为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

ADFS SSO error 500 (Firefox ESR, ADFS 3.0, Kerberos, SAML)

  • 2 个回答
  • 1 人有此问题
  • 1 次查看
  • 最后回复者为 Mike Kaply

more options

Hello everyone,

It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works !

My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome.

What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS without setting the ExtendedProtectionTokenCheck parameter to "None".

After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs WIASupportedUserAgents (and restart ADFS service of course) -> makes chrome sso work, but not Firefox

- mess with those preferences: network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy

- changing my user agent by setting preference general.useragent.override to "Firefox"

- allow every cookies possible..

- troubleshoot http requests / response with SAML Tracer extensions for Firefox

When I get a blank page (typically when network.auth.force-generic-ntlm is at false, which is what I want), I get an error 500 (see screenshot)

When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters).

In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM.


I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris

Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ?

Best regards

Hello everyone, It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works ! My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome. What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS '''without''' setting the ''ExtendedProtectionTokenCheck'' parameter to "None". After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs ''WIASupportedUserAgents'' (and restart ADFS service of course) -> makes chrome sso work, but not Firefox - mess with those preferences: ''network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy'' - changing my user agent by setting preference ''general.useragent.override'' to "Firefox" - allow every cookies possible.. - troubleshoot http requests / response with ''SAML Tracer extensions for Firefox'' When I get a blank page (typically when ''network.auth.force-generic-ntlm'' is at ''false'', which is what I want), I get an error 500 (see screenshot) When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters). In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM. I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ? Best regards
已附加屏幕截图

被采纳的解决方案

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.

定位到答案原位置 👍 1

所有回复 (2)

more options

This sounds like something you might get a better response to by emailing our enterprise mailing list:

https://mail.mozilla.org/listinfo/enterprise

There are lots of folks there who deploy Firefox.

more options

选择的解决方案

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.