We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

ADFS SSO error 500 (Firefox ESR, ADFS 3.0, Kerberos, SAML)

  • 2 wotmołwje
  • 1 ma tutón problem
  • 1 napohlad
  • Poslednja wotmołwa wot Mike Kaply

more options

Hello everyone,

It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works !

My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome.

What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS without setting the ExtendedProtectionTokenCheck parameter to "None".

After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs WIASupportedUserAgents (and restart ADFS service of course) -> makes chrome sso work, but not Firefox

- mess with those preferences: network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy

- changing my user agent by setting preference general.useragent.override to "Firefox"

- allow every cookies possible..

- troubleshoot http requests / response with SAML Tracer extensions for Firefox

When I get a blank page (typically when network.auth.force-generic-ntlm is at false, which is what I want), I get an error 500 (see screenshot)

When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters).

In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM.


I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris

Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ?

Best regards

Hello everyone, It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works ! My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome. What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS '''without''' setting the ''ExtendedProtectionTokenCheck'' parameter to "None". After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs ''WIASupportedUserAgents'' (and restart ADFS service of course) -> makes chrome sso work, but not Firefox - mess with those preferences: ''network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy'' - changing my user agent by setting preference ''general.useragent.override'' to "Firefox" - allow every cookies possible.. - troubleshoot http requests / response with ''SAML Tracer extensions for Firefox'' When I get a blank page (typically when ''network.auth.force-generic-ntlm'' is at ''false'', which is what I want), I get an error 500 (see screenshot) When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters). In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM. I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ? Best regards
Připowěsnjene fota wobrazowki

Wubrane rozrisanje

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.

Tutu wotmołwu w konteksće čitać 👍 1

Wšě wotmołwy (2)

more options

This sounds like something you might get a better response to by emailing our enterprise mailing list:

https://mail.mozilla.org/listinfo/enterprise

There are lots of folks there who deploy Firefox.

more options

Wubrane rozrisanje

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.