Plugin does not seem to display Kerberos round trips

[stephansann]

Hello

Thanks a lot for the very useful add-on.

Anyhow it does not seem to display Kerberos round trips. This is very confusing while trying to debug Kerberos authentications.

Using a proxy I found a request to an IWA protected resource was first rejected by the server with HTTP code 401 and then was delivered with HTTP code 200 after the Kerberos round trip.

The add-on window only gave me the second request/response. And even with this it omitted the "Authorization: Negotiate xxxxxxxxxxxx" header (which I found in the proxy).

Maybe Firefox hides this information from plugins, so it may not be the add-ons's fault...

And one more suggestion: The HTTP response code should IMHO be displayed together with the response headers, not above the request header.

Thanks and best regards Stephan

[Nitrama]

Can you explain that to me in more detail? Maybe even make a video what it looks like and how it should look like?

EDIT1:

And one more suggestion: The HTTP response code should IMHO be displayed together with the response headers, not above the request header.

The design was taken over by "Live HTTP Headers"

[Nitrama]

If the request from another plugin is unfortunately not possible to log on

[stephansann]

Unfortunately I can't provide a video, since it would reveal internal hostnames and information.

Anyhow I created three screenshots for you (with some blackings) which should demonstrate the problem - see below.

If you have any more questions please let me know.

[Nitrama]

I think I found the bug. I've already sent the new version to Firefox and Chrome. I ask for feedback if it works. :-)

[stephansann]

Hello again

I just updated to version 0.6.1 and tried again.

Unfortunately the situation has not changed. I still see only one log entry with the response-code of the second response and the headers of the first response.

Best regards Stephan

[Nitrama]

Okay, unfortunately I can not remember anything. I would need something where I can test it. Is there something ready?

[stephansann]

Hello again

Turns out the same is happening with Basic Authentication roundtrips (see below): It looks like a 200 response, but in the response headers you find the "WWW-Authenticate" header of the 401 response. Should be two log-entries.

I created a small Web Application (attached in ZIP archive), which you can deploy in any Servlet Container (Tomcat, Jetty, ...). If you don't know how to do that, let me know and I give you instructions.

After the deployment you can run the example by using the URL: http://localhost:8080/roundtrip-demo/roundtripDemo (given the fact your container is running on port 8080) in your Firefox and see the HTTP headers:

http://localhost:8080/roundtrip-demo/roundtripDemo GET HTTP/1.1 200 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1

WWW-Authenticate: Basic realm="Enter username 'user' and password 'pass'.", charset="UTF-8" Content-Length: 0 Date: Tue, 08 May 2018 06:56:30 GMT

Best regards Stephan

roundtrip-demo.zip

[Nitrama]

I hope it works like this :-) The new version has already been sent to Firefox and Chrome.

[stephansann]

Good news and bad news...

The Basic Authentication is logged as expected now (see screenshot below) :-)

The Kerberos Authentication still looks the same (see screenshots attached to my post five days ago).

I cannot provide you with an Web App like with the Basic Authentication for this, since for the Kerberos SSO to work you will need to set up the Windows environment. Maybe this resource will be a possible start, if you do not have such an environment already: http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html

[Nitrama]

I read in Kerberos for a while. I do not really feel like learning more. Do you have any really a simple guide for Windows 10?

[stephansann]

Well, Kerberos and simple are not going together very well I would say. To use Kerberos SSO within your Browser you need to set up a Kerberos Environment. If you do not have a Windows Server OS / Active Directory, I guess you could give Heimdal Kerberos for Windows a try: http://computing.help.inf.ed.ac.uk/kerberos-heimdal-windows To deal with the identities there is a tool "Network Identity Manager" by the same vendor: http://computing.help.inf.ed.ac.uk/kerberos-windows

The tutorials below these links look very straight-forward with a lot of screenshots. Good luck!

[Nitrama]

I can not get Kerberos to work with me. If somebody gives me a very simple tutorial for Windows 10. Can I try again? Or somebody gives me access to it.

Otherwise, I really can not do anything anymore.