Pesquisar no apoio

Evite burlas no apoio. Nunca iremos solicitar que telefone ou envie uma mensagem de texto para um número de telefone ou que partilhe informações pessoais. Por favor, reporte atividades suspeitas utilizando a opção "Reportar abuso".

Saber mais

ADFS SSO error 500 (Firefox ESR, ADFS 3.0, Kerberos, SAML)

  • 2 respostas
  • 1 tem este problema
  • 1 visualização
  • Última resposta por Mike Kaply

more options

Hello everyone,

It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works !

My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome.

What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS without setting the ExtendedProtectionTokenCheck parameter to "None".

After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs WIASupportedUserAgents (and restart ADFS service of course) -> makes chrome sso work, but not Firefox

- mess with those preferences: network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy

- changing my user agent by setting preference general.useragent.override to "Firefox"

- allow every cookies possible..

- troubleshoot http requests / response with SAML Tracer extensions for Firefox

When I get a blank page (typically when network.auth.force-generic-ntlm is at false, which is what I want), I get an error 500 (see screenshot)

When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters).

In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM.


I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris

Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ?

Best regards

Hello everyone, It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works ! My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome. What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS '''without''' setting the ''ExtendedProtectionTokenCheck'' parameter to "None". After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs ''WIASupportedUserAgents'' (and restart ADFS service of course) -> makes chrome sso work, but not Firefox - mess with those preferences: ''network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy'' - changing my user agent by setting preference ''general.useragent.override'' to "Firefox" - allow every cookies possible.. - troubleshoot http requests / response with ''SAML Tracer extensions for Firefox'' When I get a blank page (typically when ''network.auth.force-generic-ntlm'' is at ''false'', which is what I want), I get an error 500 (see screenshot) When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters). In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM. I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ? Best regards
Capturas de ecrã anexadas

Solução escolhida

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.

Ler esta resposta no contexto 👍 1

Todas as respostas (2)

more options

This sounds like something you might get a better response to by emailing our enterprise mailing list:

https://mail.mozilla.org/listinfo/enterprise

There are lots of folks there who deploy Firefox.

more options

Solução escolhida

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.