Red Hat Bugzilla – Bug 145500
GSSAPI / Kerberos authentication broken, Mozilla OK
Last modified: 2007-11-30 17:10:58 EST
Description of problem:
We have a Kerberos Realm and with FC3 the shipped Mozilla works fine
to access mod_auth_kerb protected web pages in seamless single-sign on
fashion with tickets.
With FireFox, on the same machine, it is unable to access the
protected web pages and gets a 401 error "authentication required" page.
Using "klist" to view tickets it can be seen that Mozilla properly
fetches a service ticket for the web server. With FireFox no such
service ticket is obtained.
$ rpm -q mozilla
$ rpm -q firefox
Supposedly GSSAPI support was added to FireFox in version 0.9 so it
From the Unofficial Changelog:
"Support for Kerberos HTTP authentication using GSSAPI (benefits
Unix-like platforms including Linux and OS X)."
$ ldd /usr/lib/firefox-1.0/components/libnegotiateauth.so | grep gssapi
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x003a5000)
try to set
to 'https://' (e.g. through 'about:config')
I meant to update this bug last week.
The addition of:
network.negotiate-auth.trusted-uris to 'https://'
Does indeed solve the problem.
This should added to the default "pref.js" file (or via some other
technique) so that this works out-of-the-box on Firefox as it does on
I thought this pref was left unset deliberately? Are you sure it's
set in the default Mozilla config?
$ locate prefs.js | xargs grep negotiate
is indeed blank for all shipped prefs.js in FC3.
Ah, ignore me, you are correct of course...
It was also defaulted on with the errata Mozilla shipped out to FC2 in
Sept/Oct 2004 timeframe.
The whitelist of trusted domains is now empty in both firefox and mozilla. You
need to manually add trusted domains. Reasons are outlined upstream.
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.
Not a bug per comment 7.