In the previous versions of FreeIPA, this worked to disable the browser-side Kerberos login prompt:
# version 27 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
    GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
    GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
    GssapiDelegCcacheUnique On
    GssapiUseS4U2Proxy on
    GssapiAllowedMech krb5
    Require valid-user
    ErrorDocument 401 /ipa/errors/unauthorized.html
  </If>
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
I've been asked to disable the password dialog popup because it is confusing to end users.
Before, in ipa.conf this worked to disable the dialog popup:
# version 22 ipa.conf
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
    GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
    GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
    GssapiDelegCcacheUnique On
    GssapiUseS4U2Proxy on
    GssapiAllowedMech krb5
    Require valid-user
    ErrorDocument 401 /ipa/errors/unauthorized.html
  </If>
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
But inserting the "If useragent = chrome/ie" now just gives me a "forbidden" popup.
Does anyone know of a way to disable the browser's Kerberos password popup?
Thanks,
Anthony Clark
Please ignore, bad copy and paste.
Version 22 of the ipa.conf (the second pasted config section) is the one that works correctly.
Is there a way to disable Kerberos browser-side popup password box in version 27 of the ipa.conf file?
Apologies for the confusion :(
On Sat, Dec 30, 2017 at 11:04 AM, Anthony Clark anthonyclarka2@gmail.com wrote:
> In the previous versions of FreeIPA, this worked to disable the browser-side Kerberos login prompt:
>
> # version 27 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> <Location "/ipa">
>   <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
>     AuthType GSSAPI
>     AuthName "Kerberos Login"
>     GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>     GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>     GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>     GssapiDelegCcacheUnique On
>     GssapiUseS4U2Proxy on
>     GssapiAllowedMech krb5
>     Require valid-user
>     ErrorDocument 401 /ipa/errors/unauthorized.html
>   </If>
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
>   Header always append X-Frame-Options DENY
>   Header always append Content-Security-Policy "frame-ancestors 'none'"
> </Location>
>
> I've been asked to disable the password dialog popup because it is confusing to end users.
> Before, in ipa.conf this worked to disable the dialog popup:
>
> # version 22 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> <Location "/ipa">
>   <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
>     AuthType GSSAPI
>     AuthName "Kerberos Login"
>     GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>     GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>     GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>     GssapiDelegCcacheUnique On
>     GssapiUseS4U2Proxy on
>     GssapiAllowedMech krb5
>     Require valid-user
>     ErrorDocument 401 /ipa/errors/unauthorized.html
>   </If>
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
>   Header always append X-Frame-Options DENY
>   Header always append Content-Security-Policy "frame-ancestors 'none'"
> </Location>
>
> But inserting the "If useragent = chrome/ie" now just gives me a "forbidden" popup.
> Does anyone know of a way to disable the browser's Kerberos password popup?
> Thanks,
> Anthony Clark
Anthony Clark via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> Please ignore, bad copy and paste.
> Version 22 of the ipa.conf (the second pasted config section) is the one that works correctly.
> Is there a way to disable Kerberos browser-side popup password box in version 27 of the ipa.conf file?
My Apache configuration knowledge is not deep enough to answer your question directly. However:
If I understand what you're asking: the error is caused by Windows browsers (Chrome, IE, and Edge but not Firefox) not handling GSSAPI negotiate requests correctly. We have added a new feature to mod_auth_gssapi for this - set the environment variable
BrowserMatch Windows gssapi-no-negotiate
and Windows clients will not see the box.
(This feature was added in mod_auth_gssapi version 1.6.0, which is in Fedora >= 27; this feature will also be a part of el7.5.)
Thanks, --Robbie
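
The suggestion above applied to the /ipa block from the original question, as an added example that is not part of the thread and not FreeIPA's shipped ipa.conf. It drops the User-Agent <If> wrapper so the GSSAPI directives and Require valid-user apply to every client. Placing BrowserMatch at server level above the <Location> is an assumption; the directive comes from mod_setenvif.

```apache
# Added example, not from the thread.
# Assumes mod_setenvif is loaded and mod_auth_gssapi is 1.6.0 or later.

# For clients whose User-Agent contains "Windows", tell mod_auth_gssapi
# not to offer Negotiate in its 401 response, so the browser has no
# challenge to turn into a password dialog.
BrowserMatch Windows gssapi-no-negotiate

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  # No <If> on HTTP_USER_AGENT here: the authentication requirement is
  # unconditional and does not depend on a client-supplied header.
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
  GssapiDelegCcacheUnique On
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
  Header always append X-Frame-Options DENY
  Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
```

The User-Agent value only decides whether the Negotiate challenge is advertised; unauthenticated requests still receive the 401 and the configured ErrorDocument.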