Solved: How do you browse transparenly with Firefox?

keithsauer507 · ‎03-16-2011

We have an issue where some die hard Firefox users are having trouble getting to certain internet sites, or heck certain e-mails cause these same popups by just trying to read the message.

Problem is that these individuals will get a pop up box asking to authenticate. Of course this generates support calls as to what to do in this situation. Sometimes all they have to do is put in their windows sign on name and password, and then it works for some time before asking them again (maybe every hour?). Other times it just dismisses the prompt but generates a blocked page. We normally have a hyperlink at the bottom they can click that says Reauthenticate User, but 99% of the time this hyperlink does not show up, and instead it says:

Base64Decode

error '800a0001'

Bad Base64 string.

/ironport/blocked.asp, line 78

Line 78 on blocked.asp is:

Err.Raise 1, "Base64Decode", "Bad Base64 string."

which is part of this IF statement:

'The source must consists from groups with Len of 4 chars
dataLength = Len(base64String)

If dataLength Mod 4 <> 0 Then
Err.Raise 1, "Base64Decode", "Bad Base64 string."
Exit Function
End If

So I'm not sure if THIS is the reason why Firefox works or what. But to be honest Internet Explorer 7, 8 or 9 all work fine. The Ironport knows who you are because YOU ARE LOGGED IN to windows/AD. So if it knows joe schmoe is logged into the domain at 10.3.5.7, then it shouldn't matter what is generating the http requests from 10.3.5.7 (firefox,ie,chrome,safari,etc...). Since the ironpart is joined to the domain, it should be able to see who's logged on and where.

So what is the workaround to get Firefox to work correctly without any nagging prompts. And even if we have to have nagging prompts due to some Firefox limitation, how can we make it so that when the user enteres their info, it works 100% of the time... or if they mistype something it prompts again without a Base64 decode error on a blocked page?

The issue here is with high level executives who are getting upset because firefox worked 100% fine with a Barracuda web filter and now since migrating to IronPort, it of course is 'broken' to them. Telling them to use IE is a 'workaround' and the typical response is "it worked before".

We did a work around for one user by adding a new identity specifying their IP address and giving their computer a static DHCP reservation. We of course can't do this for every single person!

Thank you for your help!

edadios · ‎03-16-2011

Hello Keith,

Some versions of Firefox do not automatically trust all servers to send transparent credentials to. The newest versions appear to be having the problem.

Please see the following article, and test if this resolves the issue.

http://tinyurl.com/3b2mu7

Regards,

Eric

View solution in original post

edadios · ‎03-16-2011

Hello Keith,

Some versions of Firefox do not automatically trust all servers to send transparent credentials to. The newest versions appear to be having the problem.

Please see the following article, and test if this resolves the issue.

http://tinyurl.com/3b2mu7

Regards,

Eric

keithsauer507 · ‎03-17-2011

Hmm, well in a test scenerio that seems to work. But you have to make sure you go to an allowed site FIRST, then try to access a normally blocked site (like webmail in our case).

So say for 90% of the users web based e-mail is blocked. But for an executive it is not. They must go to our home page first, THEN they can go to their webmail. Otherwise it seems to block the user.

Do you know any reason why sometimes on our blocked page, the link to reauthenticate user does not always show up, and instead we get:

Base64Decode

error '800a0001'

Bad Base64 string.

/ironport/blocked.asp, line 78

Thanks for your help. Hope Firefox 4.0 (to be released 3/22) fixes some of these issues (since some people are reluctant to use IE for whatever reason).

hallvard.solem · ‎03-21-2011

Remember to put the Transparent Authentication Redirect Hostname in your DNS as well.