[Mozilla Enterprise] Firefox ADFS 3.0 Kerberos SSO Best practices
Mike Kaply
mkaply at mozilla.com
Fri Jul 31 19:59:53 UTC 2020
So it looks like this is a missing feature in Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=1179722
We're trying to locate what Chrome did to support it so we could possibly
reuse that code.
Mike
On Wed, Jul 29, 2020 at 7:01 AM Mickael CINIER/FGA/FR <
mickael.cinier at fgvictimes.fr> wrote:
> Hello everyone,
>
> In my company I recently deployed Firefox ESR 78.0.2, with an "old-school"
> configuration style: we use a few policies in policies.json, we set
> preferences in a centralized .cfg file. No GPOs.
>
> I am asking for your help on a Firefox SSO issue with ADFS, using
> Kerberos. This authentication method works great with IE 11 and Chrome. My
> goal is to be able to perform Kerberos SSO without having to modify the
> ADFS parameter "ExtendedProtectionTokenCheck", without using Forms Based
> Authentication, and without using the NTLM protocol.
>
>
> For this, countless hours of Internet research seem to say that:
> - I need to have my user agent in the ADFS parameter
> WIASupportedUserAgents --> Done. I've added "Mozilla5/0", "Firefox" and
> "Firefox/78.0" to the existing list for testing, then restarted the adfs
> service (only 1 server in the adfs farm). The first one made Chrome SSO
> work.
>
>
> - I need to put ".mydomain.fr" at least in the preference
> network.negotiate-auth.trusted-uris. For information, my IDP is part of
> this domain --> Done. I've also tried putting it in
> network.negotiate-auth.delegation-uris and
> network.automatic-ntlm-auth.trusted-uris. I've tried to put more specific
> URIs. I've also tried to set network.negotiate-auth.allow-proxies,
> network.automatic-ntlm-auth.allow-proxies,
> network.negotiate-auth.allow-non-fqdn,
> network.automatic-ntlm-auth.allow-non-fqdn and signon.autologin.proxy to
> true.
>
>
> I have also tried:
> - to mess with network.auth.use-sspi and
> network.negotiate-auth.using-native-gsslib preferences
>
> - to override Firefox's default useragent by setting the
> "general.useragent.override" to "Firefox"
>
> - to accept all cookies parameters I could find
>
> Nothing works. During troubleshooting (I used the SAML Tracer extension
> for Firefox) I noticed that Firefox is first trying to negotiate
> authentication using Kerberos, then NTLM when it fails. When failing, I
> either get an Error 500 (internal server error, when
> network.auth.force-generic-ntlm is set to false) or 401 (unauthorized, when
> network.auth.force-generic-ntlm is set to true).
>
> On the ADFS side, WIA is the only Intranet authentication method, we do
> not want to enable FBA. For testing, if I change the
> ExtendedProtectionTokenCheck parameter from "Allow" to "None", SSO works
> but since it is a security parameter, we do not want to do that.
>
>
> The question is: are there some uncommon Firefox / ADFS parameters that
> could interfere with Firefox's Kerberos authentication? What are the best
> practices?
>
> Best regards
> *Mickael CINIER*
>
> 64 bis avenue Aubert 94300 VINCENNES
> 01.73.73.56.05 -
>
>
> <https://rapportdactivite.fondsdegarantie.fr/2018/> *Discover our
> Fonds de garantie annual report.*
>
> *View the report* <https://rapportdactivite.fondsdegarantie.fr/2018/>
>
> Visit our website www.fondsdegarantie.fr
> <http://www.fondsdegarantie.fr>
>
> This e-mail and any attachment thereto, sent by Fonds de garantie, are
> intended solely for the addressee. It may contain privileged or
> confidential information. If you are not the intended recipient, any
> retention, dissemination, distribution or copying of this message is
> strictly prohibited. If you have received this message in error, please
> notify the sender immediately by return e-mail and delete the original
> transmission. Any opinion expressed in this message may be personal to the
> author and may not necessarily reflect the opinion of Fonds de garantie. As
> the Internet cannot guarantee the integrity of this message, Fonds de
> garantie will not therefore be liable for the message if modified. Presence
> of this message also proves that an antivirus program has checked this
> e-mail.
> _______________________________________________
> Enterprise mailing list
> Enterprise at mozilla.org
> https://mail.mozilla.org/listinfo/enterprise
>
> To unsubscribe from this list, please visit
> https://mail.mozilla.org/listinfo/enterprise or send an email to
> enterprise-request at mozilla.org with a subject of "unsubscribe"
>
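The two configuration points the original poster walks through, the AD FS WIASupportedUserAgents list and the Firefox Negotiate trusted URIs, scripted the way a Windows administrator would deploy them. This is an added example, not code from the thread, from Mozilla or from Microsoft. It assumes the ADFS PowerShell module on the federation server, a Firefox ESR install under Program Files on the clients, and the ".mydomain.fr" suffix from the post; the user-agent token "Firefox" is one of the values the poster tested. It does not change ExtendedProtectionTokenCheck: Mike's reply points at bug 1179722, a missing Firefox feature, so on this Firefox version correct configuration of these two pieces still leaves SSO failing while that setting stays at "Allow".

```powershell
# Added example for this thread (not the poster's or Mozilla's code).
# Assumptions: run section 1 in an elevated session on the AD FS server;
# run section 2 on the Firefox clients; SSO domain suffix is ".mydomain.fr".

# --- 1. AD FS side --------------------------------------------------------
Import-Module ADFS

$props = Get-AdfsProperties

# WIASupportedUserAgents is a substring match on the browser's User-Agent.
# A browser that does not match gets forms-based authentication instead of
# the 401 "WWW-Authenticate: Negotiate" challenge, so add "Firefox" once.
$agents = @($props.WIASupportedUserAgents)
foreach ($ua in @('Firefox')) {
    if ($agents -notcontains $ua) { $agents += $ua }
}
Set-AdfsProperties -WIASupportedUserAgents $agents

# Read, but do not weaken, the Extended Protection (channel binding) check.
# Valid values are None, Allow and Require; the poster saw SSO work only at
# None and rightly did not want to keep it there.
Write-Host "ExtendedProtectionTokenCheck is: $($props.ExtendedProtectionTokenCheck)"

# Property changes are picked up after a service restart (single-server farm).
Restart-Service adfssrv

# --- 2. Firefox side ------------------------------------------------------
# The "Authentication" enterprise policy is the policies.json equivalent of
# the network.negotiate-auth.* preferences the poster set in the .cfg file.
$policy = @{
    policies = @{
        Authentication = @{
            SPNEGO       = @('.mydomain.fr')           # network.negotiate-auth.trusted-uris
            Delegated    = @('.mydomain.fr')           # network.negotiate-auth.delegation-uris
            NTLM         = @()                         # empty: the poster does not want NTLM
            AllowNonFQDN = @{ SPNEGO = $false; NTLM = $false }   # default; IdP is an FQDN
            Locked       = $true                       # users cannot override in about:config
        }
    }
}

# policies.json lives in the "distribution" folder next to firefox.exe.
# ASCII encoding avoids a UTF-8 BOM in front of the JSON.
$dist = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
New-Item -ItemType Directory -Path $dist -Force | Out-Null
$policy | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $dist 'policies.json') -Encoding Ascii
```

After deployment, about:policies in Firefox lists the active Authentication policy, and a request to the IdP in the browser's network tool (or the SAML Tracer extension the poster used) should show the 401 response carrying "WWW-Authenticate: Negotiate" rather than a forms login page; if it does not, the user-agent list on the AD FS side is the first thing to recheck.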