Chrome does not seem to take GssapiNegotiateOnce into account

[noahboegli]

I have an issue with Google Chrome 86 (it happened on all the previous versions as well). When negotiate fails, it prompts the popup for credentials to the user, despite having the GssapiNegotiateOnce enabled. It works fine on Firefox.

The configuration for the problematic setup:

<Location /autologin>
                AuthType GSSAPI
                AuthName "Kerberos Autologin"
                GssapiCredStore keytab:/etc/httpd/conf/krb5.keytab
                GssapiAllowedMech krb5
                GssapiBasicAuth Off
                GssapiNegotiateOnce On
                Require valid-user
 </Location>

Thanks in advance.

[simo5]

GssapiNegotiateOnce changes mod_auth_gssapi beahvior to not send the WWW-Authenticate header on 401 response after a negotate attempt fails. If the browser still tries to do a negotiate anyway there isn't really much mod_auth_gssapi can do.

Can you check via developer tools that this behavior is happening, or do you see a WWW-Authenticate header being sent back even after a negotiate auth failed?

[noahboegli]

Thank you for the quick response.

When I access the /autologin location with an invalid (an expired one in this case), one request appears in the network console, at the same time as the credentials popup window appears

HTTP/1.1 401 Unauthorized
Date: Wed, 20 Oct 2021 13:36:31 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 PHP/7.4.18
WWW-Authenticate: Negotiate
X-Powered-By: PHP/7.4.18
Content-Length: 97
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

And then when I click cancel on the popup, another request containing the same response headers as the previous one, and then the 401 page appears.

Whereas, on firefox, only one request is made to /autologin and the 401 page appears immediately after the negotiation failed.

HTTP/1.1 401 Unauthorized
Date: Wed, 20 Oct 2021 13:41:33 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 PHP/7.4.18
WWW-Authenticate: Negotiate  [redacted base64 text]
X-Powered-By: PHP/7.4.18
Content-Length: 97
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[simo5]

Unfortunately this is browser behavior, we can only do so much from mod_auth_gssapi to influence how the browser behaves.
I suggest asking on Chrome/Chromium forums if there is any way to influence this behavior, and if ti can be done from the server (ragther than just via chrome/ium configuration, feel free to open an issue against this project to implement the workaround or tweak an existing one.

[noahboegli]

Alright, thanks for clarifying that it indeed does come from the browser.

Cheers