Thanks for the explanation. I figured that's what it was for but it was not clear as to how to disable it.
It does make sense that Kerberos/NTLM is processed before forms-based authentication. If someone is logging in with Kerberos/NTLM credentials, they should get authenticated transparently and never see the form. Being brand new to FreeIPA, I was not familiar with where/how to modify the modules and/or priorities. Glad this forum exists! Thanks for the great support! Really appreciate it!

Jeff Hochberg
Solutions Architect - Network Services
Cloudflare

On Fri, May 19, 2023, 5:17 AM Ahti Seier <[email protected]> wrote:

> For some extra context. This has to do with "Negotiate" authentication.
>
> It is there to allow single sign-on via Kerberos. However, on Windows, if "Negotiate" with Kerberos fails, the browser will try to fall back to NTLM (which, I think, FreeIPA does not support anyway). The browser asks for your password to set up the NTLM hashes. Why it does this before checking if NTLM is available escapes me. When the browser sends the first Negotiate authorization header with NTLMSSP content (which is a negotiation-type message that does not contain any user information) it receives 401 and does not continue. So in reality it is not "Basic Auth".
>
> I believe some of the tools accessing the FreeIPA API may be using this Kerberos authentication. Most likely the "ipa" command also uses this. If you are authenticated as a FreeIPA user and have Kerberos properly set up you can get SSO via this. You can also set up your users in a "trusted" AD domain to authenticate in the web interface using Negotiate with Kerberos tickets without a password. So it is sometimes beneficial (even on Windows).
>
> The first "fix" disables "Negotiate" authentication for Windows clients. Which means Kerberos login for trusted AD users (if set up) will not work. The second one disables "Negotiate" authentication for all web UI users (even those that are not using Windows).
>
> Contact Jeff Hochberg via FreeIPA-users (<[email protected]>) wrote on Thu, 18 May 2023 at 20:34:
>
>> Amazing!
>>
>> I decided to try both your suggested fix as well as the fix suggested in one of the linked posts - both worked.
>>
>> Your fix:
>> 1. Create /etc/httpd/conf.d/no-login-popup.conf
>> 2. Add the following text:
>>
>> BrowserMatch Windows gssapi-no-negotiate
>>
>> 3. Save and restart httpd
>>
>> I also tested the proposed fix in this post:
>>
>> https://jdshewey.blogspot.com/2017/08/fixing-annoying-popup-in-freeipa.html
>>
>> 1. Edited /etc/httpd/conf.d/ipa-rewrite.conf
>> 2. Added the following to the bottom of the file:
>>
>> #The following disables the annoying kerberos popup for Chrome
>> RewriteCond %{HTTP_COOKIE} !ipa_session
>> RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
>> RewriteRule ^/ipa/session/json$ - [R=401,L]
>> RedirectMatch 401 ^/ipa/session/login_kerberos
>>
>> 3. Restarted httpd
>>
>> I agree with you - I'd have to think others run into this as well. At the very least, there should be an option to enable/disable this in the FreeIPA dashboard.
>>
>> Thanks for the assistance!!!
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
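Ahti's explanation above, that the first "Authorization: Negotiate" header a Windows browser sends on NTLM fallback is an NTLMSSP negotiation message with no user information in it, can be checked on a captured header (for example from the browser's developer tools or a proxy in front of httpd). The following is an added example, not code from this thread or from the FreeIPA project: it base64-decodes a Negotiate header value and reports whether the token is an NTLMSSP NEGOTIATE_MESSAGE (type 1, MS-NLMP layout) or a GSS-API InitialContextToken carrying the SPNEGO or Kerberos 5 mechanism OID, which is what a Kerberos-capable client sends. Both sample tokens are constructed inside the script; the GSS sample is truncated to the outer wrapper and OID, enough to classify it but not a complete SPNEGO token.

```python
import base64
import struct

# Mechanism OIDs found in the GSS-API InitialContextToken (RFC 2743 s3.1).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos 5"}

# NTLMSSP message types (MS-NLMP). Only type 3 carries a user name.
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def build_ntlm_type1(flags=0x00088207):
    """Constructed sample: an NTLMSSP NEGOTIATE_MESSAGE with empty domain and
    workstation fields, i.e. the first thing a browser sends when it falls
    back to NTLM. Built here from the MS-NLMP layout, not captured."""
    msg = b"NTLMSSP\x00"                  # Signature
    msg += struct.pack("<I", 1)           # MessageType = NEGOTIATE_MESSAGE
    msg += struct.pack("<I", flags)       # NegotiateFlags
    msg += struct.pack("<HHI", 0, 0, 0)   # DomainNameFields: len, maxlen, offset
    msg += struct.pack("<HHI", 0, 0, 0)   # WorkstationFields: len, maxlen, offset
    return msg


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def build_gss_token(mech_oid):
    """Constructed sample: the outer GSS-API InitialContextToken
    ([APPLICATION 0] wrapping the mech OID). A real token continues with a
    NegTokenInit or AP-REQ after the OID; this one stops there."""
    inner = b"\x06" + _der_len(len(mech_oid)) + mech_oid
    return b"\x60" + _der_len(len(inner)) + inner


def negotiate_header(token):
    """Format a raw token as the HTTP Authorization header value."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def _parse_der_len(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate(header_value):
    """Decode an Authorization header value and say which mechanism is inside.
    'mechanism' is 'NTLMSSP', 'SPNEGO', 'Kerberos 5' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "unknown", "reason": "scheme is %s" % scheme}
    b64 = b64.strip()
    tok = base64.b64decode(b64 + "=" * (-len(b64) % 4))

    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:
        mtype = struct.unpack_from("<I", tok, 8)[0]
        info = {"mechanism": "NTLMSSP", "message_type": mtype,
                "message_name": NTLM_TYPES.get(mtype, "?")}
        if mtype == 1 and len(tok) >= 32:
            info["flags"] = struct.unpack_from("<I", tok, 12)[0]
            dlen, _, doff = struct.unpack_from("<HHI", tok, 16)
            wlen, _, woff = struct.unpack_from("<HHI", tok, 24)
            # OEM strings; browsers normally leave both empty, so the
            # message identifies no user, domain or host.
            info["domain"] = tok[doff:doff + dlen].decode("ascii", "replace")
            info["workstation"] = tok[woff:woff + wlen].decode("ascii", "replace")
        return info

    if tok[:1] == b"\x60":
        _, pos = _parse_der_len(tok, 1)
        if tok[pos:pos + 1] == b"\x06":
            oid_len, pos = _parse_der_len(tok, pos + 1)
            oid = tok[pos:pos + oid_len]
            return {"mechanism": MECH_NAMES.get(oid, "unknown GSS mech"),
                    "oid": oid.hex()}
    return {"mechanism": "unknown"}


if __name__ == "__main__":
    for tok in (build_ntlm_type1(), build_gss_token(SPNEGO_OID)):
        hdr = negotiate_header(tok)
        print(hdr)
        print("  ->", classify_negotiate(hdr))
```

Run against a header taken from a Windows client that hit the popup, an NTLMSSP type 1 result confirms the fallback Ahti describes (no credentials have left the browser yet); an SPNEGO or Kerberos 5 result means the client did have a ticket, which is the path the BrowserMatch fix above turns off for every Windows user-agent, trusted AD users included.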
