On Wed, 27 Jul 2016, Baird, Josh wrote:
> We are running the most recent IPA packages in RHEL7 and are facing a
> few issues when accessing the web console:
> First, since we utilize a Kerberos trust with AD, we had to create
> 'internal' IPA users that we use to log in to the web console. I
> believe it is expected that AD users cannot log in to the web console,
> but this may be coming in a future version?

Correct. Not supported right now.

> Secondly, when we browse to the web console from a Windows system that
> is joined to our AD domain, we first see a 'basic auth' popup that asks
> us for our user credentials. No username or password is accepted here.
> If we hit 'Escape' the normal IPA forms-based authentication appears.
> We are able to log in via this form. What is causing the 'basic auth'

In short -- bugs in your browser, specifically, in Chrome. Chrome is
pretty bad in its handling of the Negotiate authentication response, it does
assume too much and doesn't use the proper negotiation flow.
mod_auth_gssapi has some way to handle it other than completely
disabling the Negotiate header but it is still not a fully solved problem.
https://github.com/modauthgssapi/mod_auth_gssapi/pull/65 has more

> Lastly, we are not able to log in *unless* we use Chrome's 'incognito
> mode.' If we browse to the web console in a normal browser, we first
> have to escape out of the 'basic-auth' window, but after we input our
> username/password into the form, another 'basic-auth' window pops up.
> If we escape out of this, the forms-based login now displays 'Your
> session has expired. Please re-login.' Because of this, we *have* to
> use Chrome's incognito function.

That's a Chrome bug when Negotiate fails but is still offered by the server.
/ Alexander Bokovoy