Password prompt when only Negotiate/kerberos is available
Reported by
48151623...@gmail.com,
Jul 12 2017
|
|||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0 Steps to reproduce the problem: 1. Open an internal site using GSSAPI that you do not have access to 2. Get prompted for username and password What is the expected behavior? To simply be shown the access denied page What went wrong? Browser prompted for a username and password, where none can be used Did this work before? No Chrome version: 59.0.3071.115 Channel: stable OS Version: 2016 Flash Version: See Issue 504381
,
Jul 12 2017
,
Jul 12 2017
This one is interesting. We currently don't have a way to disable prompting for Negotiate. It's almost always going to use NTLM under the hood and is probably not what folks wanted to use in the first place.
,
Aug 8 2017
We're facing the same issue. The popup was shown also to user outside our organization, as such we are removing the WWW-Authenticate header for outside customers. If you can specify an IP, I should be able to arrange a test (via exception).
,
Aug 28 2017
I don't have any websites handy exposed to the internet with negotiate:kerberos the only acceptable method, and nobody really ought to have that either. But it should be trivial enough to set up a lab environment with a vm hosting a full stack with AD and IIS. If you are unable to set one up in your lab, let me know and I will see if I can set up a dummy box for you, somewhere. It seems that IE has the same bug, btw.. only firefox correctly handles this scenario and does not prompt for a username/password. Sorry about my belated response, but I don't use gmail, so I never saw the question.
,
Aug 28 2017
Some additional information: Our servers do not allow NTLM auth, only kerberos. We have an IIS webfarm set up to only allow windows authentication with the Negotiate:Kerberos provider as the only option. We also have kernel mode disabled and run the website under a custom application pool, running under a dedicated domain user account, that has an SPN http/service.example.com registered in AD.
,
Aug 28 2017
I have changed my google account to use my actual email rather than my defunct gmail box.
,
Sep 11 2017
Yeah, the problem here is that the initial negotiate challenge from the server doesn't indicate which mechanisms are supported. There's no token. So the UA has to optimistically build a negotiate message using whichever credentials are available locally. If the UA is on a Windows machine, then Chrome will try to use explicit credentials with whichever mechanism the OS is willing to use with the server, which is almost always NTLM in this scenario. Of course that's ultimately not going to work since the server only accepts GSSAPI/Kerberos. In the netlog in #0, I see an attempt at an authentication handshake using ambient or cached credentials. Can you comment on which it was?
,
Sep 11 2017
,
Sep 25 2017
reporter: Can you answer the question in comment 9?
,
Oct 11 2017
Archiving bug due to lack of response from the bug creator. 4815162342.mn@, please create a new bug if you have further updates. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ligim...@chromium.org
, Jul 12 2017Labels: Needs-Triage-M59