For some extra context. This has to do with "Negotiate" authentication.
It is there to allow single sign on via Kerberos. However on Windows, if
"Negotiate" with kerberos fails, the browser will try to fall back to try
NTLM (which, I think, freeIPA does not support anyway). Browser asks for
your password to set up the NTLM hashes. Why it does this before checking
if NTLM is available escapes me. When browser sends the first Negotiate
authorization header with NTLMSSP content (which is a negotiation type
message that does not contain any user information) it receives 401 and
does not continue. So in reality it is not "Basic Auth".
I believe some of the tools accessing freeIPA API may be using this
kerberos authentication. Most likely the "ipa" command also uses this. If
you are authenticated as a freeIPA user and have kerberos properly set up
you can get SSO via this. You can also set up your users in a "trusted" AD
domain to authenticate in the web interface using Negotiate with kerberos
tickets without a password. So it is sometimes beneficial (even on Windows).
The first "fix" disables "Negotiate" authentication for windows
clients.
Which means kerberos login for trusted AD users (if set up) will not work.
The second one disables "Negotiate" authentication for all web UI users
(even those that are not using windows).
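A small classifier for that first "Authorization: Negotiate" header, added here as an example and not code from the thread or from FreeIPA; it tells an NTLMSSP negotiate message apart from a SPNEGO/Kerberos token so the Windows fallback can be counted. The sample tokens are constructed, and a server only sees such headers if it logs the Authorization request header.

```python
import base64

# Signatures of the two token families a browser can send in an
# "Authorization: Negotiate ..." header.
NTLM_SIGNATURE = b"NTLMSSP\x00"                        # NTLMSSP messages
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # OID 1.2.840.113554.1.2.2

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short-form length only; enough for these samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed sample tokens (not captured from a real session).
# NTLM Type 1: signature, message type 1, zero flags, empty domain/workstation fields.
_NTLM_TYPE1 = NTLM_SIGNATURE + (1).to_bytes(4, "little") + bytes(4) + bytes(16)
NTLM_TYPE1_HEADER = _negotiate_header(_NTLM_TYPE1)
# SPNEGO NegTokenInit whose mechTypes list offers only Kerberos 5.
_SPNEGO_KRB5 = _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, KRB5_OID)))))
SPNEGO_KRB5_HEADER = _negotiate_header(_SPNEGO_KRB5)

def classify_negotiate_token(header_value: str) -> str:
    """Say which mechanism an Authorization header actually carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLM_SIGNATURE):
        # Bytes 8..12 hold the NTLM message type (1 = negotiate, 3 = authenticate).
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return f"ntlmssp-type{msg_type}"
    if token[:1] == b"\x60" and SPNEGO_OID in token[:12]:
        return "spnego-kerberos" if KRB5_OID in token else "spnego-other"
    if token[:1] == b"\x60" and KRB5_OID in token[:12]:
        return "raw-kerberos"
    return "unknown"

def count_ntlm_fallbacks(headers) -> int:
    """Count NTLM negotiate attempts, i.e. the Windows fallback the thread describes."""
    return sum(1 for h in headers if classify_negotiate_token(h) == "ntlmssp-type1")
```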
Jeff Hochberg via FreeIPA-users (<freeipa-users(a)lists.fedorahosted.org>) wrote on Thu, 18 May 2023 at 20:34:
Amazing!
I decided to try both your suggested fix as well as the fix suggested in
one of the linked posts - both worked.
Your fix:
1. Create /etc/httpd/conf.d/no-login-popup.conf
2. Add the following text:
BrowserMatch Windows gssapi-no-negotiate
3. Save and restart httpd
I also tested the proposed fix in this post:
https://jdshewey.blogspot.com/2017/08/fixing-annoying-popup-in-freeipa.html
1. Edited /etc/httpd/conf.d/ipa-rewrite.conf
2. Added the following to the bottom of the file:
#The following disables the annoying kerberos popup for Chrome
RewriteCond %{HTTP_COOKIE} !ipa_session
RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
RewriteRule ^/ipa/session/json$ - [R=401,L]
RedirectMatch 401 ^/ipa/session/login_kerberos
3. Restarted httpd
I agree with you - I'd have to think others run into this as well. At the
very least, there should be an option to enable/disable this in the FreeIPA
dashboard.
Thanks for the assistance!!!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org