Florence Renaud via FreeIPA-users wrote:
IIRC some browsers, notably on Windows, when the initial GSSAPI
handshake fails because there is no ticket, may either throw an error
because they are trying NTLM auth or don't understand the basic fallback.
What browser(s) are you seeing the issue on?
I see this on Windows 10 Home with Chrome 93.0.4577.82 (and older versions).
I get two login prompts - the first is caused by a POST to /ipa/session/json resulting in
a 401.
The second is caused by a GET for /ipa/session/login_kerberos?_=<some timestamp>.
Both responses have the WWW-Authenticate: Negotiate header.
I happen to have MIT Kerberos for Windows installed--that may or may not be relevant.
I've not (as far as I remember) configured Chrome to try to use SPNEGO to talk to my
IPA servers so this may not be relevant.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9