Whenever I try to access an NTLM authenticated intranet site, Safari takes forever to process and then comes back with "The sever is unavailable" or, if allowed by the site, loads without authenticating. I can access these same sites with no problems in both Firefox and Internet Explorer. The sites are hosted on IIS6 and are being generated with either ASP, ASP.Net 1.1 or ASP.Net 2.0.
Any insight on why Safari is choking on these sites? Are there any work-arounds to get NTLM to correctly authenticate with Safari?
Update:
In further playing with it I have determined that NTLM will work (with the page loading reasonably fast) if I am using the FQDN for the site (i.e. http://mysite doesn't work, but http://mysite.domain.prv will work). Unfortunately, this will not work due to other constraints on the project.
Does anyone know why the FQDN would work but the shorter name will not? Is this something that can be worked around or is it "Sorry out of luck"?
Update 2:
According to the Wireshark packet sniffer, Safari sends a SYN to the correct server's IP address. The intranet server responds with a SYN, ACK, to which Safari sends an ACK. This is the end of communication between Safari and the server. When attempting to access the intranet site by FQDN these three packets were the same but were then followed by an HTTP GET request, which then successfully loaded the page.
Because Safari is connecting to the correct IP address, I find it hard to believe that Safari just doesn't support NetBIOS/WINS names. Additionally, because the NTLM packets are never exchanged as Safari never sends the initial GET request, I'm certain that NTLM has nothing to do with this issue.
Does anyone know the status of Safari's support of NetBIOS/WINS?
In a similar situation with a Java-based B2B client, I was successful in using http://ntlmaps.sourceforge.net/ to traverse the proxy.
Any insight on why Safari is choking on these sites?
Because NTLM is not a web standard. You can't expect any given web browser to support it.
Until recently only IE supported it at all. And Firefox's support has to be specifically configured.
Firefox has always been able to traverse NTLM sites. I know because I'm stuck with this god awful custom ASP solution and SharePoint site to use in our intranet... Firefox is a dream.
Apple.. fix Safari kthx?
app.run(host='0.0.0.0', port=443, threaded=True, ssl_context=(
    'certs/mydomain.com_bundle.crt',
    'certs/mydomain.com.key'), debug=False)
This is my code in flask.
The strange thing is, I can use PCs like MAC OS and WINDOWS to enter the website using HTTPS, no warnings at all and all certificates are shown as secured. But I just can't enter it using my mobile devices like my phone and my Android tablet. Haven't tried iPad or iPad Pro yet because I don't have one.
All errors are "REFUSED TO CONNECT". That seems pretty much to be a problem in the program.
However, if I switch it to HTTP & PORT=80, I can enter it using basically all devices.
So does anyone know how to allow mobile devices to enter it using HTTPS as well?
My bad.
For some unknown reason, my phone's browser didn't use HTTPS, it used HTTP as url proxy instead.
To the best of my knowledge, most browsers set HTTPS as the first priority for connections, yet Chrome on both of my mobile devices used HTTP, and so did the default browsers...
So changing the url proxy to HTTPS fixed the problem, just that simple.
The website is not loading in the Safari browser with SSL. The site is running on the https (SSL) layer. Please refer to the attached screenshot to know more.
P.S. I am using Windows 10 & SSL purchased from Godaddy
Safari refuses to connect to servers that don't match the minimum security requirements defined by Apple.
For example and example.
It will be necessary to contact the administrator of the server to be compliant with the standards or you can try a different browser (try IE, it never complains).
I am developing a Drupal site, within which is a page with an iframe, displaying an external SQL Reporting server driven site.
This iframed site is protected by HTTP authentication. In all browsers, apart from Chrome, when the page is viewed, the browser driven login box pops up.
In Chrome (Windows & OS X), no login box appears and I get an immediate 401 error from the SQL Reporting Server. I've cleared caches and even tried on a fresh Chrome installation on a VM.
The above method works fine on the client's existing live site, which is ASP driven. Other than CMS technology, the only other obvious difference is domains.
The working live site is referencing a sub domain of itself in the iframe. The development site is referencing a completely different domain.
I've tried /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --allow-cross-origin-auth-prompt, which seems to make no difference.
Does Chrome have much tighter cross domain login rules? Or am I missing something else?
According to the devs at chromium, this was an intentional change to protect against phishing attacks. If you say the prod sites reference the same domain, you shouldn't have any issues.
http://code.google.com/p/chromium/issues/detail?id=91814
To switch the (in my mind stupid) security feature off, set the browser flag:
--allow-cross-origin-auth-prompt
On Linux, close all browser instances and type in a terminal:
chromium-browser --allow-cross-origin-auth-prompt
For Windows, Mac, Android... take a look here: http://www.chromium.org/developers/how-tos/run-chromium-with-flags
See http://www.chromium.org/administrators/policy-list-3#AllowCrossOriginAuthPrompt for the policy that can be set versus using flags.
On Windows this can be set via the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome. See http://www.chromium.org/administrators/policy-templates for more information.
Our web application uses Windows Integrated Authentication (aka NTLM Auth) for security.
It's working fine for both IE and Firefox users, but Safari users are seeing intermittent problems. Browsing the site will work fine, but every once in a while there will be problems loading elements of a page (e.g. CSS or JS files). Reload and the problem will go away.
If we use a debugging proxy (Fiddler) we can see that there is a lot of extra 401 requests happening with Safari. Every once in a while a request for a resource will get stuck in a 401 request loop, and eventually fail.
I can't see anything that we're doing to cause this, and it would appear that it's a bug in Safari. Has anyone run across this issue before, and have any suggestions for a resolution?
Thanks,
Darren.
Some web sites (http://www.musteat.org/nodes/show/151) indicate this is an issue with negotiated authentication.
You can turn off Negotiate in favor of pure NTLM in IIS via the NTAuthenticationProviders Metabase setting, and the following ADSUTIL command.
cscript adsutil.vbs set w3svc/WebSite/<SiteID>/NTAuthenticationProviders "NTLM"
Change <SiteID> to the appropriate ID, typically 1.
I have an Intranet http application running on several machines in our Windows domain; everything works when using IE 7 because I can configure it to use Kerberos authentication and I've figured out how to get one of the intermediate machines to be Trusted for Delegation.
I have researched and tried to get Firefox 3.0.10 to use Kerberos:
navigate to about:config
filter to network.negotiate
update network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris
with the following entries (separated by commas): http://jupiter2000/trimbrokerclient,http://johnxp/fileservicedemo
I have done this and even restarted Firefox and when I browse to the above sites on our LAN, I still get prompted for username and password and even when I supply them and the web page is loaded, I have some code in the app which displays the authentication method in effect and it is still NTLM, not Kerberos as when IE is used.
Can someone comment on how to get Firefox usable on this Intranet application of mine? Thank you.
p.s. while the names above are different, the app is the same. JUPITER2000 is IIS 6.0; JOHNXP is IIS 5.1.
From what I have done myself, you will only want to input the domain, and not the http:// or path.
There are 5 settings that need to be changed in Firefox.
Only the domain is necessary.
See them all here:
FireFox settings for Integrated Windows Authentication
You must use just the server name:
jupiter2000,johnxp
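Added example, not part of any post above: a Python helper for reading the headers seen in Fiddler or Wireshark, which tells whether a `Negotiate` or `NTLM` token actually carries Kerberos or NTLM. That is the distinction behind both the Negotiate-versus-NTLM answer for Safari and the Firefox question where the app still reports NTLM. The function name and the sample tokens are constructed for illustration (the Kerberos sample is a stub, not a valid ticket), and the check is a heuristic byte search, not a full ASN.1 parse.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded GSS-API mechanism OIDs
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
SCHEMES = {"ntlm": "NTLM", "negotiate": "Negotiate"}


def classify_auth_header(value):
    """Classify an Authorization / WWW-Authenticate header value.

    Returns (scheme, mechanism, detail).
    """
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() not in SCHEMES:
        return (scheme, "other", "")
    scheme = SCHEMES[scheme.lower()]
    blob = blob.strip()
    if not blob:
        return (scheme, "offer", "no token")  # bare server challenge
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return (scheme, "invalid", "not base64")
    # NTLM messages start with "NTLMSSP\0" plus a little-endian type field;
    # a non-zero offset means the message is wrapped in an SPNEGO token.
    pos = token.find(NTLMSSP_SIG)
    if pos >= 0 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        wrapped = "inside SPNEGO" if pos > 0 else "raw"
        name = NTLM_TYPES.get(msg_type, "unknown")
        return (scheme, "NTLM", f"{name} ({wrapped})")
    # GSS-API initial tokens start with 0x60, SPNEGO replies with 0xa1.
    if token[:1] in (b"\x60", b"\xa1") and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return (scheme, "Kerberos", "GSS-API token")
    return (scheme, "unknown", "")


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed samples, not captured traffic.
SAMPLE_NTLM = "Negotiate " + _b64(NTLMSSP_SIG + struct.pack("<II", 1, 0xA2088207) + bytes(16))
SAMPLE_KRB = "Negotiate " + _b64(b"\x60\x82\x05\x00" + OID_SPNEGO + bytes(8) + OID_KRB5 + bytes(32))

if __name__ == "__main__":
    for header in (SAMPLE_NTLM, SAMPLE_KRB, "Negotiate", "NTLM"):
        print(header[:40], "->", classify_auth_header(header))
```

A `Negotiate` header whose token decodes to NTLM means the client fell back: the browser did not obtain a Kerberos ticket for that host name, even though the server offered Negotiate.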