Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Authentication not using Kerberos

more options

We have an issue internally using Firefox against an IIS server that is using Kernel Mode Authentication. When using IE kerberos authentication is properly used. However when we use FireFox the browser keeps falling back to NTLM authentication.

We have talked to Microsoft and because this works in IE they believe it is a FireFox issue. We would like some help to determine why FireFox can't seems to use Kerberos with our server that is running Kernel Mode Authentication. We are not sure if Kernel Mode is what is causing issues but it seems to be the one difference between this service and others that properly use Kerberos in FireFox.

Can you provide some support to help us figure out why FireFox is falling back to NTLM? We are unable to determine why this is happening in the browser.

We have an issue internally using Firefox against an IIS server that is using Kernel Mode Authentication. When using IE kerberos authentication is properly used. However when we use FireFox the browser keeps falling back to NTLM authentication. We have talked to Microsoft and because this works in IE they believe it is a FireFox issue. We would like some help to determine why FireFox can't seems to use Kerberos with our server that is running Kernel Mode Authentication. We are not sure if Kernel Mode is what is causing issues but it seems to be the one difference between this service and others that properly use Kerberos in FireFox. Can you provide some support to help us figure out why FireFox is falling back to NTLM? We are unable to determine why this is happening in the browser.

Toutes les réponses (3)

more options

As the first step, you need to "whitelist" host names for those servers in Firefox's preferences. See: https://developer.mozilla.org/docs/Integrated_Authentication

There is also a discussion in this article: https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

Interactively, you can make changes in about:config which results in changes to the current prefs.js file. For deployment/management, you usually would use an AutoConfig file.

more options

The configuration is not the problem. We have both the trusted and delegation uris configured. Kerberos works fine in Firefox against other hosts on the same network. Kerberos also works fine against this host in IE. The only issue is with this particular host and Firefox and as I said above the only difference I can determine is that this particular host uses Kernel Mode Authentication.

Also, when I watch on the server it does perform a preauth check as if it is going to do a Kerberos request but Firefox seems to fallback to NTLM when it does the actual authentication.

I need to figure out why Firefox is performing this fallback to NTLM.

more options

I didn't see anything in Bugzilla that seemed relevant to this (https://bugzilla.mozilla.org/), but I may not have used the right search terms.

If you don't find anything quickly, you may want to file a new bug so you can engage with the developers on tracing what's going on.

This bug fixed in Firefox 20 illustrates the kind of analysis you might participate in: #857291 – SPNEGO / MS KRB5 no longer working. Tries to use NTLM SSP instead.

I also saw a report that Firefox would fall back to NTLM on a non-standard port, but that doesn't sound relevant to your configuration: (#497057 – FireFox cannot use the Kerberos authentication protocol to connect to a Web site that uses a non-standard port]).

Modifié le par jscher2000 - Support Volunteer