SPNEGO unavailability and error handling
Simon Lundström
simlu at su.se
Mon Sep 30 01:43:01 EDT 2019
On Fri, 2019-09-27 at 14:46:14 +0200, Simon Lundström wrote:
>On Fri, 2019-09-27 at 08:24:49 +0200, Daniel Lutz wrote:
>>Wessel, Keith [26.09.19 22:50]:
>>> 1. The wiki is pretty clear about the potential negative user experience in Internet Explorer for users on devices not joined to the domain. It doesn't mention the user experience in other browsers, though. Does anyone know if other browsers simply report SPNEGO being unavailable and the IdP immediately displays the spnego-unavailable template?
>>
>>Other browsers like Firefox, Chrome and Safari are not affected. They
>>just return an "Unauthorized" error to the IdP, so the IdP can handle
>>this cleanly. (I've just put a short note to the documentation in the
>>section "Configuration of an Activation Condition".)
>>
>>I don't know if Edge is affected, I can't test this myself.
>
>Good news everyone!
>
>I forced one of my co-workers to test with both Edge, EdgeHTML-based,
>and Edge Chromium-base on a computer which is joined to our AD (which
>currently isn't cross-realmed with our KDC where the IDP "lives") and
>both of them tried NTLM and both failed with the ntlm.message message
>and no ugly popup ala IE.
Uh, scratch that. Edge and Edge Dev (the Chromium-based one) from a
non-AD joined machine still shows a User/Password dialog when pressing
the SPNEGO button.
/idp/profile/Authn/SPNEGO gives a:
WWW-Authenticate: Negotiate
but Edge still pops the prompt. When submitting a user and password it
tries NTLM.
BR,
- Simon
More information about the users
mailing list