Chrome in Windows is trying to be helpful and present your Windows-based
Kerberos credentials to FreeIPA.

To "fix" this, you either disable Kerberos in Chrome (not sure how to do
that) or change your FreeIPA httpd config a bit:

# /etc/httpd/conf.d/ipa.conf line 64 or thereabouts, the <Location "/ipa"> section:
    <If "%{HTTP_USER_AGENT} !~ /Chrome/">
      AuthType GSSAPI
      AuthName "Kerberos Login"
      GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
      GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
      GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
      GssapiUseS4U2Proxy on
      Require valid-user
      ErrorDocument 401 /ipa/errors/unauthorized.html
    </If>

Hope this helps. If there's a better way, someone please let me know :)

-Anthony


On Thu, Jun 23, 2016 at 2:11 PM, Prasun Gera <prasun.g...@gmail.com> wrote:

> Image attached. I don't use Windows much, but I noticed this on a Windows
> machine with Chrome. Before the actual login page is displayed, this login
> dialog is displayed. Further, the credentials don't work in this dialog.
>
> Env: RHEL 7.2, idm 4.x
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
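
An added check for the workaround above (not part of the original message or of FreeIPA): it requests a URL under /ipa with two constructed User-Agent strings and reports whether httpd offers a Negotiate challenge to each. The URL argument is assumed to be a path under /ipa that your deployment protects with GSSAPI; because the User-Agent header is set by the client, the result tells you only which browsers get prompted.

```shell
#!/bin/sh
# Added example: which User-Agents does httpd challenge with Negotiate?
# The two User-Agent strings below are constructed samples.

# Read response headers on stdin; succeed if a Negotiate challenge is offered.
offers_negotiate() {
    tr -d '\r' | grep -iqE '^www-authenticate:[[:space:]]*negotiate([[:space:]]|$)'
}

# Read response headers on stdin; print the status code of the last response.
status_code() {
    tr -d '\r' | awk '/^HTTP\// { code = $2 } END { print code }'
}

# Read response headers on stdin; print a one-word verdict.
classify() {
    headers=$(cat)
    code=$(printf '%s\n' "$headers" | status_code)
    if printf '%s\n' "$headers" | offers_negotiate; then
        echo "challenge"
    elif [ "$code" = "401" ]; then
        echo "401-without-negotiate"
    else
        echo "no-challenge:$code"
    fi
}

# probe URL USER_AGENT: fetch headers only, sending no credentials.
probe() {
    curl -sS -o /dev/null -D - -A "$2" "$1" | classify
}

# Usage: sh check.sh https://<ipa-host>/<path under /ipa>
if [ "$#" -eq 1 ]; then
    for ua in \
        "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/51.0 Safari/537.36" \
        "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0"
    do
        printf '%s\n  -> %s\n' "$ua" "$(probe "$1" "$ua")"
    done
fi
```

With the `<If>` block from the message in place, the Chrome string should not report `challenge` and the Firefox string should.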