My personal and professional life

2013-10-29

Enable negotiable authentication in Firefox

Well, I've spent some time investigating this, so I decided to share. I have tried to set up NTLM authentication in Firefox by Googling the web, but what was bugging me was that it was not working, while with IE there was no problem at all. Most of the sites suggested setting network.automatic-ntlm-auth.trusted-uris and I entered the internal sites there. I even tried to enable it for all sites by setting the value "http://,https://", but still no success.
Today, I decided it was about time I found the solution, so I started by refreshing my knowledge from the Internet. Normally, for authentication, the web server sends an HTTP 401 Unauthorized (or Authorization Required) response, so I started investigating the HTTP headers (with the help of the Live HTTP Headers extension) and I noticed that after it Firefox actually sends nothing for the internal host names that I had already set up in network.automatic-ntlm-auth.trusted-uris. Strange? Yes, until at some point I noticed the following:
Authorization: Negotiate ...
So, the web server was actually negotiating the authentication mechanism, instead of asking for NTLM directly, but Firefox wasn't negotiating. This made me think that something was missing, and I searched for other keys related to authentication in about:config. Thus, I found network.negotiate-auth.trusted-uris, and once I set the internal site host names in this value everything fell into place - Firefox was now negotiating the authorization, which actually turned out to be Kerberos.
So whenever you set up automatic authentication for internal sites, consider setting both network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris, so that it works for you even if the authentication mechanism is negotiable.
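
As an added example (not code from the original post), the Python sketch below reproduces the diagnosis described above: it reads the challenge schemes from a 401 response and reports which of the two preferences does not yet cover the site, and it flags bare-scheme entries such as "http://,https://" that trust every site. The sample headers, host name and helper names are constructed, and the entry matching is a simplified assumption that ignores ports and paths and expects one challenge per header line.

```python
from urllib.parse import urlsplit

# Challenge scheme -> Firefox preference named in the post.
PREF_FOR_SCHEME = {
    "negotiate": "network.negotiate-auth.trusted-uris",
    "ntlm": "network.automatic-ntlm-auth.trusted-uris",
}
# Constructed sample: a 401 offering both schemes, NTLM pref already set.
SAMPLE_URL = "https://intranet.corp.example/"
SAMPLE_401 = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
SAMPLE_PREFS = {"network.automatic-ntlm-auth.trusted-uris": "intranet.corp.example"}

def offered_schemes(headers):
    """Lower-cased auth schemes from the WWW-Authenticate lines of a 401."""
    return [v.split()[0].lower() for n, v in headers
            if n.lower() == "www-authenticate" and v.strip()]

def entry_matches(entry, url):
    """Simplified match of one trusted-uris entry (assumption, see lead-in)."""
    parts = urlsplit(url)
    scheme, sep, host = entry.strip().lower().rpartition("://")
    if sep and scheme != parts.scheme:
        return False
    if not host:  # a bare "https://" covers every host on that scheme
        return bool(sep)
    target = (parts.hostname or "").lower()
    suffix = host if host.startswith(".") else "." + host
    return target == host or target.endswith(suffix)

def missing_prefs(url, headers, prefs):
    """Preferences that govern an offered scheme but do not cover url."""
    missing = []
    for scheme in offered_schemes(headers):
        pref = PREF_FOR_SCHEME.get(scheme)
        if pref and pref not in missing:
            entries = prefs.get(pref, "").split(",")
            if not any(entry_matches(e, url) for e in entries):
                missing.append(pref)
    return missing

def overbroad_entries(value):
    """Entries such as "https://" that trust every site on a scheme."""
    return [e.strip() for e in value.split(",") if e.strip().endswith("://")]

if __name__ == "__main__":
    print(missing_prefs(SAMPLE_URL, SAMPLE_401, SAMPLE_PREFS))
    print(overbroad_entries("http://,https://"))
```

Listing only the internal host names or a domain suffix in both preferences keeps Firefox from answering Negotiate or NTLM challenges from sites outside that list.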
