Hi,

I have a web site running on IIS on my localhost. This web site has directory security set to only allow Integrated Windows Authentication. It is part of an intranet and needs to authenticate by our domain accounts.

I then connect to SQL Server with Integrated Security = SSPI in the connection string.

This works fine with Microsoft Internet Explorer: it automatically authenticates me as I am logged into the domain, and I can see that the logon_user is my domain account, and the SQL Server connection string works just fine.

However, when I log in using Firefox, things are different.

Firstly, I am prompted to authenticate, which is fine and correct as Firefox is not configured to trust the localhost enough to automatically send credentials (and indeed I am aware of how to introduce this trust already, this is not the problem). I then log in, which again is fine; provided I enter the domain account details, everything is fine. Indeed, a debug statement or two show that logon_user is still my domain account and everything is fine.

However, when I come to connect to SQL Server (which is running on a remote server box, to which my domain account has full sysadmin privileges), I get the following error:

Microsoft OLE DB Provider for SQL Server (0x80040E4D)
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

This indicates to me that something is wrong in the authentication stack; for some reason, IIS is not running as the authenticated account when I authenticate using Windows authentication from Firefox.

This also works fine when using Google Chrome.

Any suggestions?

+1  A: 
  1. Open Firefox
  2. In the address bar type: about:config
  3. Firefox 3.x and later requires you to agree that you will proceed with caution.
  4. After the config page loads, in the filter box type: network.automatic
  5. Modify network.automatic-ntlm-auth.trusted-uris by double clicking the row and enter http://www.replacewithyoursite.com
  6. Multiple sites can be added by comma delimiting them such as http://www.replacewithyoursite.com, http://www.replacewithyourintranetsite.com

I also use IEtab add-on for the intranet sites

gbn
I know how to do this; I alluded to it in passing. This isn't a problem. The fact that when I have authenticated, it won't pass that on to SQL Server is the problem.
THEMike
+4  A: 

IIS needs to pass a Kerberos ticket to SQL Server for this scenario to work. MSIE is picking up the workstation session ticket, whereas Firefox is negotiating its own authentication (and not Kerberos).

Check out e.g. this dense blog post as a starting point for understanding what is needed. I'm not sure if FF supports MS-Kerberos.

Be aware that even getting MSIE->IIS->SQL Server authentication can be tricky if you have the wrong versions or trust configuration...

Pontus Gagge
+4  A: 

As noted by Pontus Gagge, IIS needs to pass a Kerberos ticket to SQL Server. That was enough to tip my Google-fu in the right direction.

Firefox supports Kerberos, but you have to tell it which domains it trusts to send the Kerberos tokens to.

  1. Open Firefox
  2. In the address bar type: about:config
  3. Firefox 3.x and later requires you to agree that you will proceed with caution.
  4. After the config page loads, in the filter box type: network.negotiate-auth
  5. Modify network.negotiate-auth.trusted-uris by double clicking the row and enter yourdomain.com
  6. Multiple domains can be added by comma delimiting them such as yourdomain.com, yourotherdomain.com

Note: This is not the same as gbn's solution, which just configures Firefox to not prompt you to enter domain account details on login.

Also, if you have already tried to authenticate through the stack in your current Firefox session, you will need to restart Firefox for this to work.

THEMike
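
To check which mechanism a browser actually sent, the token in the request's Authorization header can be inspected: an NTLM token matches the ANONYMOUS LOGON symptom in the question, while a Kerberos token is what the answers say IIS needs. This is an added example, not part of the original posts; the function name and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message
KRB5_OIDS = (  # DER-encoded mechanism OIDs found in Kerberos GSS-API/SPNEGO tokens
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy MS OID)
)


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM may be sent raw or wrapped in SPNEGO; either way the signature is present.
    if NTLMSSP in token:
        return "ntlm"
    # 0x60 is the ASN.1 tag of a GSS-API initial context token.
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


def _header(scheme, raw):
    """Build an Authorization header value from raw token bytes."""
    return scheme + " " + base64.b64encode(raw).decode("ascii")


# Constructed sample tokens: correct leading bytes, padded bodies, not real tickets.
SAMPLE_NTLM = _header("Negotiate", NTLMSSP + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2")
SAMPLE_KRB = _header("Negotiate", b"\x60\x82\x01\x00" + KRB5_OIDS[0] + b"\x00" * 32)

if __name__ == "__main__":
    for name, value in (("NTLM sample", SAMPLE_NTLM), ("Kerberos sample", SAMPLE_KRB)):
        print(name, "->", classify_authorization(value), "|", value[:22] + "...")
```

In base64 form, NTLM tokens begin with TlRMTVNT and Kerberos tokens with a long-form length begin with YII, which is often enough to tell them apart by eye in a captured request.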