Transparent proxy auth

Discussion of features in Mozilla Firefox
CanadaDave
Posts: 1
Joined: July 6th, 2004, 4:42 am

Transparent proxy auth

Post by CanadaDave »

My company uses Squid with NTLM authentication. Under IE, this is done transparently, but with Firefox, the user needs to enter a username and password.

Yes - you can save the password entry, but every 30 days (our current password expiry period), it will stop working.

As the IT Manager of a 5 person team supporting 300 users, we can't afford to be chasing down password issues on a constant basis.

Are there any plans to put the transparent auth in Firefox? It's literally the only thing preventing us from rollout to our enterprise.
mrkh
Posts: 1
Joined: July 6th, 2004, 5:11 am
Location: Ireland

Transparent NTLM auth on Win32, instead of prompting user

Post by mrkh »

(i.e. the way IE does it)


Ditto. My coworkers (and I) also live behind an NTLM proxy, and this is also the only thing that would stop them all converting.

They're technically literate, but they're the kind of people who only install patches when they're told to.

Having to enter username and password once per session is something that you don't have to do with IE, and hence is seen as negative extra effort - for what gain? Security isn't a tangible gain for people who only install patches when they're told. And they aren't familiar with the concept of geek-cred either. Yes, there is a very impressive feature list, but the appreciation of those features really only comes with use. You have to convert them before they can start using it!
</evangelize>

Is there a technical difficulty or policy reason as to why transparent NTLM auth hasn't been implemented on Win32?
Or has it just not been considered yet?

(I saw in the bug/feature request comments (http://bugzilla.mozilla.org/show_bug.cgi?id=224653) for the native NTLM implementation that there was some "LanManager single signon" code that was dropped - this sounds like what we're talking about.)

Regards,
Ken
darinwf
Posts: 4
Joined: May 13th, 2003, 2:08 am
Location: Mountain View, CA

NTLM transparent authentication

Post by darinwf »

> Is there a technical difficulty or policy reason as to why transparent NTLM auth hasn't been implemented on Win32?

Yes, the challenge is that it requires 1) that we use Microsoft's NTLM implementation (via SSPI), and 2) that we limit when we use it.

Challenges related to #1:
- Older Windows systems only support NTLMv1, which uses a weak password hashing algorithm that is easily cracked.
- A stronger form of NTLM can be negotiated but the client needs to have a newer SSPI implementation.
- Older versions of SSPI are buggy and sometimes crash Mozilla. We do not know why this happens.

Challenges related to #2:
- We do not want to silently send a NTLMv1 hash of your password to any server that requests it. We must limit automatic authentication to a "whitelist" of allowed sites. (This is obviously not an issue for proxy servers.) IE solves this problem via Security Zones, but there is no such concept in Mozilla.

Our plans:
- For Win32, support Negotiate (SPNEGO) and NTLM via SSPI when a site matches our whitelist of allowed sites.
- Require user prompting when visiting a site outside the whitelist.
- Disable SPNEGO when visiting a site outside the whitelist.
- Add UI to allow the user (or admin) to add sites to the whitelist.

Additionally:
- We may want to use our internal NTLM implementation instead of the SSPI NTLM when handling a user identity that was retrieved from a prompt. In such cases, we may want to ensure that the highest grade NTLM is used since it may be sent over the world-/wild/-web.

See bug 249942 for whitelist UI.
See bug 237586 for code that uses SSPI for SPNEGO (and not yet raw NTLM).
Nitin
Moderator
Posts: 3483
Joined: February 27th, 2003, 9:38 pm
Location: San Jose, CA

Post by Nitin »

Also see:
bug 231529 - silent NTLM
bug 223636 - silent basic auth
(I'm the reporter for the second one, had troubles with my company intranet - it's probably NTLM)
If you're not using Firefox, you're not surfing the web, you're suffering it.
Join the MZ folding@home team.
Nitin
Moderator
Posts: 3483
Joined: February 27th, 2003, 9:38 pm
Location: San Jose, CA

Post by Nitin »

per bug 231529, which has been fixed, I tried adding:
user_pref("network.automatic-ntlm-auth.trusted-uris", "http://myintranet/");
it still doesn't silently log in.. any ideas?
If you're not using Firefox, you're not surfing the web, you're suffering it.
Join the MZ folding@home team.
Nitin
Moderator
Posts: 3483
Joined: February 27th, 2003, 9:38 pm
Location: San Jose, CA

Post by Nitin »

my bad.. I was not formatting it correctly (missed the comma)
"http://site1, http://site2"

It works! Thanks a ton, darin.
If you're not using Firefox, you're not surfing the web, you're suffering it.
Join the MZ folding@home team.
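The two points above (darinwf's description of a whitelist of sites that get automatic NTLM, and Nitin's missing-comma mistake in the trusted-uris pref) can be illustrated with a small parser. The following is an added example, not code from the thread or from Firefox itself: it splits the comma-separated pref value, flags entries that look like two sites run together, and models whether a URL matches the list. The matching rules used here (an entry with a scheme must match that scheme; a bare domain matches that host and its subdomains; a port in an entry must match) are an assumed simplification, not a transcription of Firefox's implementation.

```python
from urllib.parse import urlsplit


def parse_trusted_uris(pref_value):
    """Split a comma-separated trusted-uris pref value into its entries."""
    return [e.strip() for e in pref_value.split(",") if e.strip()]


def lint_trusted_uris(pref_value):
    """Warn about entries that look like several sites without a separating comma."""
    warnings = []
    for entry in parse_trusted_uris(pref_value):
        if any(ch.isspace() for ch in entry) or entry.count("://") > 1:
            warnings.append(f"{entry!r} looks like several sites without a comma between them")
    return warnings


def _split_entry(entry):
    """Return (scheme or None, host, port or None) for one entry (hypothetical helper)."""
    if "://" in entry:
        parts = urlsplit(entry)
        return parts.scheme.lower(), parts.hostname or "", parts.port
    parts = urlsplit("//" + entry)  # bare host or domain, no scheme given
    return None, parts.hostname or "", parts.port


def _host_matches(entry_host, host):
    """Exact host match, or the entry is a parent domain of the host (assumed rule)."""
    if host == entry_host:
        return True
    suffix = entry_host if entry_host.startswith(".") else "." + entry_host
    return host.endswith(suffix)


def url_is_trusted(pref_value, url):
    """Model of the whitelist check: may this URL receive automatic NTLM/Negotiate auth?"""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or ""), u.port
    for entry in parse_trusted_uris(pref_value):
        e_scheme, e_host, e_port = _split_entry(entry)
        if e_scheme is not None and e_scheme != scheme:
            continue  # entry pins a scheme; http entry does not cover https
        if e_port is not None and e_port != port:
            continue  # entry pins a port
        if _host_matches(e_host, host):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, mirroring the thread's pref strings.
    wrong = "http://site1 http://site2"
    right = "http://site1, http://site2"
    print(lint_trusted_uris(wrong))
    print(lint_trusted_uris(right))
    print(url_is_trusted(right, "http://site1/page"))
    print(url_is_trusted(right, "http://attacker.example/"))
```

The lint catches the exact failure mode in the post above: without the comma the whole string is one entry, so no site matches and the prompt keeps appearing. The scheme check is the defensive part of the whitelist idea: an entry written as `http://site1` does not cause credentials to be sent automatically to a different scheme or to an unrelated host.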
shakti
Posts: 5
Joined: December 30th, 2004, 5:53 am

Need Help

Post by shakti »

I have Firefox 1.0 (Win XP SP2) and I need it to automatically authenticate me instead of asking for a password every time.
Our setup has a Squid (Squid/2.4.STABLE6) proxy requiring authentication at IP 192.xxx.yyy.zzz; that machine is also the domain controller (SAMBA), and Squid uses Samba for authentication (same as domain User/Pass).
I have read other threads and set prefs to -

network.automatic-ntlm-auth.allow-proxies - true
network.automatic-ntlm-auth.trusted-uris - http://mydomainname.com
network.negotiate-auth.delegation-uris - http://mydomainname.com
network.negotiate-auth.trusted-uris - http://mydomainname.com

Where "mydomainname" is the name that appears on the Win XP logon screen.
joroxx
Posts: 11
Joined: November 16th, 2004, 2:20 am

Post by joroxx »

i've configured my FF1.0+ the same as everyone here in the thread but every time i start FF it asks me to click on "OK" showing the username i supplied and the password (which of course is hidden).

how do i configure FF not to ask for it since the auth has already been supplied before?

Who watches the watchmen?

Linux user #93359