Pretraži podršku

Izbjegni prevare podrške. Nikad te nećemo tražiti da nas nazoveš, da nam pošalješ telefonski broj ili da podijeliš osobne podatke. Prijavi sumnjive radnje pomoću opcije „Prijavi zlouporabu”.

Saznaj više

ADFS SSO error 500 (Firefox ESR, ADFS 3.0, Kerberos, SAML)

  • 2 odgovora
  • 1 ima ovaj problem
  • 214 prikaza
  • Posljednji odgovor od Mike Kaply

more options

Hello everyone,

It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works !

My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome.

What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS without setting the ExtendedProtectionTokenCheck parameter to "None".

After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs WIASupportedUserAgents (and restart ADFS service of course) -> makes chrome sso work, but not Firefox

- mess with those preferences: network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy

- changing my user agent by setting preference general.useragent.override to "Firefox"

- allow every cookies possible..

- troubleshoot http requests / response with SAML Tracer extensions for Firefox

When I get a blank page (typically when network.auth.force-generic-ntlm is at false, which is what I want), I get an error 500 (see screenshot)

When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters).

In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM.


I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris

Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ?

Best regards

Hello everyone, It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying about configuration files, policies file, UEV etc. and it works ! My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for adfs sso and works seamlessly with IE 11 and Chrome. What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS '''without''' setting the ''ExtendedProtectionTokenCheck'' parameter to "None". After countless research on the Internet, here's what I tried: - add "Mozilla5/0" "Firefox" and "Firefox/78.0" to the adfs ''WIASupportedUserAgents'' (and restart ADFS service of course) -> makes chrome sso work, but not Firefox - mess with those preferences: ''network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy'' - changing my user agent by setting preference ''general.useragent.override'' to "Firefox" - allow every cookies possible.. - troubleshoot http requests / response with ''SAML Tracer extensions for Firefox'' When I get a blank page (typically when ''network.auth.force-generic-ntlm'' is at ''false'', which is what I want), I get an error 500 (see screenshot) When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in ADFS parameters). In both case I can see that Firefox is atleast trying to negociate authentication first with Kerberos, then with NTLM. I am frustrated because I see many posts where people resolved their issues only messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO ? Could it be another FF preference ? Or maybe my ADFS is misconfigured for what I want ? Best regards
Priložene slike ekrana

Izabrano rješenje

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.

Pročitaj ovaj odgovor u kontekstu 👍 1

Svi odgovori (2)

more options

This sounds like something you might get a better response to by emailing our enterprise mailing list:

https://mail.mozilla.org/listinfo/enterprise

There are lots of folks there who deploy Firefox.

more options

Odabrano rješenje

This appears to be a feature Firefox doesn't support.

See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1179722

I'm seeing if we can get it looked at.