Revision 127081 of Integrated Authentication

  • Revision slug: Integrated_Authentication
  • Revision title: Integrated Authentication
  • Revision id: 127081
  • Creator: kohei.yoshino
  • Is current revision? No
  • Comment: Migration (http://www.mozilla.org/projects/netlib/integrated-auth.html)

Revision Content

This document provides an overview of Mozilla's support for integrated authentication. This entails support for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) internet standard (RFC 2478, http://tools.ietf.org/html/rfc2478) to negotiate either Kerberos, NTLM, or other authentication protocols supported by the operating system. SPNEGO is commonly referred to as the "negotiate" authentication protocol.

Mozilla does not have its own internal implementation of SPNEGO. Instead, it leverages system libraries that provide SPNEGO: SSPI on Microsoft Windows, and GSS-API on Linux, Mac OS X, and other UNIX-like systems.

The Mozilla implementation of SPNEGO can be found under {{ Source("extensions/auth/") }} (it used to live in extensions/negotiateauth). Mozilla also supports raw NTLM authentication using an internal implementation (based on the documentation provided by Eric Glass at http://davenport.sourceforge.net/ntlm.html) that supports NTLMv1/LMv1 and NTLM2 Session Key modes. As of Mozilla 1.7, there is no support for NTLMv2/LMv2. This is mainly because NTLMSSP does not provide a means to negotiate the use of NTLMv2/LMv2. This document is incomplete ...

Flow Diagram

The diagram below shows how various components interact.

Image:integrated-auth.png

Configuration

By default, Mozilla rejects all SPNEGO challenges from a web server. This protects the user from DNS spoofing being used to stage a man-in-the-middle attack (see {{ Bug("17578") }} for more info). Moreover, with Windows clients NTLM may be negotiated as the authentication protocol, so it is paramount that the browser does not freely exchange NTLM user credentials with any server that requests them. The NTLM response includes a hash of the user's logon credentials, and on older versions of Windows this hash is computed using a relatively weak algorithm (see Hertel, http://ubiqx.org/cifs/SMB.html#SMB.8, for more info on NTLM authentication).

Mozilla currently supports a whitelist of sites that are permitted to engage in SPNEGO authentication with the browser. This list is intended to be configured by an IT department prior to distributing Mozilla to end-users.

The preferences are:

pref("network.negotiate-auth.trusted-uris", site-list);
pref("network.negotiate-auth.delegation-uris", site-list);

where site-list is a comma-separated list of URL prefixes or domains of the form:

site-list = "mydomain.com, https://myotherdomain.com"

network.negotiate-auth.trusted-uris lists the sites that are permitted to engage in SPNEGO authentication with the browser, and network.negotiate-auth.delegation-uris lists the sites for which the browser may delegate user authorization to the server.
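As an added illustration (not part of the original document and not Mozilla's own code), the following Python models the matching rule these preferences describe: an entry is either a bare domain, which matches that host and its subdomains on any scheme or port, or a URL prefix whose scheme and port, when given, must match exactly. The subdomain-boundary check and the treatment of an omitted port as "any port" are assumptions about the documented behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample value in the documented site-list format.
TRUSTED_URIS = "mydomain.com, https://myotherdomain.com"

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_site_list(value):
    """Split a site-list preference into (scheme, host, port) entries.
    A bare domain yields scheme=None; a missing port yields port=None,
    both meaning "any" (assumed semantics)."""
    entries = []
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        if "://" in item:
            parts = urlsplit(item)
            entries.append((parts.scheme, parts.hostname or "", parts.port))
        else:
            host, _, port = item.partition(":")
            entries.append((None, host, int(port) if port else None))
    return entries


def entry_matches(entry, scheme, host, port):
    e_scheme, e_host, e_port = entry
    if e_scheme is not None and e_scheme != scheme:
        return False
    if e_port is not None and e_port != port:
        return False
    if not e_host:  # scheme-only entry such as "https://" matches any host
        return True
    # The request host must equal the entry or be a subdomain of it;
    # "evilmydomain.com" must NOT match "mydomain.com", hence the dot boundary.
    base = e_host.lstrip(".")
    return host == base or host.endswith("." + base)


def is_trusted(url, site_list=TRUSTED_URIS):
    """True if the browser would be allowed to answer a Negotiate
    challenge from this URL under the given trusted-uris value."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return any(entry_matches(e, scheme, host, port)
               for e in parse_site_list(site_list))
```

A lookalike host such as evilmydomain.com is rejected, which is exactly the boundary a deployment should verify before shipping the whitelist.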

Original Document Information

  • Author(s): Darin Fisher
  • Last Updated Date: December 27, 2005
  • Copyright Information: Portions of this content are © 1998–2007 by individual mozilla.org contributors; content available under a Creative Commons license | Details.
