SPNEGO unavailability and error handling

Simon Lundström simlu at su.se
Fri Sep 27 08:46:14 EDT 2019

On Fri, 2019-09-27 at 08:24:49 +0200, Daniel Lutz wrote:
>Wessel, Keith [26.09.19 22:50]:
>> 1. The wiki is pretty clear about the potential negative user experience in Internet Explorer for users on devices not joined to the domain. It doesn't mention the user experience in other browsers, though. Does anyone know if other browsers simply report SPNEGO being unavailable and the IdP immediately displays the spnego-unavailable template?
>Other browsers like Firefox, Chrome and Safari are not affected. They
>just return an "Unauthorized" error to the IdP, so the IdP can handle
>this cleanly. (I've just put a short note to the documentation in the
>section "Configuration of an Activation Condition".)
>I don't know if Edge is affected, I can't test this myself.

Good news everyone!

I forced one of my co-workers to test with both Edge, EdgeHTML-based,
and Edge Chromium-based on a computer which is joined to our AD (which
currently isn't cross-realmed with our KDC where the IDP "lives") and
both of them tried NTLM and both failed with the ntlm.message message
and no ugly popup à la IE.

So I, for one, welcome our new IE-less future.

- Simon


Simon Lundström
Section for Infrastructure

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden
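
Added example, not part of the original message and not the IdP's own code: the thread distinguishes browsers that answer the Negotiate challenge with NTLM from those that send nothing usable, and the sketch below shows how that difference is visible in the first bytes of the `Authorization` header. The function name and the sample headers are assumptions constructed for illustration.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                  # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2


def classify_authorization(header):
    """Classify the Authorization header sent after a 401 Negotiate challenge."""
    if not header:
        return "absent"            # browser did not answer the challenge
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if not raw:
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"              # raw NTLM fallback, no Kerberos ticket
    if raw[0] == 0x60 and len(raw) > 2:   # GSS-API InitialContextToken
        # Skip the DER length: short form is 1 byte, long form is 1 + n bytes.
        offset = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
        if raw[offset:].startswith(SPNEGO_OID):
            return "spnego"        # inner mechanism is not inspected here
        if raw[offset:].startswith(KRB5_OID):
            return "kerberos"
    return "unknown"


def constructed_samples():
    """Constructed headers for illustration; none is captured traffic."""
    ntlm = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(24)
    spnego = b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x03\x30\x01\x00"
    enc = lambda b: "Negotiate " + base64.b64encode(b).decode("ascii")
    return {"ntlm": enc(ntlm), "spnego": enc(spnego), "absent": None,
            "malformed": "Negotiate %%%not-base64%%%"}


if __name__ == "__main__":
    for expected, header in constructed_samples().items():
        print(expected, "->", classify_authorization(header))
```

A result of `spnego` only identifies the outer wrapper; the mechanism list inside it can still offer NTLM, so a deployment that must tell the two apart has to parse the inner NegTokenInit as well.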

