SPNEGO unavailability and error handling

Simon Lundström simlu at su.se
Mon Sep 30 01:43:01 EDT 2019

On Fri, 2019-09-27 at 14:46:14 +0200, Simon Lundström wrote:
>On Fri, 2019-09-27 at 08:24:49 +0200, Daniel Lutz wrote:
>>Wessel, Keith [26.09.19 22:50]:
>>> 1. The wiki is pretty clear about the potential negative user experience in Internet Explorer for users on devices not joined to the domain. It doesn't mention the user experience in other browsers, though. Does anyone know if other browsers simply report SPNEGO being unavailable and the IdP immediately displays the spnego-unavailable template?
>>Other browsers like Firefox, Chrome and Safari are not affected. They
>>just return an "Unauthorized" error to the IdP, so the IdP can handle
>>this cleanly. (I've just put a short note to the documentation in the
>>section "Configuration of an Activation Condition".)
>>I don't know if Edge is affected, I can't test this myself.
>Good news everyone!
>I forced one of my co-workers to test with both Edge, EdgeHTML-based,
>and Edge Chromium-based on a computer which is joined to our AD (which
>currently isn't cross-realmed with our KDC where the IDP "lives") and
>both of them tried NTLM and both failed with the ntlm.message message
>and no ugly popup à la IE.

Uh, scratch that. Edge and Edge Dev (the Chromium-based one) from a
non-AD-joined machine still show a User/Password dialog when pressing
the SPNEGO button.

/idp/profile/Authn/SPNEGO gives a:
WWW-Authenticate: Negotiate
but Edge still pops the prompt. When submitting a user and password it 
tries NTLM.

- Simon
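
Added example (not part of the original post and not Shibboleth IdP code): a way to tell, from the Authorization header a browser sends back after the "WWW-Authenticate: Negotiate" challenge, whether it fell back to NTLM as described above. The function names, labels and sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import struct

NTLM_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "no-token"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if tok.startswith(NTLM_SIG) and len(tok) >= 12:
        # Bytes 8..11: little-endian message type (1 negotiate, 3 authenticate).
        return "raw-ntlm-type%d" % struct.unpack_from("<I", tok, 8)[0]
    if len(tok) > 2 and tok[0] == 0x60:  # GSS-API InitialContextToken
        # Skip the DER length (short form, or 0x80|n followed by n bytes).
        body = 2 if tok[1] < 0x80 else 2 + (tok[1] & 0x7F)
        if tok.startswith(OID_KRB5, body):
            return "raw-kerberos"
        if tok.startswith(OID_SPNEGO, body):
            # Heuristic: an NTLM mechToken embeds the NTLMSSP signature verbatim.
            return "spnego-ntlm" if NTLM_SIG in tok else "spnego-non-ntlm"
    return "unknown"

def _tlv(tag, value):
    """Minimal DER TLV builder (short-form lengths only) for the samples."""
    return bytes([tag, len(value)]) + value

def constructed_samples():
    """Constructed header values; not captured from any real browser."""
    ntlm1 = NTLM_SIG + struct.pack("<II", 1, 0x00088207)
    wrapped = _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _tlv(0xA2, _tlv(0x04, ntlm1)))))
    empty = _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, b"")))
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode()
    return {"raw": enc(ntlm1), "wrapped": enc(wrapped), "empty": enc(empty)}

if __name__ == "__main__":
    for name, value in constructed_samples().items():
        print(name, "->", classify_negotiate(value))
```

Counting the "raw-ntlm" and "spnego-ntlm" results per user agent in front-end logs shows which clients hit the prompt-then-NTLM path instead of returning a Kerberos ticket.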
