Search code examples
google-chromefirefoxkerberosspnegonegotiate

Kerberos authorization doesn't work on Chrome and FireFox, but works on IE

I follow this guide to integrate cas with Windows AD.

It works fine on every browser few days ago. But not it only works on IE, when I use firefox browser only send "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" to server, then browser return to cas login page.

This problem only have been found on production environment recently. I have a test environment with same configuration, but it works fine until now.

I know when kerberos ticket is not cached on local, browser will send "Negotiate TlRMT...". But I can see ticket with klist command, and it works on IE means the ticket is ok.

I guess it's probably caused by some configuration of the windows client or ad server, could anyone give me some advice, tks!

"https://1056-app.test.com" have already add to "network.negotiate-auth.trusted-uris" on firefox. And I also tried to reinstall firefox, not works.

Chrome: 55

IE:11

FireFox:56

Clinet Browser OS:Windows 7

AD Server OS: Windows Server 2008 R2

Cas Server OS: Suse11Sp3

Here is the http dump on FireFox

GET https://1056-app.test.com/cas/login 401 Unauthorized

Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
WWW-Authenticate : Negotiate
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding

Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1




GET https://1056-app.test.com/cas/login 401 Unauthorized

Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding

Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1
Authorization : Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

klist on client

Client: huangq @ SWI.TEST.NET
Server: HTTP/1056-app.test.com @ SWI.TEST.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/13/2017 12:52:34 (local)
End Time:   10/13/2017 22:11:01 (local)
Renew Time: 10/20/2017 12:11:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)

setspn -Q cmd on client

C:\Users\huangq>setspn -Q HTTP/1056-app.test.com
Checking domain DC=swi,DC=test,DC=net
CN=SOWSLdapA,OU=Service,OU=_Users,DC=swi,DC=test,DC=net
    HTTP/1056-app.test.com
Existing SPN found!

keytab create command

ktpass.exe /out D:\\1056-app.keytab /princ HTTP/[email protected] /pass xxx /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
Solution

  • The root cause has been found. Because we use cname for dns, and cname not match spn address.

    I use this command to open firefox negotiate debug log.link

    set NSPR_LOG_MODULES=negotiateauth:5
set NSPR_LOG_FILE=C://firefox.log
./firefox.exe

    firefox.log

    [Lazy Idle]: D/negotiateauth   Sending a token of length 9800
[Main Thread]: D/negotiateauth   service = 1056-app.test.com
[Main Thread]: D/negotiateauth   using negotiate-sspi
[Main Thread]: D/negotiateauth   nsAuthSSPI::Init
[Main Thread]: D/negotiateauth Using SPN of [HTTP/***-nginx-elb-***.eu-west-1.elb.amazonaws.com]

    Solution:

    1.Change DNS to A type

    2.Modify browser to disable kerberos cname lookup. Chrome link. Firefox not support.

    Reference:

    https://www.chromium.org/developers/design-documents/http-authentication