Firefox on Linux/UNIX and mutual authentication

Wyllys Ingersoll wyllys.ingersoll at
Tue Feb 1 16:28:52 EST 2005

Frank Balluffi wrote:

>My investigation shows that Firefox on Windows (which uses Microsoft SSPI) 
>sends RFC 2478 SPNEGO tokens with the mutual-required flag on and Firefox 
>on Linux/UNIX (which uses GSSAPI) sends RFC 1964 Kerberos tokens with the 
>mutual-required flag off.
>Can anyone think of a reason why Firefox on Linux/UNIX should not set the 
>mutual-required flag on? Thanks.

Because the HTTP protocol does not support the use of mutual authentication.

Microsoft "broke" the HTTP standard in order to support mutual auth by 
extra data to the "200 OK" response that the IIS server returns after it 
the client's Kerberos creds (SSPI).   The Mozilla developers did not 
want to pollute
the core HTTP protocol engine with special case code to handle the extra 
data that
might be associated with a mutual-auth GSSAPI response, so they chose to 
ignore it.

Because mutual auth is not possible at this time, it is strongly 
recommended that
any Linux/Apache installation that implements GSSAPI authentication 
(e.g. mod_auth_kerb)
also use SSL to encrypt the authentication exchange.   The default 
settings in
Firefox/Mozilla are to only respond to the "Negotiate" request when the 
URL is
"https", though this can be overridden by the user.


More information about the Kerberos mailing list