ok so i've been doing webdev for about a week and the app i'm working on is a client-side vue app talking to a backend api.
There is very little information on the internet about the interaction between the client-side app and the browser on the handling of Kerberos ticket generation. apparently once you've got your headers/handshake all ok the browser just magically adds in the credentials to the request.
I've been through all the available info and RFC on this and i think i have the correct CORS settings, and the correct browser settings for the "magic" to happen.
I've also checked that:
- kinit was successful and i have a ticket-granting-ticket
- klist shows other tickets have been granted for AD-based SSO sites
- the URL i'm hitting has an SPN created in the AD hierarchy (and has worked ok for a different project)
still no magic
what i have found is that i could enable the spnego debug logs on firefox like this:
firefox --MOZ_LOG=negotiateauth:5 --MOZ_LOG_FILE=
which i can see a normal spnego handshake for other stuff..
but for my particular one i get this:
[Parent 105406: Main Thread]: D/negotiateauth nsHttpNegotiateAuth::ChallengeReceived URI blocked
which leads me here:
https://searchfox.org/mozilla-central/source/extensions/auth/nsHttpNegotiateAuth.cpp#176-178
with this code:
    bool allowed =
        TestNotInPBMode(authChannel, isProxyAuth) &&
        (TestNonFqdn(uri) || mozilla::net::auth::URIMatchesPrefPattern(
                                 uri, kNegotiateAuthTrustedURIs));
going through these
- TestNotInPBMode - im not in private browsing mode
- TestNonFqdn - my URI requires a non-custom port 5698. but in any case i enabled network.negotiate-auth.allow-non-fqdn in firefox which should negate this
- URIMatchesPrefPattern - this is probably where the problem is but i cant really see what's wrong with what i have entered - i used a wildcard based on my domain name e.g. .domain.com
finally,... to try to get to the bottom of this i attempted to get a dev setup of firefox working and trace it,.. but i'm limited to rust 1.62 and so cant get the build scripts to run....
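
A simplified model of the gate quoted above, as an added example that is not part of the original post and is not Firefox's code. It assumes the network.negotiate-auth.trusted-uris pref is a comma-separated list of `[scheme://][host][:port]` entries with no `*` wildcard, that hosts match as a suffix on a label boundary, and that an entry without a port matches any port; `explain_gate`, `entry_matches` and the sample hosts are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def entry_matches(scheme, host, port, entry):
    """Assumed rule for one entry: [scheme://][host][:port], '*' is a literal."""
    if "://" in entry:
        want_scheme, entry = entry.split("://", 1)
        if want_scheme.lower() != scheme:
            return False
    entry = entry.split("/", 1)[0]  # ignore any path
    want_host, has_port, want_port = entry.partition(":")  # IPv6 not modelled
    if has_port and want_port != str(port):
        return False  # a port in the entry must match exactly
    want_host = want_host.lower()
    if not want_host:
        return True  # scheme-only entry such as "https://"
    if not host.endswith(want_host):
        return False
    # Suffix must sit on a label boundary; ".domain.com" excludes "domain.com".
    return (len(host) == len(want_host) or want_host[0] == "."
            or host[-len(want_host) - 1] == ".")

def explain_gate(url, trusted_uris, allow_non_fqdn=False, private_browsing=False):
    """Return (allowed, reason), following the three tests in the expression."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, -1)
    if private_browsing:
        return False, "TestNotInPBMode failed"
    if allow_non_fqdn and host and "." not in host and not _is_ip(host):
        return True, "TestNonFqdn passed"
    for entry in (e.strip() for e in trusted_uris.split(",")):
        if entry and entry_matches(scheme, host, port, entry):
            return True, f"trusted-uris entry {entry!r} matched"
    return False, "URI blocked: no trusted-uris entry matched"

if __name__ == "__main__":
    # Constructed host; 5698 is the port mentioned in the post.
    for pref in (".domain.com", "*.domain.com", "app.domain.com:443"):
        print(repr(pref), explain_gate("https://app.domain.com:5698/api", pref))
```

Under these assumptions the non-FQDN test looks only at whether the host contains a dot, so a port in the URL does not affect it.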