ADFS SSO error 500 (Firefox ESR, ADFS 3.0, Kerberos, SAML)
Hello everyone,
It is my first time here. I am asking for your help on something that has been bugging me for a week: I have recently deployed Firefox ESR 78.0.2 in my company after spending months studying configuration files, the policies file, UEV, etc., and it works!
My problem now is about SSO with ADFS 3.0: no matter what I try, I either get a blank page or a Forms Based Authentication prompt when accessing a site that is configured for ADFS SSO and works seamlessly with IE 11 and Chrome.
What I want to achieve: SSO authentication using Kerberos (not NTLM) against ADFS without setting the ExtendedProtectionTokenCheck parameter to "None".
After countless hours of research on the Internet, here's what I tried:
- add "Mozilla5/0", "Firefox" and "Firefox/78.0" to the ADFS WIASupportedUserAgents (and restart the ADFS service, of course) -> makes Chrome SSO work, but not Firefox
- mess with these preferences: network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris / network.negotiate-auth.allow-proxies / network.negotiate-auth.allow-non-fqdn / network.negotiate-auth.using-native-gsslib / network.auth.use-sspi / network.automatic-ntlm-auth.trusted-uris / network.automatic-ntlm-auth.allow-proxies / network.automatic-ntlm-auth.allow-non-fqdn / network.auth.force-generic-ntlm / signon.autologin.proxy
- change my user agent by setting the preference general.useragent.override to "Firefox"
- allow every cookie possible
- troubleshoot HTTP requests/responses with the SAML Tracer extension for Firefox
When I get a blank page (typically when network.auth.force-generic-ntlm is set to false, which is what I want), I get an error 500 (see screenshot).
When I get a Forms Based Authentication prompt, I get an error 401 Unauthorized (which I think is normal since FBA is not set up in the ADFS parameters).
In both cases I can see that Firefox is at least trying to negotiate authentication first with Kerberos, then with NTLM.
I am frustrated because I see many posts where people resolved their issues just by messing with the ADFS WIASupportedUserAgents parameter and the FF prefs network.negotiate-auth.trusted-uris / network.negotiate-auth.delegation-uris.
Of course, if I disable the ADFS "ExtendedProtectionTokenCheck" for testing, everything works. Does anyone know if there is something else that can interfere with Firefox's SSO? Could it be another FF preference? Or maybe my ADFS is misconfigured for what I want?
Best regards
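The two knobs the post is juggling are the ADFS WIASupportedUserAgents list and ExtendedProtectionTokenCheck on the server side, and the negotiate-auth prefs on the Firefox side. The following is an added example, not code from the original post or from Mozilla, showing how an ADFS administrator would inspect and adjust those settings with the ADFS PowerShell cmdlets without overwriting the existing user-agent list, and how the Firefox prefs from the post map onto the Authentication keys of an enterprise policies.json. It assumes it is run in an elevated PowerShell on the ADFS server, and the hostname adfs.example.com and the policies.json path are placeholders. It does not work around the ExtendedProtectionTokenCheck problem itself; it just leaves that check in place rather than setting it to None.

```powershell
# Added example (not from the original post): inspect and adjust the ADFS-side
# settings discussed above, then emit the matching Firefox policy.
# Assumes an elevated PowerShell session on the ADFS server.
Import-Module ADFS

$props = Get-AdfsProperties

# Current values of the two properties in question.
"ExtendedProtectionTokenCheck : $($props.ExtendedProtectionTokenCheck)"   # None / Allow / Require
"WIASupportedUserAgents       : $($props.WIASupportedUserAgents -join ', ')"

# ADFS offers Windows Integrated Authentication (Negotiate/NTLM) instead of
# forms-based auth when the request's User-Agent header contains one of these
# substrings. 'Firefox/' is narrower than 'Mozilla/5.0', which Chrome and Edge
# also send.
$wanted = @('Firefox/')

# -WIASupportedUserAgents replaces the whole list, so merge rather than assign.
$current = @($props.WIASupportedUserAgents)
$merged  = @($current + $wanted | Select-Object -Unique)

if ($merged.Count -ne $current.Count) {
    Set-AdfsProperties -WIASupportedUserAgents $merged
    Restart-Service adfssrv
}

# Leave ExtendedProtectionTokenCheck at Require (or Allow). Setting it to None
# turns off channel-binding validation on the WIA endpoint for every client,
# which is why the post rejects that option.
# Set-AdfsProperties -ExtendedProtectionTokenCheck None   # testing only, not for production

# Firefox side: the prefs from the post expressed as enterprise policy keys.
$fqdn = 'adfs.example.com'   # assumed federation service hostname, replace with yours
$policy = @{
    policies = @{
        Authentication = @{
            SPNEGO       = @($fqdn)                                # network.negotiate-auth.trusted-uris
            Delegated    = @()                                     # network.negotiate-auth.delegation-uris
            NTLM         = @($fqdn)                                # network.automatic-ntlm-auth.trusted-uris
            AllowNonFQDN = @{ SPNEGO = $false; NTLM = $false }    # *.allow-non-fqdn
            AllowProxies = @{ SPNEGO = $true;  NTLM = $true  }    # *.allow-proxies
            Locked       = $true                                   # users cannot change these prefs
        }
    }
}

# Assumed deployment path: <Firefox install dir>\distribution\policies.json
$policy | ConvertTo-Json -Depth 5
```

The JSON that is printed goes into the distribution\policies.json file of the Firefox install, which is the supported way to push these prefs to every user rather than editing about:config per machine.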
Chosen solution
This appears to be a feature Firefox doesn't support.
See:
https://bugzilla.mozilla.org/show_bug.cgi?id=1179722
I'm seeing if we can get it looked at.
All replies (2)
This sounds like something you might get a better response to by emailing our enterprise mailing list:
https://mail.mozilla.org/listinfo/enterprise
There are lots of folks there who deploy Firefox.