Authentication not using Kerberos

We have an issue internally using Firefox against an IIS server that is using Kernel Mode Authentication. When using IE, Kerberos authentication is properly used. However, when we use Firefox, the browser keeps falling back to NTLM authentication.

We have talked to Microsoft, and because this works in IE they believe it is a Firefox issue. We would like some help to determine why Firefox can't seem to use Kerberos with our server that is running Kernel Mode Authentication. We are not sure if Kernel Mode is what is causing issues, but it seems to be the one difference between this service and others that properly use Kerberos in Firefox.

Can you provide some support to help us figure out why Firefox is falling back to NTLM? We are unable to determine why this is happening in the browser.

All Replies (3)

As the first step, you need to "whitelist" host names for those servers in Firefox's preferences. See: https://developer.mozilla.org/docs/Integrated_Authentication

There is also a discussion in this article: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

Interactively, you can make changes in about:config which results in changes to the current prefs.js file. For deployment/management, you usually would use an AutoConfig file.

The configuration is not the problem. We have both the trusted and delegation URIs configured. Kerberos works fine in Firefox against other hosts on the same network. Kerberos also works fine against this host in IE. The only issue is with this particular host and Firefox and, as I said above, the only difference I can determine is that this particular host uses Kernel Mode Authentication.

Also, when I watch on the server, it does perform a preauth check as if it is going to do a Kerberos request, but Firefox seems to fall back to NTLM when it does the actual authentication.

I need to figure out why Firefox is performing this fallback to NTLM.

I didn't see anything in Bugzilla that seemed relevant to this (https://bugzilla.mozilla.org/), but I may not have used the right search terms.

If you don't find anything quickly, you may want to file a new bug so you can engage with the developers on tracing what's going on.

This bug fixed in Firefox 20 illustrates the kind of analysis you might participate in: #857291 – SPNEGO / MS KRB5 no longer working. Tries to use NTLM SSP instead.

I also saw a report that Firefox would fall back to NTLM on a non-standard port, but that doesn't sound relevant to your configuration: (#497057 – FireFox cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port).

Modified by jscher2000 - Support Volunteer
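
Added example, not part of the thread and not Mozilla or Microsoft code: when tracing a fallback like the one discussed above, it helps to confirm what the browser actually put in the `Authorization` header. This Python sketch classifies a header value as raw NTLM, Kerberos, or an SPNEGO offer and lists the offered mechanisms in preference order. The names `classify`, `der` and `sample_negotiate` are illustrative, the sample tokens are constructed, and well-formed input is assumed.

```python
import base64
import struct

# DER-encoded bodies of the well-known mechanism OIDs.
SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos 5", MS_KRB5: "MS Kerberos 5", NTLMSSP: "NTLMSSP"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(header_value):
    """Name the mechanism carried in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM, even under "Negotiate"
        (mtype,) = struct.unpack_from("<I", token, 8)
        return f"{scheme}: raw NTLM {NTLM_TYPES.get(mtype, mtype)}"
    if token[:1] != b"\x60":  # not an initial GSS-API token
        return f"{scheme}: unrecognised token"
    _, pos, _ = _tlv(token, 0)        # [APPLICATION 0] GSS-API wrapper
    _, start, end = _tlv(token, pos)  # thisMech OID
    mech = NAMES.get(token[start:end], "unknown mechanism")
    if mech != "SPNEGO":
        return f"{scheme}: {mech}"
    pos = end  # descend: [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
    for _ in range(4):
        _, pos, seq_end = _tlv(token, pos)
    offered = []
    while pos < seq_end:
        _, start, pos = _tlv(token, pos)
        offered.append(NAMES.get(token[start:pos], "unknown"))
    return f"{scheme}: SPNEGO offering " + ", ".join(offered)

def der(tag, body):  # builds the constructed samples; short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_negotiate(oids):
    """Constructed SPNEGO NegTokenInit header offering oids in order."""
    inner = der(0xA0, der(0x30, der(0xA0, der(0x30, b"".join(der(0x06, o) for o in oids)))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + inner)).decode()
```

A `Negotiate` header that classifies as raw NTLM, or as SPNEGO offering only NTLMSSP, means the client never obtained a Kerberos service ticket for that host, which points the investigation at the SPN and ticket request rather than at the server's handling of the token.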