RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 859968 - IPA browser configuration won't work on Firefox >= 15
Summary: IPA browser configuration won't work on Firefox >= 15
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 872085
TreeView+ depends on / blocked
 
Reported: 2012-09-24 14:13 UTC by Dmitri Pal
Modified: 2013-02-21 09:19 UTC (History)
4 users (show)

Fixed In Version: ipa-3.0.0-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: Firefox of version 15 or newer does not allow signed JavaScript jars to gain escalated privileges allowing then to for example change browser configuration. Consequence: Identity Management browser auto-configuration signed .jar will to configure the browser to be able to access Web UI via Kerberos authentication. This affects all Firefox browsers of version 15 or newer. Fix: Identity Management is now deployed with own Firefox extension capable of configuring the browser for Kerberos authentication. Result: Firefox users of all supported browser versions can take advantage of browser auto-configuration and authenticate via Kerberos.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:19:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
browser configuation page works (230.95 KB, image/png)
2013-01-28 17:58 UTC, Xiyang Dong 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 0 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 08:22:21 UTC

Description Dmitri Pal 2012-09-24 14:13:10 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3094

netscape.security.PrivilegeManager.enablePrivilege() call was deprecated in Firefox 15 and can't be used.

It completely breaks IPA browser configuration in signed .jar file. (https://test.example.com/ipa/config/browserconfig.html).

FF team recommends to make FF extension for any code which uses privileged code.

https://bugzilla.mozilla.org/show_bug.cgi?id=546848
https://bugzilla.mozilla.org/show_bug.cgi?id=757046

I think making FF extension just for configuring kerberos auth for one site is bad. I propose to give priority to ticket #823

We can offer configuration steps for: FF <= 14, FF >= 15, IE and Chrome. For FF <= 14 I would keep the configure.jar method.
Comment 2 Namita Soman 2012-10-01 17:05:28 UTC 
I can run the UI on FF15. So please provide steps to recreate the issue described here.
Comment 3 Martin Kosek 2012-10-02 07:20:50 UTC 
(In reply to comment #2)
> I can run the UI on FF15. So please provide steps to recreate the issue
> described here.

But can you authenticate with your Kerberos ticket? Authentication via user+password is not affected with this issue.
Comment 4 Petr Vobornik 2012-10-02 10:46:17 UTC 
In https://<ipa server>/config/browserconfig.html there is the 'configure browser' button. In FF 15 it doesn't do anything (from user perspective). There is an error in web console (Ctrl+Shift+K), but user can't see it. 

The outcome is that we can't configure automatically FF config options like network.negotiate-auth.trusted-uris and therefore, as Martin wrote, SSO doesn't work (if not configured manually).
Comment 5 Rob Crittenden 2012-10-05 15:58:50 UTC 
Fixed upstream.

This provides a new Firefox extension for 15+. Older browsers will rely on the signed javascript file.

master:
696fce5c8d4e480c6a731686c8952a4e7ace575f
247a3a43b7fb9eac9af9497e61cdc9c964bee4ff
206b6ca04b0e06b3bebf34d985f5310489fd7aac
b4e19509c034942a4f6bc99c371774a0944b65eb
4e72bc7fc8e8cc677d67919cde70eb1df47f1d81

ipa-3-0:
1212e867986aca1f030433f9f40908361629198c
e13a88a2e59a6cdee806fdc4a619a22bba9c3f35
2ba1fb5f87875a8793aad35224cb24d3b89f9883
8b9d0e1160683f0a759c5818f0aab8c2c18bf802 
f9bafb2958c3ea1e60856f21a28776026de2b305
Comment 8 Xiyang Dong 2013-01-28 17:58:05 UTC 
Created attachment 689183 [details]
browser configuation page works

verified in firefox ESR 10.0.10,which corresponds with Firefox 16.0.2
Comment 10 errata-xmlrpc 2013-02-21 09:19:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
Note You need to log in before you can comment on or make changes to this bug.