For some extra context: this has to do with "Negotiate" authentication.

It is there to allow single sign-on via Kerberos. However, on Windows, if "Negotiate" with Kerberos fails, the browser will try to fall back to NTLM (which, I think, FreeIPA does not support anyway). The browser asks for your password to set up the NTLM hashes. Why it does this before checking if NTLM is available escapes me. When the browser sends the first Negotiate authorization header with NTLMSSP content (which is a negotiation-type message that does not contain any user information), it receives a 401 and does not continue. So in reality it is not "Basic Auth".

I believe some of the tools accessing the FreeIPA API may be using this Kerberos authentication. Most likely the "ipa" command also uses this. If you are authenticated as a FreeIPA user and have Kerberos properly set up, you can get SSO via this. You can also set up your users in a "trusted" AD domain to authenticate in the web interface using Negotiate with Kerberos tickets, without a password. So it is sometimes beneficial (even on Windows).

The first "fix" disables "Negotiate" authentication for Windows clients, which means Kerberos login for trusted AD users (if set up) will not work. The second one disables "Negotiate" authentication for all web UI users (even those that are not using Windows).

Contact Jeff Hochberg via FreeIPA-users (<[email protected]>) wrote on Thu, 18 May 2023 at 20:34:
> Amazing!
>
> I decided to try both your suggested fix as well as the fix suggested in
> one of the linked posts - both worked.
>
> Your fix:
> 1. Create /etc/httpd/conf.d/no-login-popup.conf
> 2. Add the following text:
>
> BrowserMatch Windows gssapi-no-negotiate
>
> 3. Save and restart httpd
>
> I also tested the proposed fix in this post:
> https://jdshewey.blogspot.com/2017/08/fixing-annoying-popup-in-freeipa.html
>
> 1. Edited /etc/httpd/conf.d/ipa-rewrite.conf
> 2. Added the following to the bottom of the file:
>
> #The following disables the annoying kerberos popup for Chrome
> RewriteCond %{HTTP_COOKIE} !ipa_session
> RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
> RewriteRule ^/ipa/session/json$ - [R=401,L]
> RedirectMatch 401 ^/ipa/session/login_kerberos
>
> 3. Restarted httpd
>
> I agree with you - I'd have to think others run into this as well. At the
> very least, there should be an option to enable/disable this in the FreeIPA
> dashboard.
>
> Thanks for the assistance!!!
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
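The reply's point is that "Negotiate" is an HTTP scheme, not a mechanism: the same header can carry a Kerberos or SPNEGO token (which FreeIPA's GSSAPI login can use) or an NTLMSSP NEGOTIATE message, which carries only flags and an optional OEM domain/workstation name and no user name or credential. The following Python is an added example, not code from the thread or from the FreeIPA project; it decodes an Authorization: Negotiate value far enough to tell the two apart and to show what an NTLMSSP type 1 message actually contains. The sample headers are constructed in the block (not captured traffic), the NTLM field layout and flag values follow MS-NLMP, and the GSS-API token framing follows RFC 2743 section 3.1.

```python
"""Added example (not from the thread or FreeIPA): look inside an
`Authorization: Negotiate ...` value and report whether it is a Kerberos/SPNEGO
token or an NTLMSSP NEGOTIATE message. Sample headers are constructed, not captured."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE = 1                               # MessageType of NEGOTIATE_MESSAGE
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2, DER contents octets
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
NTLM_FLAG_NAMES = {                              # subset of MS-NLMP 2.2.2.5 NegotiateFlags
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000200: "NEGOTIATE_NTLM",
    0x00001000: "OEM_DOMAIN_SUPPLIED", 0x00002000: "OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION", 0x20000000: "NEGOTIATE_128", 0x80000000: "NEGOTIATE_56",
}

def _der_length(buf, pos):
    """Return (length, position after the length) for the DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def gss_mech_oid(raw):
    """Mechanism OID of a GSS-API InitialContextToken (RFC 2743 3.1):
    0x60 <len> 0x06 <oid len> <oid> <mechanism token>. None if not framed that way."""
    if len(raw) < 2 or raw[0] != 0x60:
        return None
    _, pos = _der_length(raw, 1)
    if pos >= len(raw) or raw[pos] != 0x06:
        return None
    oid_len, pos = _der_length(raw, pos + 1)
    return raw[pos:pos + oid_len]

def parse_ntlm_negotiate(raw):
    """Decode an NTLMSSP NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1). Note what is absent:
    no user name and no hash; only flags plus optional OEM domain/workstation."""
    if len(raw) < 32 or not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != NTLM_NEGOTIATE:
        raise ValueError("NTLMSSP MessageType %d, expected NEGOTIATE (1)" % msg_type)
    d_len, _, d_off = struct.unpack_from("<HHI", raw, 16)   # DomainNameFields
    w_len, _, w_off = struct.unpack_from("<HHI", raw, 24)   # WorkstationFields
    domain = raw[d_off:d_off + d_len].decode("latin-1") if flags & 0x1000 else ""
    workstation = raw[w_off:w_off + w_len].decode("latin-1") if flags & 0x2000 else ""
    return {"flags": flags, "domain": domain, "workstation": workstation,
            "flag_names": [n for b, n in sorted(NTLM_FLAG_NAMES.items()) if flags & b]}

def classify_negotiate_header(header_value):
    """Classify an Authorization header value. 'usable_by_gssapi' is True only for
    Kerberos/SPNEGO tokens; an NTLMSSP message is the case that ends in a 401."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        raise ValueError("not a Negotiate authorization header")
    raw = base64.b64decode(token, validate=True)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return {"mechanism": "ntlmssp", "usable_by_gssapi": False, **parse_ntlm_negotiate(raw)}
    oid = gss_mech_oid(raw)
    if oid == SPNEGO_OID:
        return {"mechanism": "spnego", "usable_by_gssapi": True}
    if oid == KRB5_OID:
        return {"mechanism": "krb5", "usable_by_gssapi": True}
    return {"mechanism": "unknown", "usable_by_gssapi": False}

# --- constructed sample tokens for the demo (not captured traffic) --------------
def build_ntlm_negotiate(flags, domain=b"", workstation=b""):
    """Assemble a NEGOTIATE_MESSAGE: 32-byte header, then the OEM payload strings."""
    flags |= (0x1000 if domain else 0) | (0x2000 if workstation else 0)
    msg = NTLMSSP_SIGNATURE + struct.pack("<II", NTLM_NEGOTIATE, flags)
    msg += struct.pack("<HHI", len(domain), len(domain), 32)
    msg += struct.pack("<HHI", len(workstation), len(workstation), 32 + len(domain))
    return msg + domain + workstation

def build_gss_token(mech_oid, inner):
    """Wrap placeholder inner bytes in a short-form GSS-API InitialContextToken header."""
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    return b"\x60" + bytes([len(body)]) + body       # bodies here are < 128 bytes

def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")

SAMPLE_NTLM_HEADER = _header(build_ntlm_negotiate(0xA0088207, workstation=b"WIN10-PC"))
SAMPLE_SPNEGO_HEADER = _header(build_gss_token(SPNEGO_OID, b"\xa0\x03\x02\x01\x00"))
SAMPLE_KRB5_HEADER = _header(build_gss_token(KRB5_OID, b"\x01\x00"))

if __name__ == "__main__":
    for hdr in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER, SAMPLE_KRB5_HEADER):
        print(classify_negotiate_header(hdr))
```

Run it and the NTLM sample comes back with flags and a workstation name but no user, which is exactly why the server has nothing to authenticate and answers 401; the SPNEGO and Kerberos samples are the only ones a GSSAPI-backed login could continue with. The same check, applied to the decoded token rather than the scheme word, is a quick way to confirm from an httpd access or debug log that a Windows client really did drop to NTLM before deciding whether the BrowserMatch or the rewrite-rule fix is the one you want.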
