Cannot Access Enterprise Identity Management WebUI From Client After Updating to Mozilla Firefox 17

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux 6.3
  • Enterprise Identity Management (IPA) 2.2
  • Mozilla Firefox 15 and newer

Issue

Firefox can use Kerberos credentials to authenticate to the IPA WebUI, but Kerberos negotiation must be configured for the IPA domain. Changes introduced with the release of Mozilla Firefox 17 prevent the browser from being configured automatically on RHEL 6.3/IPA 2.2 clients.

Resolution

To access the IPA WebUI from Mozilla Firefox 17, we recommend upgrading to RHEL 6.4, which includes IPA 3.0. The upgrade can be performed with yum update.

If updating to RHEL 6.4 and IPA 3.0 is not a viable option, Mozilla Firefox 17 can be configured manually using the following procedure:

1. Open Firefox.
2. Type about:config in the address bar.
3. In the Search field, type negotiate to narrow the list to the Kerberos-related parameters.
4. On Red Hat Enterprise Linux, enter the domain name for the URI parameters, including the preceding period (.) and set the gsslib parameter to true:

network.negotiate-auth.trusted-uris .example.com
network.negotiate-auth.using-native-gsslib true

On Windows, set the trusted URIs and library path, and disable the built-in Microsoft Kerberos for authentication:

network.negotiate-auth.trusted-uris .example.com
network.auth.use-sspi false
network.negotiate-auth.gsslib C:\Program Files\MIT\Kerberos\bin\gssapi32.dll

On a 64-bit system, the library is located at C:\Program Files (x86)\MIT\Kerberos\bin\gssapi32.dll.
5. In the Search field, now type referer and ensure that network.http.sendRefererHeader is set to 2.
6. Open the WebUI by going to the fully-qualified domain name of the IPA server such as http://ipaserver.example.com. Make sure that you can open the WebUI and that there are no Kerberos authentication errors.
7. Download the IPA server's CA certificate from http://ipa.example.com/ipa/config/ca.crt.
8. Select the first (Trust this CA to identify web sites) and third (Trust this CA to identify software developers) check boxes.
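
A check for the Red Hat Enterprise Linux settings in steps 4 and 5, as an added example that is not part of the original solution: it parses the text of a Firefox profile's prefs.js or user.js and lists every preference that differs from the values given above. The function names and the sample input are constructed for illustration, and .example.com is the page's placeholder for the IPA domain.

```python
import json
import re

# Values from steps 4 and 5 (Red Hat Enterprise Linux client).
# ".example.com" is the page's placeholder; substitute the real IPA domain.
EXPECTED = {
    "network.negotiate-auth.trusted-uris": ".example.com",
    "network.negotiate-auth.using-native-gsslib": True,
    "network.http.sendRefererHeader": 2,
}

# Lines in prefs.js / user.js have the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # string, bool or int
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep unparsed text for the report
    return prefs


def audit(text, expected=EXPECTED):
    """Return (name, found, wanted) for each preference that deviates.

    found is None when the file does not set the preference at all, in
    which case Firefox's built-in default applies instead of a pinned value.
    """
    prefs = parse_prefs(text)
    problems = []
    for name, wanted in expected.items():
        found = prefs.get(name)
        # Compare types too, so that 1 is not accepted in place of true.
        if type(found) is not type(wanted) or found != wanted:
            problems.append((name, found, wanted))
    return problems


# Constructed sample: the leading period is missing from the trusted domain.
SAMPLE = '''// constructed sample profile content
user_pref("network.negotiate-auth.trusted-uris", "example.com");
user_pref("network.negotiate-auth.using-native-gsslib", true);
'''
```

Calling audit(SAMPLE) reports the trusted-uris value without its leading period and shows that the sample file does not set network.http.sendRefererHeader.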


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.