Hi There is one thing that i have never really understood, when a user goes to
https://ipaserver.com/ipa/ui/ he/she get's a Apache login prompt and has to click
cancel a coulple of times before getting to the Ipa login screen.It seems to be caused by
/etc/httpd/conf.d/ipa.conf which has the configuration below, why is that even there when
it's not even logging users into Ipa?'RegardsPer<Location "/ipa">
AuthType GSSAPI AuthName "Kerberos Login" GssapiUseSessions On Session On
SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION #
Uncomment the following to have shorter sessions, but beware this may break # old IPA
client tols that incorrectly parse cookies. # SessionMaxAge 1800 GssapiSessionKey
file:/etc/httpd/alias/ipasession.key GssapiImpersonate On GssapiDelegCcacheDir
/run/ipa/ccaches GssapiDelegCcachePerms mode:0660 GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user ErrorDocument 401
/ipa/errors/unauthorized.html WSGIProcessGroup ipa WSGIApplicationGroup ipa Header
always append X-Frame-Options DENY Header always append Content-Security-Policy
"frame-ancestors 'none'" # mod_session always sets two copies of the
cookie, and this confuses our # legacy clients, the unset here works because it ends up
unsetting only one # of the 2 header tables set by mod_session, leaving the other intact
Header unset Set-Cookie # Disable etag http header. Doesn't work well with
mod_deflate #
https://issues.apache.org/bugzilla/show_bug.cgi?id=45023 # Usage of
last-modified header and modified-since validator is sufficient. Header unset ETag
FileETag None</Location>