[Freeipa-users] Re: How to disable browser-based Kerberos?

2018-01-02 Thread Robbie Harwood via FreeIPA-users
Anthony Clark via FreeIPA-users writes:

> Please ignore, bad copy and paste.
>
> Version 22 of the ipa.conf (the second pasted config section) is the one
> that works correctly.
>
> Is there a way to disable Kerberos browser-side popup password box in
> version 27 of the ipa.conf file?

My Apache configuration knowledge is not deep enough to answer your
question directly.  However:

If I understand what you're asking: the error is caused by Windows
browsers (Chrome, IE, and Edge but not Firefox) not handling GSSAPI
negotiate requests correctly.  We have added a new feature to
mod_auth_gssapi for this - set the environment variable

BrowserMatch Windows gssapi-no-negotiate

and Windows clients will not see the box.

(This feature was added in mod_auth_gssapi version 1.6.0, which is in
Fedora >= 27; this feature will also be a part of el7.5.)

Thanks,
--Robbie


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
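
An added example, not part of the thread and not code from mod_auth_gssapi or FreeIPA: a small Python model of how mod_setenvif evaluates `BrowserMatch` lines, used to see which User-Agents end up with `gssapi-no-negotiate` set by the rule from the reply. The User-Agent strings and the second rule in `VARIANT` are constructed assumptions, not taken from the posts.

```python
import re

def apply_browsermatch(directives, user_agent):
    """Return the env vars the BrowserMatch lines would leave set for this User-Agent."""
    env = {}
    for line in directives.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Simplification: patterns with quoted spaces are not handled.
        name, pattern, *assignments = line.split()
        if name == "BrowserMatch":
            flags = 0                      # plain BrowserMatch is case-sensitive
        elif name == "BrowserMatchNoCase":
            flags = re.IGNORECASE
        else:
            raise ValueError(f"unsupported directive: {name}")
        if not re.search(pattern, user_agent, flags):
            continue
        for item in assignments:
            if item.startswith("!"):
                env.pop(item[1:], None)    # "!var" removes the variable
            else:
                var, _, value = item.partition("=")
                env[var] = value or "1"    # a bare name is set to "1"
    return env

def negotiate_suppressed(directives, user_agent):
    """True when gssapi-no-negotiate is present after all rules have run."""
    return "gssapi-no-negotiate" in apply_browsermatch(directives, user_agent)

# Rule quoted in the reply above.
THREAD_RULE = "BrowserMatch Windows gssapi-no-negotiate"
# Hypothetical variant (assumption): later rule clears the flag again for Firefox.
VARIANT = THREAD_RULE + "\nBrowserMatch Firefox !gssapi-no-negotiate"

# Constructed sample User-Agent strings.
CHROME_WIN = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36")
FIREFOX_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"

if __name__ == "__main__":
    for label, ua in [("Chrome/Windows", CHROME_WIN), ("Firefox/Windows", FIREFOX_WIN),
                      ("Firefox/Linux", FIREFOX_LINUX)]:
        print(f"{label:16} thread rule: {negotiate_suppressed(THREAD_RULE, ua)!s:5} "
              f"variant: {negotiate_suppressed(VARIANT, ua)}")
```

The rule as posted matches any User-Agent containing "Windows", so Firefox on Windows is covered by it too; rules are applied in order, which is why the later `!gssapi-no-negotiate` line in the variant takes effect.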


[Freeipa-users] Re: How to disable browser-based Kerberos?

2017-12-30 Thread Anthony Clark via FreeIPA-users
Please ignore, bad copy and paste.

Version 22 of the ipa.conf (the second pasted config section) is the one
that works correctly.

Is there a way to disable Kerberos browser-side popup password box in
version 27 of the ipa.conf file?

Apologies for the confusion :(

On Sat, Dec 30, 2017 at 11:04 AM, Anthony Clark wrote:

> In the previous versions of FreeIPA, this worked to disable the
> browser-side Kerberos login prompt:
>
> # version 27 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> 
>   
>   AuthType GSSAPI
>   AuthName "Kerberos Login"
>   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>   GssapiDelegCcacheUnique On
>   GssapiUseS4U2Proxy on
>   GssapiAllowedMech krb5
>   Require valid-user
>   ErrorDocument 401 /ipa/errors/unauthorized.html
>   
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
>   Header always append X-Frame-Options DENY
>   Header always append Content-Security-Policy "frame-ancestors 'none'"
> 
>
> I've been asked to disable the password dialog popup because it is
> confusing to end users.
>
> Before, in ipa.conf this worked to disable the dialog popup:
>
> # version 22 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> 
>   
>   AuthType GSSAPI
>   AuthName "Kerberos Login"
>   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>   GssapiDelegCcacheUnique On
>   GssapiUseS4U2Proxy on
>   GssapiAllowedMech krb5
>   Require valid-user
>   ErrorDocument 401 /ipa/errors/unauthorized.html
>   
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
>   Header always append X-Frame-Options DENY
>   Header always append Content-Security-Policy "frame-ancestors 'none'"
> 
>
> But inserting the "If useragent = chrome/ie" now just gives me a
> "forbidden" popup.
>
> Does anyone know of a way to disable the browser's Kerberos password popup?
>
> Thanks,
>
> Anthony Clark
>