SPNEGO unavailability and error handling

Simon Lundström simlu at su.se
Fri Sep 27 08:50:48 EDT 2019

On Thu, 2019-09-26 at 22:50:59 +0200, Wessel, Keith wrote:
> […]
>2. Is there any easy way to get the IdP to simply display the IdP login page (fall through to the password authentication flow) if SPNEGO is unavailable? I know easy is relative, but I''m at a loss of any way to do it at all other than the activation conditions one can associate with the SPNEGO flow. For us, limiting to IP space is far from sufficient since we have so many devices not joined to the domain on our network.

We have a terrible hack via the mod_auth_gssapi Apache module for 
"whitelisted" browsers but it seems that when IE dies, as per my other 
mail in this thread to Daniel, we can discontinue it.

I have also "blacklisted" Chrome from SPNEGO so I can use it for testing 
the UserPassword flow without kdestroy/disabling SPNEGO in Chrome/other 
hacks. But don't tell anyone! ; P

- Simon

More information about the users mailing list