[Freeipa-users] Re: Eliminating Basic Auth Prompt When Accessing FreeIPA Direct

For some extra context. This has to do with "Negotiate" authentication. It is there to allow single sign on via Kerberos. However on Windows, if "Negotiate" with kerberos fails, the browser will try to fall back to try NTLM (which, I think, freeIPA does not support anyway). Browser asks for your password to set up the NTLM hashes. Why it does this before checking if NTLM is available escapes me. When browser sends the first Negotiate authorization header with NTLMSSP content (which is a negotiation type message that does not contain any user information) it receceives 401 and does not continue. So in reality it is not "Basic Auth". I believe some of the tools accessing freeIPA API may be using this kerberos authentication. Most likely the "ipa" command also uses this. If you are authenticated as a freeIPA user and have kerberos properly set up you can get SSO via this. You can also set up your users in a "trusted" AD domain to authenticate in the web interface using Negotiate with kerberos tickets without a password. So it is sometimes beneficial (even on Windows). The first "fix" disables "Negotiate" authentication for windows clients. Which means kerberos login for trusted AD users (if set up) will not work. The second one disables "Negotiate" authentication for all web UI users (even those that are not using windows). Kontakt Jeff Hochberg via FreeIPA-users (< freeipa-users(a)lists.fedorahosted.org>) kirjutas kuupäeval N, 18. mai 2023 kell 20:34: