Florence Renaud via FreeIPA-users wrote:
Hi,
I am not sure I understand what you mean. The below screenshot should be
the first thing you see when you go to
https://ipaserver.com/ipa/ui/
(unless you need to accept the security exception if the CA is not
trusted yet by the browser).
Is a custom configuration applied to the http instance (for instance in
/etc/httpd/conf/httpd.conf)?
IIRC some browsers, notably on Windows, when the initial GSSAPI
handshake fails because there is no ticket, may either throw an error
because they are trying NTLM auth or don't understand the basic fallback.
What browser(s) are you seeing the issue on?
Note that this particular block protects all of /ipa auth (CLI, UI, etc)
so it is not something we recommend disabling or tweaking.
rob
flo
On Tue, Sep 21, 2021 at 2:13 PM Per Qvindesland via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hi
There is one thing that I have never really understood, when a user
goes to
https://ipaserver.com/ipa/ui/ he/she gets an Apache login
prompt and has to click cancel a couple of times before getting to
the IPA login screen.
It seems to be caused by /etc/httpd/conf.d/ipa.conf which has the
configuration below, why is that even there when it's not even
logging users into IPA?
Regards
Per
<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiUseSessions On
  Session On
  SessionCookieName ipa_session path=/ipa;httponly;secure;
  SessionHeader IPASESSION
  # Uncomment the following to have shorter sessions, but beware this may break
  # old IPA client tools that incorrectly parse cookies.
  # SessionMaxAge 1800
  GssapiSessionKey file:/etc/httpd/alias/ipasession.key
  GssapiImpersonate On
  GssapiDelegCcacheDir /run/ipa/ccaches
  GssapiDelegCcachePerms mode:0660
  GssapiDelegCcacheUnique On
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"
  # mod_session always sets two copies of the cookie, and this confuses our
  # legacy clients, the unset here works because it ends up unsetting only one
  # of the 2 header tables set by mod_session, leaving the other intact
  Header unset Set-Cookie
  # Disable etag http header. Doesn't work well with mod_deflate
  # https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
  # Usage of last-modified header and modified-since validator is sufficient.
  Header unset ETag
  FileETag None
</Location>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
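
Added example, not part of the original thread and not FreeIPA's own code: a Python check for the question of whether a custom httpd configuration is applied, comparing a <Location "/ipa"> block against the authentication-related directives in the block posted above. The function names, the choice of directives to compare, and the DRIFTED sample are assumptions made for illustration.

```python
import re

# Values copied from the <Location "/ipa"> block quoted in the thread.
EXPECTED = {
    "authtype": "GSSAPI",
    "gssapiallowedmech": "krb5",
    "require": "valid-user",
    "errordocument": "401 /ipa/errors/unauthorized.html",
}

def location_block(conf_text, path="/ipa"):
    """Return {directive: [values]} for <Location "path">, or None if absent."""
    pat = r'<Location\s+"?%s"?\s*>(.*?)</Location>' % re.escape(path)
    m = re.search(pat, conf_text, re.S | re.I)
    if not m:
        return None
    found = {}
    for line in m.group(1).splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def audit(conf_text):
    """List differences from the posted block that affect authentication."""
    block = location_block(conf_text)
    if block is None:
        return ['no <Location "/ipa"> block']
    findings = []
    for name, want in EXPECTED.items():
        got = block.get(name, [])
        if [v.lower() for v in got] != [want.lower()]:
            findings.append(f"{name}: expected {want!r}, found {got}")
    cookie = " ".join(block.get("sessioncookiename", [])).lower()
    findings += [f"sessioncookiename: missing {a}" for a in ("httponly", "secure") if a not in cookie]
    return findings

# Constructed samples: POSTED is a subset of the block in the thread,
# DRIFTED is a hypothetical local edit of it.
POSTED = '''<Location "/ipa">
  AuthType GSSAPI
  SessionCookieName ipa_session path=/ipa;httponly;secure;
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>'''
DRIFTED = POSTED.replace("AuthType GSSAPI", "AuthType Basic").replace(";secure;", ";")

if __name__ == "__main__":
    print(audit(POSTED), audit(DRIFTED), sep="\n")
```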