<div dir="ltr"><div>So it looks like this is a missing feature in Firefox.</div><div><br></div><div><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1179722">https://bugzilla.mozilla.org/show_bug.cgi?id=1179722</a></div><div><br></div><div>We're trying to locate what Chrome did to support it so we could possibly reuse that code.<br></div><div><br></div><div>Mike<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 29, 2020 at 7:01 AM Mickael CINIER/FGA/FR <<a href="mailto:mickael.cinier@fgvictimes.fr">mickael.cinier@fgvictimes.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><font size="2" face="sans-serif">Hello everyone,</font>
<br>
<br><font size="2" face="sans-serif">In my company I recently deployed Firefox
ESR 78.0.2, with an "oldschool" configuration style: we use a
few policies in policies.json, we set preferences in a centralized .cfg
file. No GPOs. </font>
<br>
<br><font size="2" face="sans-serif">I am asking for your help on a Firefox
SSO issue with ADFS, using Kerberos. This authentication method works great
with IE 11 and Chrome. My goal is to be able to perform Kerberos SSO without
having to modify the ADFS parameter "ExtendProtectionTokenCheck",
without using Forms Based Authentication, and without using the NTLM protocol.</font>
<br>
<br>
<br><font size="2" face="sans-serif">For this, countless hours of Internet
research seem to say that:</font>
<br><font size="2" face="sans-serif">- I need to have my user agent in the
ADFS parameter WIASupportedUserAgents --> Done. I've added "Mozilla5/0",
"Firefox" and "Firefox/78.0" to the existing list for
testing, then restarted the adfs service (only 1 server in the adfs farm).
The first one made Chrome SSO work.</font>
<br><font size="2" face="sans-serif"> </font><img src="cid:173a6752590c204bfcc1" style="border: 0px solid;">
<br>
<br><font size="2" face="sans-serif">- I need to put ".<a href="http://mydomain.fr" target="_blank">mydomain.fr</a>"
at least in the preference network.negotiate-auth.trusted-uris. For information,
my IDP is part of this domain, --> Done. I've also tried putting it
in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris.
I've tried to put more specific URIs. I've also tried to set network.negotiate-auth.allow-proxies,
network.automatic-ntlm-auth.allow-proxies, network.negotiate-auth.allow-non-fqdn,
network.automatic-ntlm-auth.allow-non-fqdn and signon.autologin.proxy to
true.</font>
<br>
<br>
<br><font size="2" face="sans-serif">I have also tried:</font>
<br><font size="2" face="sans-serif">- to mess with network.auth.use-sspi
and network.negotiate-auth.using-native-gsslib preferences</font>
<br>
<br><font size="2" face="sans-serif">- to override Firefox's default useragent
by setting the "general.useragent.override" to "Firefox"</font>
<br>
<br><font size="2" face="sans-serif">- to accept all cookies parameters I
could find</font>
<br>
<br><font size="2" face="sans-serif">Nothing works. During troubleshooting
(I used the SAML Tracer extension for Firefox) I noticed that Firefox is
first trying to negotiate authentication using Kerberos, then NTLM when
it fails. When failing, I either get an Error 500 (internal server error,
when network.auth.force-generic-ntlm is set to false) or 401 (unauthorized,
when network.auth.force-generic-ntlm is set to true).</font>
<br>
<br><img src="cid:173a6752591c204bfcc2" style="border: 0px solid;">
<br>
<br>
<br><font size="2" face="sans-serif">On the ADFS side, WIA is the only Intranet
authentication method, we do not want to enable FBA. For testing, if I
change the ExtendedProtectionTokenCheck parameter from "Allow"
to "None", SSO works but since it is a security parameter, we
do not want to do that.</font>
<br>
<br>
<br><font size="2" face="sans-serif">The question is: are there some uncommon
Firefox / ADFS parameters that could interfere with Firefox's Kerberos
authentication ? What are the best practices ?</font>
<br>
<br><font size="2" face="sans-serif">Best regards</font>
<br>
<table width="515px" border="0">
<tbody><tr><td><u></u>
</td></tr><tr>
<td width="85px" valign="middle">
<img src="cid:173a6752592c204bfcc3">
</td>
<td>
<font size="2" face="Trebuchet ms" color="black"><b>Mickael CINIER</b></font><br>
<font size="2" face="Trebuchet ms" color="grey"><i></i></font><br>
<img src="cid:173a6752592c204bfcc4">
<font size="2" face="Trebuchet ms" color="black"> 64 bis avenue Aubert 94300 VINCENNES</font><br>
<img src="cid:173a6752592c204bfcc5">
<font size="2" face="Trebuchet ms" color="black"> 01.73.73.56.05 - </font><br>
</td>
</tr>
</tbody></table>
<br>
<a>
<br>
<table>
<tbody><tr>
<td><a href="https://rapportdactivite.fondsdegarantie.fr/2018/" target="_blank"><img src="cid:173a6752592c204bfcc6" height="60"></a>
</td><td><font size="2" face="Arial" color="#424200"><b>Découvrez notre rapport annuel Fonds de garantie.</b></font><font size="1" face="Arial"><br>
</font><font size="1" face="Arial" color="#800080"><b><u><br>
</u></b></font><a href="https://rapportdactivite.fondsdegarantie.fr/2018/" target="_blank"><font size="1" face="Arial" color="#0060a0"><b>Voir
le rapport</b></font></a></td></tr></tbody></table>
<br>
<br>
</a><div><a>
</a><a href="http://www.fondsdegarantie.fr" target="_blank">Consultez notre site internet www.fondsdegarantie.fr</a>
<font size="1"><p>Ce courrier électronique et ses éventuelles pièces jointes, envoyés par le Fonds de garantie, sont établis à l'intention exclusive de leur destinataire. Ils sont confidentiels, couverts et protégés par le secret professionnel. Si vous n'êtes pas destinataire de ce message, il vous est strictement interdit de le garder, de le distribuer, de le faire suivre ou de le copier. Merci d'en avertir immédiatement l'expéditeur par un message en retour et de supprimer la transmission originale. Toute opinion exprimée dans ce message est personnelle à son auteur et ne saurait nécessairement refléter celle du Fonds de garantie. L'Internet ne permettant pas d'assurer l'intégrité de ce message, le Fonds de garantie décline toute responsabilité au titre de ce message, dans l'hypothèse où il aurait été modifié. La présence de cette note prouve également que ce message électronique a été vérifié par un logiciel antivirus.</p>
<hr>
<font size="1"><p>This e-mail and any attachment thereto, sent by Fonds de garantie, are intended solely for the addressee. It may contain privileged or confidential informations. If you are not the entended recipient, any retention, dissemination, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the original transmission. Any opinion expressed in this message may be personal to the author and may not necessarily reflect the opinion of Fonds de garantie. As the Internet cannot guarantee the integrity of this message, Fonds de garantie will not therefore be liable for the message if modified. Presence of this message also proves that an antivirus program has checked this e-mail.</p>
</font></font></div>
_______________________________________________<br>
Enterprise mailing list<br>
<a href="mailto:Enterprise@mozilla.org" target="_blank">Enterprise@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/enterprise" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/enterprise</a><br>
<br>
To unsubscribe from this list, please visit <a href="https://mail.mozilla.org/listinfo/enterprise" rel="noreferrer" target="_blank">https://mail.mozilla.org/listinfo/enterprise</a> or send an email to <a href="mailto:enterprise-request@mozilla.org" target="_blank">enterprise-request@mozilla.org</a> with a subject of "unsubscribe"<br>
</blockquote></div>