New issue
Advanced search Search tips

Issue 671959 link

Starred by 2 users
Status: Archived
Owner: ----
Closed: Jun 2017
Cc:
asanka@chromium.org
pbomm...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

Google Chrome keeps using expired kerberos tickets on MacOS

Reported by sorin.sb...@gmail.com, Dec 7 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36

Steps to reproduce the problem:
1. Get valid kerberos ticket (Ticket Viewer)
2. Open Chrome and test the kerberos ticket
3. Wait till the kerberos ticket expires
4. Renew the kerberos ticket
5. Test Chrome kerberos login again, it will fail, even if the Ticket Viewer  or klist command to both report a valid ticket.
6. Restart Chrome
7. Test kerberos again. now it works.

What is the expected behavior?
Chrome should reload expired and renewed kerberos tickets without needing restart.

What went wrong?
Application fail to login using Kerberos tickets.

Did this work before? N/A 

Chrome version: 55.0.2883.75  Channel: stable
OS Version: OS X 10.12.1
Flash Version: Shockwave Flash 23.0 r0

Comment 1 by sorin.sb...@gmail.com, Dec 7 2016 

Please review the restriction on this ticket because it does not need any privacy, nobody can take any advantage out of this bug.

Comment 2 by rsesek@chromium.org, Dec 7 2016

Components: Internals>Network>Auth
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug

Comment 3 by ranjitkan@chromium.org, Dec 8 2016

Labels: M-55

Comment 4 by pbomm...@chromium.org, Dec 8 2016

Cc: asanka@chromium.org pbomm...@chromium.org
Labels: prestable-55.0.2883.75
cc'ing asanka@ for more insights on the bug.

Comment 5 by ranjitkan@chromium.org, Dec 13 2016

Labels: TE-NeedsTriageHelp

Comment 6 by sorin.sb...@gmail.com, Dec 15 2016 

Please let me know if I can help with anything regarding this bug, is easy to replicate and I think that this ticket could also cover the case where a kerberos ticket did not exist or was expired the moment Chrome was started.

If the ticket appeared later Chrome will fail to pick it up, requiring you to restart the browser.

I think that Chrome should refresh the list of kerberos tickets from time to time (like 5 minutes), avoiding a restart. Another alternative would be to remember when you refreshed the list of tokens and if when doing the SPNEGO handshake to attempt to refresh the list if last check was n-minutes ago.

Is there any command I can execute to force Chrome to refresh without having to restart it?

Comment 7 by asanka@chromium.org, Jun 1 2017

Labels: Needs-Feedback
You are renewing the ticket after it expires? I'm guessing, you mean you obtain new tickets using the credentials in your keychain? Once the tickets expire, they can't be renewed.

Could you specify how you are testing Kerberos login?

Also, does 'klist -l' show more than one credentials cache?

Apologies for the delay in getting to this.

Comment 8 by mmenke@chromium.org, Jun 14 2017

Status: Archived (was: Unconfirmed)
[sorin.sbarnea] Archiving bug due to lack of response to comment #7.  If you're still having the issue, please post back with the requested information within a couple days, and I'll reopen it.

Sign in to add a comment