncommon Firefox / ADFS parameters that 
could interfere with Firefox's Kerberos authentication? What are the best 
practices?

Best regards,

Mickael CINIER

64 bis avenue Aubert 94300 VINCENNES
01.73.73.56.05
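A minimal policies.json Authentication block for the setup described in the message above, added here as an illustration and not taken from the original post; the IdP host name idp.mydomain.fr is a placeholder for the real ADFS server. It scopes SPNEGO to the IdP only, leaves the NTLM and delegation lists empty so that Firefox has no site it is allowed to fall back to NTLM or forward credentials for, and keeps non-FQDN hosts out of the Kerberos path (an unqualified host name cannot be mapped to a proper service principal, which is one reason negotiation fails):

```json
{
  "policies": {
    "Authentication": {
      "SPNEGO": ["https://idp.mydomain.fr"],
      "Delegated": [],
      "NTLM": [],
      "AllowNonFQDN": { "SPNEGO": false, "NTLM": false },
      "PrivateBrowsing": false,
      "Locked": true
    }
  }
}
```

With the list limited to the IdP's FQDN rather than the whole domain, only that host ever receives a Kerberos ticket from the browser, and about:policies shows whether the block was actually loaded.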