Hi, I am not sure I understand what you mean. The below screenshot should be the first thing you see when you go to https://ipaserver.com/ipa/ui/ (unless you need to accept the security exception if the CA is not trusted yet by the browser).
Is a custom configuration applied to the http instance (for instance in /etc/httpd/conf/httpd.conf)? flo On Tue, Sep 21, 2021 at 2:13 PM Per Qvindesland via FreeIPA-users < [email protected]> wrote: > Hi > > There is one thing that i have never really understood, when a user goes > to https://ipaserver.com/ipa/ui/ he/she get's a Apache login prompt and > has to click cancel a coulple of times before getting to the Ipa login > screen. > > It seems to be caused by /etc/httpd/conf.d/ipa.conf which has the > configuration below, why is that even there when it's not even logging > users into Ipa? > ' > Regards > Per > > > > <Location "/ipa"> > AuthType GSSAPI > AuthName "Kerberos Login" > GssapiUseSessions On > Session On > SessionCookieName ipa_session path=/ipa;httponly;secure; > SessionHeader IPASESSION > # Uncomment the following to have shorter sessions, but beware this may > break > # old IPA client tols that incorrectly parse cookies. > # SessionMaxAge 1800 > GssapiSessionKey file:/etc/httpd/alias/ipasession.key > > GssapiImpersonate On > GssapiDelegCcacheDir /run/ipa/ccaches > GssapiDelegCcachePerms mode:0660 > GssapiDelegCcacheUnique On > GssapiUseS4U2Proxy on > GssapiAllowedMech krb5 > Require valid-user > ErrorDocument 401 /ipa/errors/unauthorized.html > WSGIProcessGroup ipa > WSGIApplicationGroup ipa > Header always append X-Frame-Options DENY > Header always append Content-Security-Policy "frame-ancestors 'none'" > > # mod_session always sets two copies of the cookie, and this confuses our > # legacy clients, the unset here works because it ends up unsetting only > one > # of the 2 header tables set by mod_session, leaving the other intact > Header unset Set-Cookie > > # Disable etag http header. Doesn't work well with mod_deflate > # https://issues.apache.org/bugzilla/show_bug.cgi?id=45023 > # Usage of last-modified header and modified-since validator is > sufficient. > Header unset ETag > FileETag None > </Location> > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
