Sykje yn Support

Mij stipescams. Wy sille jo nea freegje in telefoannûmer te beljen, der in sms nei ta te stjoeren of persoanlike gegevens te dielen. Meld fertochte aktiviteit mei de opsje ‘Misbrûk melde’.

Mear ynfo

Dizze konversaasje is argivearre. Stel in nije fraach as jo help nedich hawwe.

ADFS SSO error 500 (Firefox ESR, ADFS 3.0, Kerberos, SAML)

  • 2 antwurd
  • 1 hat dit probleem
  • 1 werjefte
  • Lêste antwurd fan Mike Kaply

more options

Hello everyone,

It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works !

My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome.

What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS without setting the ExtendedProtectionTokenCheck parameter to "None".

After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs WIASupportedUserAgents (and restart ADFS service of course) -> makes chrome sso work, but not Firefox

- mess with those preferences: network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy

- changing my user agent by setting preference general.useragent.override to "Firefox"

- allow every cookies possible..

- troubleshoot http requests / response with SAML Tracer extensions for Firefox

When I get a blank page (typically when network.auth.force-generic-ntlm is at false, which is what I want), I get an error 500 (see screenshot)

When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters).

In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM.


I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris

Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ?

Best regards

Hello everyone, It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works ! My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome. What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS '''without''' setting the ''ExtendedProtectionTokenCheck'' parameter to "None". After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs ''WIASupportedUserAgents'' (and restart ADFS service of course) -> makes chrome sso work, but not Firefox - mess with those preferences: ''network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy'' - changing my user agent by setting preference ''general.useragent.override'' to "Firefox" - allow every cookies possible.. - troubleshoot http requests / response with ''SAML Tracer extensions for Firefox'' When I get a blank page (typically when ''network.auth.force-generic-ntlm'' is at ''false'', which is what I want), I get an error 500 (see screenshot) When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters). In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM. I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ? Best regards
Keppele skermôfbyldingen

Keazen oplossing

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.

Dit antwurd yn kontekst lêze 👍 1

Alle antwurden (2)

more options

This sounds like something you might get a better response to by emailing our enterprise mailing list:

https://mail.mozilla.org/listinfo/enterprise

There are lots of folks there who deploy Firefox.

more options

Keazen oplossing

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.