Florence Renaud via FreeIPA-users wrote:
> Hi,
> I am not sure I understand what you mean. The below screenshot should be
> the first thing you see when you go to https://ipaserver.com/ipa/ui/
> (unless you need to accept the security exception if the CA is not
> trusted yet by the browser).
>
> Is a custom configuration applied to the http instance (for instance in
> /etc/httpd/conf/httpd.conf)?

IIRC some browsers, notably on Windows, when the initial GSSAPI handshake
fails because there is no ticket, may either throw an error because they are
trying NTLM auth or don't understand the basic fallback.

What browser(s) are you seeing the issue on?

Note that this particular block protects all of /ipa auth (CLI, UI, etc) so
it is not something we recommend disabling or tweaking.

rob

> flo
>
> On Tue, Sep 21, 2021 at 2:13 PM Per Qvindesland via FreeIPA-users
> <[email protected]> wrote:
>
> > Hi
> >
> > There is one thing that I have never really understood, when a user
> > goes to https://ipaserver.com/ipa/ui/ he/she gets an Apache login
> > prompt and has to click cancel a couple of times before getting to
> > the IPA login screen.
> >
> > It seems to be caused by /etc/httpd/conf.d/ipa.conf which has the
> > configuration below, why is that even there when it's not even
> > logging users into IPA?
> >
> > Regards
> > Per
> >
> > <Location "/ipa">
> >   AuthType GSSAPI
> >   AuthName "Kerberos Login"
> >   GssapiUseSessions On
> >   Session On
> >   SessionCookieName ipa_session path=/ipa;httponly;secure;
> >   SessionHeader IPASESSION
> >   # Uncomment the following to have shorter sessions, but beware this may break
> >   # old IPA client tools that incorrectly parse cookies.
> >   # SessionMaxAge 1800
> >   GssapiSessionKey file:/etc/httpd/alias/ipasession.key
> >
> >   GssapiImpersonate On
> >   GssapiDelegCcacheDir /run/ipa/ccaches
> >   GssapiDelegCcachePerms mode:0660
> >   GssapiDelegCcacheUnique On
> >   GssapiUseS4U2Proxy on
> >   GssapiAllowedMech krb5
> >   Require valid-user
> >   ErrorDocument 401 /ipa/errors/unauthorized.html
> >   WSGIProcessGroup ipa
> >   WSGIApplicationGroup ipa
> >   Header always append X-Frame-Options DENY
> >   Header always append Content-Security-Policy "frame-ancestors 'none'"
> >
> >   # mod_session always sets two copies of the cookie, and this confuses our
> >   # legacy clients, the unset here works because it ends up unsetting only one
> >   # of the 2 header tables set by mod_session, leaving the other intact
> >   Header unset Set-Cookie
> >
> >   # Disable etag http header. Doesn't work well with mod_deflate
> >   # https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
> >   # Usage of last-modified header and modified-since validator is sufficient.
> >   Header unset ETag
> >   FileETag None
> > </Location>
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
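
Added example, not part of the thread and not FreeIPA's own code: because the reply above advises against disabling or tweaking the `/ipa` block, this small audit confirms that an edited ipa.conf still carries the block's protective directives. The function names and the choice of directives to check are assumptions, and the sample is constructed from the configuration quoted in the thread.

```python
import re

# Directives a change made to silence the browser prompt would most likely drop.
REQUIRED = {"authtype": "gssapi", "require": "valid-user", "gssapiallowedmech": "krb5",
            "errordocument": "401 /ipa/errors/unauthorized.html"}
HEADERS = ("x-frame-options deny", "frame-ancestors 'none'")
# Constructed sample: the security-relevant lines of the block quoted in the thread.
SAMPLE = '''<Location "/ipa">
    AuthType GSSAPI
    SessionCookieName ipa_session path=/ipa;httponly;secure;
    # SessionMaxAge 1800
    GssapiAllowedMech krb5
    Require valid-user
    ErrorDocument 401 /ipa/errors/unauthorized.html
    Header always append X-Frame-Options DENY
    Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
'''

def location_directives(conf_text, path="/ipa"):
    """Return {directive: [args, ...]} for <Location "path">, or None if absent."""
    found, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not in effect
        opened = re.match(r'<Location\s+"?([^">\s]+)"?\s*>$', line, re.I)
        if opened:
            inside = opened.group(1) == path
        elif inside and line.lower() == "</location>":
            return found
        elif inside:
            name, *args = line.split()
            found.setdefault(name.lower(), []).append(" ".join(args))
    return None

def audit(conf_text):
    """Return findings; an empty list means the protective directives are present."""
    block = location_directives(conf_text)
    if block is None:
        return ['no <Location "/ipa"> block found']
    out = [f"{name} is not '{want}'" for name, want in REQUIRED.items()
           if want not in [a.lower() for a in block.get(name, [])]]
    flags = " ".join(block.get("sessioncookiename", [])).lower().split(";")
    out += [f"session cookie lacks '{f}'" for f in ("httponly", "secure")
            if f not in [p.strip() for p in flags]]
    headers = " ".join(block.get("header", [])).lower()
    out += [f"header missing: {h}" for h in HEADERS if h not in headers]
    return out
```

Running `audit(open("/etc/httpd/conf.d/ipa.conf").read())` after a configuration change returns an empty list when nothing protective was removed.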
