I am not sure I understand what you mean. The below screenshot should be the first thing you see when you go to https://ipaserver.com/ipa/ui/ (unless you need to accept the security exception if the CA is not trusted yet by the browser).

Is a custom configuration applied to the http instance (for instance in /etc/httpd/conf/httpd.conf)?

On Tue, Sep 21, 2021 at 2:13 PM Per Qvindesland via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

There is one thing that I have never really understood: when a user goes to https://ipaserver.com/ipa/ui/ he/she gets an Apache login prompt and has to click cancel a couple of times before getting to the Ipa login screen.

It seems to be caused by /etc/httpd/conf.d/ipa.conf which has the configuration below. Why is that even there when it's not even logging users into Ipa?

<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiUseSessions On
  Session On
  SessionCookieName ipa_session path=/ipa;httponly;secure;
  SessionHeader IPASESSION
  # Uncomment the following to have shorter sessions, but beware this may break
  # old IPA client tools that incorrectly parse cookies.
  # SessionMaxAge 1800
  GssapiSessionKey file:/etc/httpd/alias/ipasession.key

  GssapiImpersonate On
  GssapiDelegCcacheDir /run/ipa/ccaches
  GssapiDelegCcachePerms mode:0660
  GssapiDelegCcacheUnique On
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"

  # mod_session always sets two copies of the cookie, and this confuses our
  # legacy clients, the unset here works because it ends up unsetting only one
  # of the 2 header tables set by mod_session, leaving the other intact
  Header unset Set-Cookie

  # Disable etag http header. Doesn't work well with mod_deflate
  # https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
  # Usage of last-modified header and modified-since validator is sufficient.
  Header unset ETag
  FileETag None