#5614 [tracker] mod_auth_gssapi additional NTLM auth request from Chrome
Opened 8 years ago by rcritten. Modified 4 years ago

Users are reporting a browser login popup in Windows Chrome (and IE?) browsers when attempting to log in to the IPA web UI.

According to Simo this is Chrome attempting to do NTLM auth by prompting the user for credentials.

An option is being worked on in upstream mod_auth_gssapi to not send additional WWW-Authenticate: negotiate requests: https://github.com/modauthgssapi/mod_auth_gssapi/pull/65

The pull request has more gory details on what is happening and why this wasn't seen in mod_auth_kerb.


Just FYI, I have looked at the code again and compared to what mod_auth_kerb did and I am not sure we have a way to handle this w/o disabling SSO completely.

mod_auth_gssapi 1.3.2 is now pushed to F23 stable, it includes a new setting that may alleviate these issues.

The login popup is still reproducible on Windows with both MS Edge and Chrome. I tested MS Edge 38.14393 and Chrome 55.0.2883 on Windows 10 with https://ipa.demo1.freeipa.org/. In both browsers https://ipa.demo1.freeipa.org/ipa/session/login_kerberos triggers a login popup ("WWW-Authenticate: Negotiate" and HTTP status code "401 Unauthorized"). The login popup is not reproducible with Google Chrome and Chromium on Linux.

After further testing I'm able to confirm that Chrome on Windows and Edge always show a username/password pop-up for a 401 response with "WWW-Authenticate: Negotiate" header. The Python script "negotiate_srv.py" is a minimal reproducer for the issue.

I haven't found a way to suppress the login window.

Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Fixed upstream in mod_auth_gssapi.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

As far as I understand upstream added the GssapiNegotiateOnce option. Shouldn't it be enabled by default in FreeIPA?

I suppose we could add the workaround to /etc/httpd/conf.d/ipa.conf à la:

...
<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  BrowserMatch MSIE gssapi-no-negotiate
...

Metadata Update from @rcritten:
- Issue status updated to: Open (was: Closed)

4 years ago

Adding the GssapiNegotiateOnce option to the httpd conf has worked perfectly for quite a while for us.
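A model of the 401 exchange this ticket is about, added here as an example; it is neither the negotiate_srv.py reproducer mentioned above nor mod_auth_gssapi's own code. The semantics given to GssapiNegotiateOnce and to the gssapi-no-negotiate variable (set via BrowserMatch) are assumptions, the SPNEGO token validator is a stub that rejects everything, and the small server lets the header behaviour be reproduced locally against a Windows browser.

```python
"""Model of the 401 / WWW-Authenticate: Negotiate exchange from this ticket.
Added example: not negotiate_srv.py and not mod_auth_gssapi's own code."""
from http.server import BaseHTTPRequestHandler, HTTPServer


def token_valid(token):
    """Stub for SPNEGO token validation (a real module calls GSSAPI here).
    Rejecting everything models the failed attempt that triggers the popup."""
    return False


def negotiate_response(request_headers, negotiate_once=False, no_negotiate=False):
    """Return (status, response_headers) for one request.

    negotiate_once models GssapiNegotiateOnce (assumed semantics): once a
    client's Negotiate attempt has failed, answer 401 without a second
    challenge, so Windows Chrome/Edge do not fall back to an NTLM prompt.
    no_negotiate models the gssapi-no-negotiate variable set by BrowserMatch
    (assumed semantics): never challenge a matching client.
    """
    auth = request_headers.get("Authorization", "")
    if auth.startswith("Negotiate "):
        if token_valid(auth.split(" ", 1)[1]):
            return 200, {}
        if negotiate_once:
            return 401, {}  # failed attempt: do not re-challenge
    if no_negotiate:
        return 401, {}
    return 401, {"WWW-Authenticate": "Negotiate"}


class Handler(BaseHTTPRequestHandler):
    """Minimal reproducer: point a browser at http://127.0.0.1:8080/."""
    negotiate_once = False
    no_negotiate = False

    def do_GET(self):
        status, headers = negotiate_response(
            self.headers, self.negotiate_once, self.no_negotiate)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(port=8080, negotiate_once=False):
    """Serve with or without the negotiate-once behaviour to compare popups."""
    Handler.negotiate_once = negotiate_once
    HTTPServer(("127.0.0.1", port), Handler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it once with `negotiate_once=False` and once with `True` and compare what the browser does after its first Negotiate attempt is rejected.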
