[Freeipa-users] Problems with web console in IPA

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 27 13:08:10 UTC 2016


On Wed, 27 Jul 2016, Baird, Josh wrote:
>Hi,
>
>We are running the most recent IPA packages in RHEL7 and are facing a
>few issues when accessing the web console:
>
>First, since we utilize a Kerberos trust with AD, we had to create
>'internal' IPA users that we use to login to the web console.  I
>believe it is expected that AD users cannot login to the web console,
>but this may be coming in a future version?
Correct. Not supported right now.

>
>Secondly, when we browse to the web console from a Windows system that
>is joined to our AD domain, we first see a 'basic auth' popup that asks
>us for our user credentials.  No username or password is accepted here.
>If we hit 'Escape' the normal IPA forms-based authentication appears.
>We are able to login via this form.  What is causing the 'basic auth'
>popup?
In short -- bugs in your browser, specifically, in Chrome. Chrome is
pretty bad in its handling of the Negotiate authentication response; it
assumes too much and doesn't use the proper negotiation flow.

mod_auth_gssapi has some way to handle it other than completely
disabling Negotiate header but it is still not a fully solved problem.
https://github.com/modauthgssapi/mod_auth_gssapi/pull/65 has more
details.

>Lastly, we are not able to login *unless* we use Chrome's 'incognito
>mode.'  If we browse to the web console in a normal browser, we first
>have to escape out of the 'basic-auth' window, but after we input our
>username/password into the form, another 'basic-auth' window pops up.
>If we escape out of this, the forms based login now displays 'Your
>session has expired.  Please re-login.'  Because of this, we *have* to
>use Chrome's incognito function.
That's a Chrome bug when Negotiate fails but is still offered by the server.

-- 
/ Alexander Bokovoy
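
A small diagnostic for the condition named in the reply above (Negotiate fails but is still offered by the server), as an added example that is not part of the original message or of mod_auth_gssapi. It scans a captured sequence of HTTP exchanges and flags each 401 that challenges with Negotiate again after the client already sent a Negotiate token; the `Exchange` type, the finding labels and the sample headers are constructed for illustration, and it assumes one challenge per WWW-Authenticate header line.

```python
from dataclasses import dataclass, field


@dataclass
class Exchange:
    """One request/response pair from a capture (hypothetical type)."""
    status: int
    request_headers: list = field(default_factory=list)   # (name, value) pairs
    response_headers: list = field(default_factory=list)  # (name, value) pairs


def _schemes(headers, header_name):
    """Lower-cased auth scheme (first token) of every matching header line."""
    out = []
    for name, value in headers:
        parts = value.split(None, 1)
        if name.lower() == header_name and parts:
            out.append(parts[0].lower())
    return out


def diagnose(exchanges):
    """Return (index, finding) for each 401 that offers Negotiate."""
    findings = []
    for i, ex in enumerate(exchanges):
        offered = _schemes(ex.response_headers, "www-authenticate")
        if ex.status != 401 or "negotiate" not in offered:
            continue
        tried = _schemes(ex.request_headers, "authorization")
        if "negotiate" in tried:
            # Client already sent a Negotiate token, it was rejected, and
            # the server challenges with Negotiate again.
            findings.append((i, "negotiate-failed-but-reoffered"))
        else:
            findings.append((i, "negotiate-offered"))
    return findings


# Constructed capture; the token is a placeholder, not a real GSSAPI blob.
SAMPLE = [
    Exchange(401, [], [("WWW-Authenticate", "Negotiate")]),
    Exchange(401, [("Authorization", "Negotiate Q09OU1RSVUNURUQ=")],
             [("WWW-Authenticate", "Negotiate")]),
    Exchange(200, [("Content-Type", "application/x-www-form-urlencoded")], []),
]

if __name__ == "__main__":
    for index, finding in diagnose(SAMPLE):
        print(index, finding)
```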
