4

I followed this guide to integrate CAS with Windows AD.

It worked fine on every browser a few days ago. But now it only works on IE; when I use Firefox, the browser only sends "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" to the server, then the browser returns to the CAS login page.

This problem has only been found in the production environment recently. I have a test environment with the same configuration, but it works fine so far.

I know that when the Kerberos ticket is not cached locally, the browser will send "Negotiate TlRMT...". But I can see the ticket with the klist command, and the fact that it works on IE means the ticket is OK.

I guess it's probably caused by some configuration of the Windows client or AD server; could anyone give me some advice? Thanks!

"https://1056-app.test.com" has already been added to "network.negotiate-auth.trusted-uris" in Firefox. I also tried reinstalling Firefox, which did not work.

Chrome: 55

IE:11

FireFox:56

Client Browser OS: Windows 7

AD Server OS: Windows Server 2008 R2

CAS Server OS: SUSE 11 SP3

Here is the HTTP dump from Firefox:

GET https://1056-app.test.com/cas/login 401 Unauthorized

Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
WWW-Authenticate : Negotiate
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding

Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1

GET https://1056-app.test.com/cas/login 401 Unauthorized

Response Headers
Server : nginx/1.8.0
Date : Fri, 13 Oct 2017 10:38:08 GMT
Content-Type : text/html;charset=UTF-8
Transfer-Encoding : chunked
Connection : keep-alive
Pragma : no-cache
Expires : Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control : no-cache
Content-Language : en-US
Content-Encoding : gzip
Vary : Accept-Encoding

Request Headers
Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language : en-US,en;q=0.5
Accept-Encoding : gzip, deflate, br
Cookie : JSESSIONID=EE40B3C3FAFB30D13F45DC612E4D383ECC95916DBE12BEDDE21E9D933893964A4EB867271389530BC8A4B6E9B485E944B952
Connection : keep-alive
Upgrade-Insecure-Requests : 1
Authorization : Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

klist on the client:

Client: huangq @ SWI.TEST.NET
Server: HTTP/1056-app.test.com @ SWI.TEST.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 10/13/2017 12:52:34 (local)
End Time:   10/13/2017 22:11:01 (local)
Renew Time: 10/20/2017 12:11:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)

setspn -Q command on the client:

C:\Users\huangq>setspn -Q HTTP/1056-app.test.com
Checking domain DC=swi,DC=test,DC=net
CN=SOWSLdapA,OU=Service,OU=_Users,DC=swi,DC=test,DC=net
    HTTP/1056-app.test.com
Existing SPN found! 

keytab creation command:

ktpass.exe /out D:\\1056-app.keytab /princ HTTP/1056-app.test.com@SWI.TEST.NET /pass xxx /mapuser SOWSLdapA@swi.test.net /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
zhufeizzz
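The base64 after "Negotiate" in the captured request can be decoded to see which mechanism the browser actually chose, which is the quickest way to confirm an NTLM fallback in proxy or CAS access logs. This is an added Python example, not code from the question or from CAS; the capture below is a constructed excerpt of the request headers shown above.

```python
import base64
import re

# Constructed excerpt of the Firefox request headers from the question.
CAPTURED_REQUEST = """Host : 1056-app.test.com
User-Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Authorization : Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
"""

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                     # start of every NTLMSSP message
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # DER OID 1.2.840.113554.1.2.2 (Kerberos 5)
AUTH_RE = re.compile(r"^Authorization\s*:\s*Negotiate\s+(\S+)", re.I | re.M)


def classify_raw(raw: bytes) -> str:
    """Name the mechanism carried in a decoded Negotiate token."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLMSSP header: signature (8 bytes), MessageType (uint32 LE), NegotiateFlags (uint32 LE)
        msg_type = int.from_bytes(raw[8:12], "little")
        flags = int.from_bytes(raw[12:16], "little") if len(raw) >= 16 else 0
        return f"NTLM type {msg_type} (flags 0x{flags:08x})"
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken, ASN.1 [APPLICATION 0]
        if SPNEGO_OID in raw[:16]:
            return "SPNEGO (Kerberos-capable)"
        if KRB5_OID in raw[:16]:
            return "Kerberos (raw KRB5 token)"
    return "unknown"


def classify_negotiate_token(token_b64: str) -> str:
    """Decode the base64 value that follows 'Negotiate' and classify it."""
    return classify_raw(base64.b64decode(token_b64))


def audit_capture(capture: str) -> list[str]:
    """Classify every Authorization: Negotiate header in a header dump."""
    return [classify_negotiate_token(m.group(1)) for m in AUTH_RE.finditer(capture)]


if __name__ == "__main__":
    for verdict in audit_capture(CAPTURED_REQUEST):
        print(verdict)
```

A token that starts with "TlRMTVNTUAAB" is an NTLM type 1 (NEGOTIATE) message, so the client never attempted Kerberos for that request, whatever klist shows.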
  • You failed to mention your version of Windows AD, and the type of OS that CAS is running on. – T-Heron Oct 14 '17 at 04:18
  • 1
    Run the following command, and please paste back the full results: *setspn -Q HTTP/1056-app.test.com* – T-Heron Oct 15 '17 at 00:43
  • Added, thanks for the reply. – zhufeizzz Oct 16 '17 at 06:36
  • Got to the Account tab on the SOWSLdapA account. Scroll down to the bottom of that tab, and check the boxes for both AES128 and AES256 and then try it again. – T-Heron Oct 16 '17 at 11:32
  • This is our production environment, I can't make this change online. But I have tried it on my test environment (same configuration); the CAS server throws an exception "KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96" – zhufeizzz Oct 17 '17 at 01:11
  • Is there any way to debug on the client side? I want to make sure why Chrome and Firefox choose to return the NTLM header. – zhufeizzz Oct 17 '17 at 01:14
  • You can use Fiddler to debug on the client side. Can you post your keytab creation syntax? You can make it an edit to your question. – T-Heron Oct 17 '17 at 01:28
  • You're getting the "KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96" error b/c you didn't place AES256-SHA1 encryption support into the keytab. You need to re-create the keytab with that support. See my example how to do that here: https://social.technet.microsoft.com/wiki/contents/articles/36470.kerberos-keytabs-explained.aspx – T-Heron Oct 17 '17 at 02:07
  • Sorry, I forgot to say it worked fine on Chrome and Firefox a few days ago. It also works fine on my test environment. So I think encryption support is not the root cause. – zhufeizzz Oct 17 '17 at 02:11
  • The subject line of this problem says "Kerberos authorization doesn't work on Chrome and FireFox, but works on IE"...so I'm confused when you say "it works fine on chrome and firefox fews days ago". Can you clarify? – T-Heron Oct 17 '17 at 02:24
  • In my test environment, it has always worked fine on every browser until now. In the production environment, it worked fine on every browser a few days ago, but now it works only on IE; maybe someone changed some configuration recently. – zhufeizzz Oct 17 '17 at 02:34

1 Answer

4

The root cause has been found: we use a CNAME in DNS, and the CNAME does not match the SPN address.

I used these commands to enable the Firefox negotiate debug log (link):

set NSPR_LOG_MODULES=negotiateauth:5
set NSPR_LOG_FILE=C://firefox.log
./firefox.exe

firefox.log:

[Lazy Idle]: D/negotiateauth   Sending a token of length 9800
[Main Thread]: D/negotiateauth   service = 1056-app.test.com
[Main Thread]: D/negotiateauth   using negotiate-sspi
[Main Thread]: D/negotiateauth   nsAuthSSPI::Init
[Main Thread]: D/negotiateauth Using SPN of [HTTP/***-nginx-elb-***.eu-west-1.elb.amazonaws.com]

Solution:

1. Change the DNS record to an A record.

2. Modify the browser to disable Kerberos CNAME lookup. Chrome: link. Firefox does not support this.

Reference:

https://www.chromium.org/developers/design-documents/http-authentication

bourbert
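The mismatch in this answer can be reproduced offline: SSPI canonicalizes the host through its CNAME chain before building the SPN, so the SPN it requests differs from the one registered with setspn. This is an added Python example, not code from the answer or from CAS; the DNS tables and the 203.0.113.10 address are constructed, the ELB name is the placeholder copied from the log above, and the registered SPN is the one shown by setspn -Q in the question. It also checks the two fixes the answer lists (A record, canonicalization disabled) and guards against CNAME loops.

```python
# Constructed DNS view modelled on the question: the app name is a CNAME to a load balancer.
DNS_WITH_CNAME = {
    "1056-app.test.com": ("CNAME", "***-nginx-elb-***.eu-west-1.elb.amazonaws.com"),
    "***-nginx-elb-***.eu-west-1.elb.amazonaws.com": ("A", "203.0.113.10"),
}
# The same name after the answer's fix 1: a plain A record, no CNAME to follow.
DNS_WITH_A = {"1056-app.test.com": ("A", "203.0.113.10")}
# SPNs registered in AD, as reported by setspn -Q in the question.
REGISTERED_SPNS = {"HTTP/1056-app.test.com"}


def canonical_name(host: str, dns: dict, max_hops: int = 8) -> str:
    """Follow CNAME records to the final name, the way the SSPI/Chrome canonicalization does."""
    name = host.lower()
    seen = set()
    while True:
        record = dns.get(name)
        if record is None or record[0] != "CNAME":
            return name                       # A record (or unknown name): this is the canonical host
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        name = record[1].lower()


def browser_spn(host: str, dns: dict, canonicalize: bool = True) -> str:
    """SPN the browser will ask the KDC for; canonicalize=False models the answer's fix 2."""
    target = canonical_name(host, dns) if canonicalize else host.lower()
    return f"HTTP/{target}"


def diagnose(host: str, dns: dict, registered: set, canonicalize: bool = True) -> dict:
    """Compare the requested SPN with the registered ones (case-insensitively, as AD does)."""
    spn = browser_spn(host, dns, canonicalize)
    matched = any(spn.lower() == s.lower() for s in registered)
    return {"spn": spn, "registered": matched,
            "expected_auth": "Kerberos" if matched else "NTLM fallback"}


if __name__ == "__main__":
    print("CNAME, canonicalized :", diagnose("1056-app.test.com", DNS_WITH_CNAME, REGISTERED_SPNS))
    print("A record             :", diagnose("1056-app.test.com", DNS_WITH_A, REGISTERED_SPNS))
    print("CNAME, no canonicalize:", diagnose("1056-app.test.com", DNS_WITH_CNAME, REGISTERED_SPNS, False))
```

Registering the canonical ELB name as an additional SPN on the same account would also make the first case match, as long as no other account already holds it.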
zhufeizzz
  • Since this answer is still among the top results on Google when searching for "Firefox Kerberos", I may add this for you, **Linux users**: The **snap** version of Firefox does not work with Kerberos! Check out this guide to install the **apt** version of Firefox, which also works for Ubuntu 22.10: [How to install Firefox with apt](https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04) – fips Nov 10 '22 at 12:39