Configuring Firefox for Negotiate Authentication

Before Firefox can authenticate to a server using "Negotiate" authentication, a couple of configuration changes must be made.

1. Type about:config into the location bar to bring up the configuration page.

2. Type negotiate into the Filter: box to restrict the listing to the configuration options we're interested in.

   [Figure: Default Negotiate settings in Firefox]

3. Change network.negotiate-auth.trusted-uris to the domain you want to authenticate against, in this case, .redhat.com.

You can leave network.negotiate-auth.delegation-uris blank, as it enables Kerberos ticket passing, which is not required.

If you do not see those two config options listed, your version of Firefox may be too old to support Negotiate authentication, and you should consider upgrading.

[Figure: Customized Negotiate settings in Firefox]

Now, make sure you have Kerberos tickets. Typing kinit in a shell should allow you to retrieve Kerberos tickets. klist will show you what tickets you have.

[Figure: Example of kinit and klist usage]

Now, if you visit a Kerberos-authenticated website in the .redhat.com domain, you should be logged in automatically, without having to type in your password.

Troubleshooting

If you have followed the configuration steps and Negotiate authentication is not working, you can turn on verbose logging of the authentication process, and potentially find the cause of the problem. First exit Firefox. In a shell, type the following commands:

    export NSPR_LOG_MODULES=negotiateauth:5
    export NSPR_LOG_FILE=/tmp/moz.log

Then restart Firefox from that shell, and visit the website you were unable to authenticate to earlier. Information will be logged to /tmp/moz.log, which may give a clue to the problem. For example:

    -1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
    -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
    No credentials cache found

means that you do not have Kerberos tickets, and need to run kinit.

If you are able to kinit successfully from your machine but you are unable to authenticate, and you see something like this in your log:

    -1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
    -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
    Server not found in Kerberos database

it generally indicates a Kerberos configuration problem. Make sure you have the following in the [domain_realm] section of /etc/krb5.conf:

    .redhat.com = REDHAT.COM
    redhat.com = REDHAT.COM

If nothing is showing up in the log it's possible that you're behind a proxy, and that proxy is stripping off the HTTP headers required for Negotiate authentication. As a workaround, you can try to connect to the server via https instead, which will allow the request to pass through unmodified. Then proceed to debug using the log, as described above.
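
A small triage helper for the log messages and the [domain_realm] check described above, as an added example that is not part of the original documentation. The function names diagnose_log and has_realm_mapping are hypothetical; the failure strings matched are the ones quoted on this page.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# diagnose_log FILE: map the failures quoted on this page to the fix it gives.
diagnose_log() {
    log=$1
    if [ ! -s "$log" ]; then
        # Nothing logged: the page suggests a proxy may be stripping headers.
        echo "empty-log: possible proxy stripping Negotiate headers; try https"
    elif ! grep -Fq 'gss_init_sec_context() failed' "$log"; then
        echo "no-gss-failure: no gss_init_sec_context() failure logged"
    elif grep -Fq 'No credentials cache found' "$log"; then
        echo "no-tickets: run kinit, then confirm with klist"
    elif grep -Fq 'Server not found in Kerberos database' "$log"; then
        echo "bad-realm-mapping: check [domain_realm] in /etc/krb5.conf"
    else
        echo "unknown-gss-failure: read the line after the failure"
    fi
}

# has_realm_mapping FILE DOMAIN REALM: succeed only if "DOMAIN = REALM"
# appears inside the [domain_realm] section of a krb5.conf-style file.
has_realm_mapping() {
    awk -v d="$2" -v r="$3" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
        in_sec {
            n = split($0, kv, "=")
            if (n != 2) next
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == d && kv[2] == r) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# When run with a log path as the first argument, print the diagnosis.
[ "$#" -eq 0 ] || diagnose_log "$1"
```

Run it as sh triage.sh /tmp/moz.log after reproducing the failure with the NSPR logging variables set.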