Negotiate (Kerberos/NTLM) not supported in --headless mode
Reported by
j...@bluesky-it.ch,
Aug 14 2017
Issue description
Chrome Version : 60.0.3112.90 (with --headless option)
Other browsers tested:
Chrome: 60.0.3112.90 (without --headless option) OK
What steps will reproduce the problem?
(1) Be inside a Windows/Active Directory domain
(2) Get a standard Debian VM running, install google-chrome-stable and krb5-user
(3) Configure Kerberos in /etc/krb5.conf to match your AD domain (realm = uppercase domain, KDC = Domain controller)
(4) Configure the AuthSchemes and AuthServerWhitelist policies for your domain (based on https://www.chromium.org/administrators/linux-quick-start)
(5) Get a TGT from the KDC: kinit user@REALM
(6) Perform a request on a resource that requires Negotiate authentication against the AD domain: google-chrome-stable --headless --disable-gpu <protected resource>
What is the expected result?
- Chrome receives a 401 response with a Negotiate authentication challenge (WWW-Authenticate: Negotiate)
- As the Negotiate scheme is whitelisted for this domain, chrome proceeds with SPNEGO authentication
- The protected resource is displayed
What happens instead?
In GUI Chrome: works perfectly
In Headless Chrome:
- No new request is issued after the initial 401 response
- The page displayed is the server's 401 error page
- The following log appears:
[VERBOSE1:http_auth.cc(47)] Unable to create AuthHandler. Status: net::ERR_INVALID_RESPONSE Challenge: Negotiate
The use case for Negotiate in headless mode is for a CI server testing an Angular app, which uses a .NET backend served by IIS and protected by AD authentication over Negotiate/Kerberos. The idea would be to login non-interactively (kinit with keytab file) at the beginning of an e2e test run, and have chrome use these credentials when performing the backend calls.
Please let me know if any more information is needed, thanks.
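A helper for the reproduction steps in the report above, as an added example that is not part of the original report or of Chromium: it writes the two policies, checks for a ticket, and scans a `--enable-logging=stderr --v=1` log for the `Unable to create AuthHandler` line. The function names, the `negotiate.json` file name and the `example.test` domain are assumptions.

```shell
#!/bin/sh
# Added example; function names, file names and the sample domain are hypothetical.

# Write a managed-policy file enabling Negotiate for one AD DNS domain.
# On Debian, google-chrome-stable reads /etc/opt/chrome/policies/managed/*.json.
write_policy() {  # $1 = policy directory, $2 = domain, e.g. example.test
    mkdir -p "$1" || return 1
    cat > "$1/negotiate.json" <<EOF
{
  "AuthSchemes": "negotiate",
  "AuthServerWhitelist": "*.$2"
}
EOF
}

# True when the credential cache holds a valid ticket (klist -s prints nothing).
have_tgt() {
    klist -s
}

# The log line quoted in the report, used as sample input.
sample_log() {
    echo '[VERBOSE1:http_auth.cc(47)] Unable to create AuthHandler. Status: net::ERR_INVALID_RESPONSE Challenge: Negotiate'
}

# Scan a Chrome verbose log for rejected challenges.
# Prints "<scheme> <status>" per distinct failure; returns 1 when there is none.
rejected_schemes() {  # $1 = log file
    sed -n 's/.*Unable to create AuthHandler\. Status: \(net::[A-Z_]*\) Challenge: \([A-Za-z]*\).*/\2 \1/p' "$1" |
        sort -u | grep .
}

# CI check: 0 = no handler failure logged, 1 = failure logged, 2 = no ticket.
check_headless_negotiate() {  # $1 = protected URL, $2 = log file to write
    have_tgt || { echo "no Kerberos ticket; run kinit first" >&2; return 2; }
    google-chrome-stable --headless --disable-gpu \
        --enable-logging=stderr --v=1 "$1" 2> "$2"
    if rejected_schemes "$2"; then
        echo "auth handler was not created for the schemes listed above" >&2
        return 1
    fi
}
```

Running `check_headless_negotiate` once with `--headless` and once with a copy of the function that omits it gives a direct comparison of the two modes under the same ticket and policy.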
,
Aug 15 2017
A net-export log may be helpful: http://dev.chromium.org/for-testers/providing-network-details
,
Aug 15 2017
Attached: net-export log from a headless session.
,
Aug 16 2017
@TE-NeedsTriageHelp -- Requesting triage help from dev, as it is unable to triage from TE end. Thanks!
,
Aug 20 2017
Thanks, merging this issue into crbug/741872
Comment 1 by manoranj...@chromium.org, Aug 14 2017
Labels: Pri-2 Type-Bug