Firefox doesn't show the kerberos challenge
I'm building an app behind IIS. IIS manages authentication and reverse proxy to my app.
in IIS :
- anonymous Authentication disabled
- Asp.net impersonation disabled
- Windows authentication enabled, provider enabled ONLY Negociate:Kerberos
- my app is joinable through http://thot.test.local
I think my IIS configuration is fine (app pool account liked to spn etc.) because I can access my app through Chrome and solve the kerberos challenge without any problem. Chrome shows me the login popup, I fill my credentials then I can login and see my app.
Firefox actual behaviour :
- trying to reach http://thot.test.local
- firefox doesn't show the login popup
- firefox shows this IIS error page instead
Things I've tried in about:config in Firefox
- added thot.test.local to network.negotiate-auth.trusted-uris
- added thot.test.local to network.negotiate-auth.delegation-uris
But no result
Below is the http header returned by IIS to Firefox :
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
Date: Mon, 30 Jun 2025 21:19:29 GMT
Content-Length: 5931
That's the intended behavior. Firefox does not support prompting for explicit credentials (and indeed the majority of Kerberos client applications don't); it only uses "ambient" credentials, i.e. what SSPI or GSSAPI can obtain without prompting.
Chrome and Internet Explorer (which achieve this using Windows-specific SSPI APIs) are more of an exception, not the rule.
If you are on Windows and are using a local (non-domain) Windows account, store your domain credentials in the Windows Credential Vault, e.g. using cmdkey /add:*.example.com. SSPI will automatically obtain Kerberos tickets when Firefox requests them.
If you are on Linux, the GSSAPI (Unix equivalent of Microsoft SSPI) doesn't even have the ability to use explicit credentials; Firefox could still have implemented it by using raw Krb5 APIs but generally speaking that's just not something GSSAPI-using Kerberos client software tend to do at all.
- Drag and drop API bugs/strange behavior on Firefox and Chrome
- Increase code font size in firefox developer tool
- firefox browser settings to avoid appearance of menu bar or task bar in full screen when pointing mouse on the top of the screen
- Misunderstood Secure Context of Web Crypto API?
- navigator.clipboard.readText() is not working in Firefox
- How to clear indexeddb data in firefox?
- Firefox Add-on Delete event listener
- Can modern Firefox addons/extensions edit user preferences (i.e. about:config properties)?
- How to connect to an existing firefox instance using selenium (python)
- paste data from clipboard using document.execCommand("paste"); within firefox extension
- Why Chrome and Firefox do not have the same behaviour with CORS ajax call with basic auth?
- Why is my a:hover CSS working differently in Firefox?
- Save base64 string as PDF at client side with JavaScript
- Is there a built-in markdown flavor for Firefox?
- How does jemalloc work? What are the benefits?
- Word-break:break-word not working in Firefox 21
- Firefox "Couldn't Load XPCOM" error won't go away, even after uninstalling Firefox
- Prevent the parent page from scrolling when the mouse cursor is over an embedded iframe in Firefox
- Is there a way to make Firefox ignore invalid ssl-certificates?
- IE not displaying content of table UL
- Consume WCF with JavaScript but keep it generic enough for all clients?
- The extension ID is required in Manifest Version 3 and above. Firefox Error in manifest
- Script stack space exhausted firefox
- How can I have multiple rows with tabs on Firefox 57+ (Add-on "Tab Mix Plus" no longer works)?
- Can I create a bookmarklet button with icon?
- No padding when using overflow: auto
- HTML5 Canvas slow on Chrome, but fast on FireFox
- How to get URL of shop in Shopify embeded app?
- Difference TypeError and ReferenceError
- Where to write the receiving code for message sent from contentscript?