SN 740: Credential Delegation

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Can anyone get Credential Delegation working with the test site?


From the doc there is the test link that Steve mentioned:
We’ve also set up a test endpoint for others to try delegated credentials.

I enabled the feature in about:config and I restarted my browser just in case, but either way I get a warning about an invalid certificate:

The only thing I can think that may be different is that I am not using Cloudflare as my DoH provider (using Quad9.)

Same thing for me, seems to require Cloudflare to work properly so I turned it off again.

What about getting DoH to work on Chrome or Edge? Tried configuring Edge and Chrome on Windows 10, no luck. Chrome on macOS, no luck. After enabling chrome://flags/#dns-over-https then check using https://1.1.1.1/help. Same with edge://flags/#dns-over-https, no luck. Firefox on macOS works fine.

The option doesn’t seem to be in the mobile version of Firefox. No -delegated- string in about:config. Maybe that’s because it’s still at Ver. 68.

Did you restart the browser after changing the flags?

Yes, multiple times I relaunched the browsers. When you enable the option, a prompt button is displayed. @PHolder, were you able to make this work?

Well I don’t use Chrome, but I do have it installed. I don’t see any way in the settings to specify the DoH URL or indeed any DNS setting. This means, even if you attempt to enable it, that it is going to use the DNS setting of the system to lookup the correct DoH URL. So the question for you would be if you’re using 1.1.1.1 for your DNS on your system (i.e. outside of Chrome)?

Yes, I already had my router set to use 1.1.1.1 which overrides default Comcast.

Chrome Debug Results

Using Firefox

Firefox Debug Results

Well, basic debug steps… make sure you’re using the DNS you think you are… just for safety. The reason I bring this up is that Firefox has a setting to override your system whereas Chrome does not. On Windows, bring up a CMD window and check ipconfig/all, here’s what mine reports:

Microsoft Windows [Version 10.0.18363.476]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\>ipconfig/all
Windows IP Configuration
...
Ethernet adapter Ethernet:
...
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.100.1
   DHCP Server . . . . . . . . . . . : 192.168.100.1
   DNS Servers . . . . . . . . . . . : 192.168.100.1

And when I check my router I can confirm the use of (in my case) 9.9.9.9 for DNS.

You could also, on the same command prompt, do nslookup to see which server is in use:

Microsoft Windows [Version 10.0.18363.476]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\>nslookup
Default Server:  router.asus.com
Address:  192.168.100.1
>

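The resolver check suggested in the post above, as an added example that is not part of the original thread: this Python sketch parses `ipconfig /all` text and labels each adapter's DNS servers as local or public, since a local address (a router forwarder) means the real upstream resolver is set on the router. The sample text is constructed (the Wi-Fi adapter is invented) and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample modelled on the `ipconfig /all` output quoted above;
# the Wi-Fi adapter and its two DNS servers are invented for illustration.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.100.1

Wireless LAN adapter Wi-Fi:

   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 9.9.9.9
                                       149.112.112.112
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
# Labels end in " :" (space before the colon), so IPv6 values are not split.
FIELD = re.compile(r"^\s+(.+?)[ .]* :\s*(.*)$")

def dns_servers(text):
    """Return {adapter name: [DNS server, ...]} from `ipconfig /all` text."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            result[adapter] = []
            continue
        f = FIELD.match(line)
        if f:
            in_dns = f.group(1).strip(" .") == "DNS Servers"
            value = f.group(2)
        else:
            value = line.strip()  # continuation line: extra server, no label
        if adapter and in_dns and value:
            result[adapter].append(value)
    return result

def classify(server):
    """'local' means a router or loopback forwarder; check the upstream there."""
    ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
    return "local" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "public"
```
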
@PHolder, can you share your results from running https://1.1.1.1/help

It would be pointless, I’m not using Cloudflare for DNS.

@PHolder, understandable, but then what source do you use to confirm your DoH is working?

I’ll be honest… I don’t really have a good answer for you… I’ve never actually verified it worked. I had thought at one point I would temporarily intentionally break the normal DNS on the system and have it only have DoH and see if it still got resolution, but I never got around to that testing.