LDAP Problem with firefox


CJM

I have a number of applications that use a particular technique to
authenticate users using IWA and LDAP.

These are for intranet applications where the users all use IE6, however I'm
trying to debug some javascript code and I find that easier to do with FF.
However my applications that use this authentication technique have problems
when running through FF.

I get an 'error '80072020' authuser.asp, line 20', which points to an LDAP
call:

Sub AuthUser()
    Set oADSysInfo = CreateObject("ADSystemInfo")
    Set oCurrentUser = GetObject("LDAP://" & oADSysInfo.UserName) '<==== error
    ' etc...
End Sub

When I run these apps via FF I need to manually authenticate (i.e. type in
domain name\username & password) since true IWA is not supported. I assume
the fact that FF doesn't handle IWA is at the centre of the issue, but I
don't know exactly what the problem is, nor if/how I can solve it.

Any ideas?

Thanks

CJM
 

Anthony Jones

CJM said:
I have a number of applications that use a particular technique to
authenticate users using IWA and LDAP.

These are for intranet applications where the users all use IE6, however I'm
trying to debug some javascript code and I find that easier to do with FF.
However my applications that use this authentication technique have problems
when running through FF.

I get an 'error '80072020' authuser.asp, line 20', which points to an LDAP
call:

Sub AuthUser()
    Set oADSysInfo = CreateObject("ADSystemInfo")
    Set oCurrentUser = GetObject("LDAP://" & oADSysInfo.UserName) '<==== error
    ' etc...
End Sub

When I run these apps via FF I need to manually authenticate (i.e. type in
domain name\username & password) since true IWA is not supported. I assume
the fact that FF doesn't handle IWA is at the centre of the issue, but I
don't know exactly what the problem is, nor if/how I can solve it.

Any ideas?

Add the DNS name you are using to access the server to the following setting
in about:config on FF:-

network.automatic-ntlm-auth.trusted-uris

Now FF will automatically attempt NTLM authentication with the server just
as IE does with things in the Local Intranet zone.
 

CJM

Anthony Jones said:
Add the DNS name you are using to access the server to the following setting
in about:config on FF:-

network.automatic-ntlm-auth.trusted-uris

Now FF will automatically attempt NTLM authentication with the server just
as IE does with things in the Local Intranet zone.

Anthony,

Thanks for the response, but I'm afraid your suggestion didn't work (I get
the same error). Any further ideas?

Chris
 

Anthony Jones

CJM said:
Anthony,

Thanks for the response, but I'm afraid your suggestion didn't work (I get
the same error). Any further ideas?

Chris

Have you tried some response writes of the server variables AUTH_USER and
LOGON_USER just to confirm what user security token the request is running
under?

The page in question does not allow anonymous or other types of
authentication, just IWA, right?

Note that FF by default uses more connections per server than IE does. It
is connections that are authenticated so this could have a bearing.

It might be worth using Fiddler to compare the exchanges that IE makes with
the server with the ones FF makes.

Anthony.
 

Tristan Kington [MSFT]

Anthony Jones said:
Have you tried some response writes of the server variables AUTH_USER and
LOGON_USER just to confirm what user security token the request is running
under?

The page in question does not allow anonymous or other types of
authentication, just IWA, right?

Note that FF by default uses more connections per server than IE does. It
is connections that are authenticated so this could have a bearing.

It might be worth using Fiddler to compare the exchanges that IE makes with
the server with the ones FF makes.

Anthony.

Fiddler (or Netmon) sounds like a good way to go with this.

If the server is set up for Kerberos delegation, you might find that the
core problem is a difference in authentication headers between IE and FF. IE
will try Negotiate, I'm afraid I don't know much about FF.

NTLM authentication doesn't provide a delegable (e.g., good for two hops)
credential, but Basic usually does (depending on the LogonMethod metabase
property) - you might consider stepping down to Basic to get FF working (and
use SSL to protect the credential transfer).

--
This posting is provided "AS IS" with no warranties, and confers no rights.

TristanK
http://blogs.technet.com/tristank/
--
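
Added example, not part of any post in this thread: when comparing the IE and FF exchanges in Fiddler as suggested above, the token that follows Negotiate or NTLM in the Authorization header shows which mechanism the browser actually used, and so whether a delegable credential is possible. The sample tokens are constructed, the function and variable names are hypothetical, and the Kerberos check is a byte-level heuristic (an assumption), not a full SPNEGO parser.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded Kerberos 5 mechanism OIDs (standard and legacy Microsoft form).
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),
             bytes.fromhex("06092a864882f712010202"))

def classify(header_value):
    """Return (scheme, mechanism, second_hop_possible) for a header value.
    Per the thread: NTLM is not delegable; Kerberos and Basic can be.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = {"ntlm": "NTLM", "negotiate": "Negotiate",
              "basic": "Basic"}.get(scheme.lower(), scheme)
    if scheme == "Basic":
        return scheme, "Basic", True
    if scheme not in ("NTLM", "Negotiate"):
        return scheme, "unknown", False
    if not blob.strip():
        return scheme, "offer only (no token)", False
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed token", False
    pos = token.find(NTLM_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (mtype,) = struct.unpack_from("<I", token, pos + 8)
        return scheme, "NTLM " + NTLM_TYPES.get(mtype, "type %d" % mtype), False
    # Heuristic: GSS-API framing (0x60) plus a Kerberos OID anywhere inside.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return scheme, "Kerberos", True
    return scheme, "unrecognised token", False

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample tokens (not real captures): leading bytes only.
SAMPLES = {
    "capture A": "Negotiate " + b64(b"\x60\x1e\x06\x06\x2b\x06\x01\x05\x05\x02"
                                    + KRB5_OIDS[0] + b"\x00" * 16),
    "capture B": "NTLM " + b64(NTLM_SIG + struct.pack("<I", 3) + b"\x00" * 8),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify(value))
```

A Negotiate header whose token decodes to an NTLMSSP message means the browser fell back to NTLM inside Negotiate, which is the non-delegable case described above.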
 
