Server sends only WWW-Authenticate:Negotiate (not Basic) and Chrome still presents a password dialog
Reported by
chanli...@googlemail.com,
May 28 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0

Steps to reproduce the problem:
Open https://iqwiki.iqo.uni-hannover.de/testneg/

What is the expected behavior?
You likely do not have Kerberos credentials for our Kerberos realm and very likely have not configured our wiki as a trusted site in the IE settings, so you should just see a login screen which is delivered as the content of the HTTP response.

What went wrong?
The server sends a 401 and WWW-Authenticate:Negotiate. If the client cannot do Kerberos negotiate auth, it should just display the content received and not present any dialog boxes. Instead, it presents a dialog box as for basic auth.

Did this work before? No

Does this work in other browsers? Yes

Chrome version: 58.0.3029.110 (64-bit) Channel: stable
OS Version: 7
Flash Version:

This might be related to https://bugs.chromium.org/p/chromium/issues/detail?id=133254 and https://bugs.chromium.org/p/chromium/issues/detail?id=504381

Using the Chromium that ships with Debian stable, I do not observe the issue.

On Windows, if I do configure our site as a trusted site in the IE settings and enable auto-logon for trusted sites, the dialog box goes away, but negotiate auth still does not work.
,
Sep 20
The page still sends a WWW-Authenticate:Negotiate header, and I do see the dialog on Chrome Canary for Windows 10 still. Not on Linux or Mac, however. Edge for Windows also shows the dialog. Firefox for Windows and Safari for macOS do not. This all seems quite inconsistent, and I don't know what the correct answer is. ricea@, this seems a bit similar to issue 504024, can you help triage?
,
Sep 20
+asanka is this behaviour expected?
,
Oct 5
Negotiate doesn't necessarily mean Kerberos. Chrome currently doesn't restrict the underlying platform or authentication library from picking out whichever mechanism they see fit. On Windows, this means that NTLM remains an option. NTLM is also an option on macOS if you configure it. Either way, the reason you see a prompt on Windows with both Edge and Chrome is that SSPI supports NTLM with explicit credentials. On Linux, Chrome OS, and macOS (with no NTLM configuration) the underlying libraries don't support explicit credentials. So there's no prompt.
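Because Negotiate can carry NTLM as well as Kerberos, as the comment above explains, a server operator can check which mechanism a client actually sends back. The following is an added example, not part of the original thread or of Chrome's code: it classifies the first `Authorization: Negotiate` value of a request. The function names and the sample tokens are constructed for illustration, and the OID search is a heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_negotiate(value):
    """Report which mechanism an 'Authorization: Negotiate <b64>' value carries."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"wrapper": "not-negotiate", "mechs": []}
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"wrapper": "malformed", "mechs": []}
    if token.startswith(NTLM_SIG) and len(token) >= 12:
        # Bare NTLMSSP message: signature, then little-endian message type.
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return {"wrapper": "raw-ntlm", "mechs": ["ntlm"],
                "ntlm_message": NTLM_TYPES.get(msg_type, "UNKNOWN")}
    if token[:1] == b"\x60":  # GSS-API initial token (APPLICATION 0)
        # Heuristic: look for the DER OID bytes instead of walking the ASN.1.
        mechs = []
        if OID_KRB5 in token or OID_MS_KRB5 in token:
            mechs.append("kerberos")
        if OID_NTLM in token:
            mechs.append("ntlm")
        wrapper = "spnego" if OID_SPNEGO in token[:16] else "raw-gss"
        return {"wrapper": wrapper, "mechs": mechs}
    return {"wrapper": "unknown", "mechs": []}


def _tlv(tag, body):
    """DER tag-length-value, short-form length only (enough for the samples)."""
    return bytes([tag, len(body)]) + body


def constructed_samples():
    """Constructed tokens, not captured traffic."""
    ntlm = NTLM_SIG + struct.pack("<II", 1, 0)
    mech_list = _tlv(0xA0, _tlv(0x30, OID_KRB5 + OID_NTLM))
    spnego = _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, mech_list)))
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode()
    return {"ntlm": enc(ntlm), "spnego": enc(spnego)}
```

A `raw-ntlm` result, or an `spnego` result whose mechanism list includes `ntlm`, indicates a client that can fall back to NTLM for this site rather than using Kerberos alone.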
Comment 1 by jbanavatu@chromium.org, May 30 2017
Components: UI>Settings
Labels: M-60
Status: Untriaged (was: Unconfirmed)