Re: IE 9 not sending digest auth info


The solution was unexpected. See below.

On Tue, 23 Aug 2011, Paul Heinlein wrote:

> I migrated our internal wiki server last week, and some IE users aren't able to authenticate.
>
> The service is hosted by Apache using Digest authentication. It migrated from Apache 2.2.9 (Debian 5) to Apache 2.2.15 (CentOS 6). The internal hostname for the wiki server is a DNS CNAME that was repointed from one host to another during the cutover.
>
> In a normal session,
>
> 1. Client sends GET
> 2. Server sends 401 with WWW-Authenticate header
> 3. Client sends GET with Authorization header
> 4. Server sends 200 with Authentication-Info header and page content
>
> When using IE 9 (and possibly 8, I'm still trying to track that down),
>
> 1. Client sends GET
> 2. Server sends 401 with WWW-Authenticate header
> 3. Client resends GET (*without* Authorization header)
> 4. Server sends 401 with WWW-Authenticate header
> 5. Etc.
>
> IE seems to be ignoring 401 and/or the WWW-Authenticate headers. Using Chrome on Windows works fine; the issues are specific to IE.
>
> Any ideas? My google-fu has failed me.

This vexed me for many months. Most of my colleagues didn't mind
running Chrome or Firefox, both of which worked fine, but those who
had IE set as their default browser had to copy/paste links in e-mail
messages rather than just click on them.

I was revisiting the problem again today as a result of working on a
Windows 8 system for the first time. (Yeccchhh.)

I followed an unpromising link from a Google query:

   http://serverfault.com/questions/389514/apache-without-any-error-page

One responder mentioned that IE sometimes "knows better than the
server" when it comes to error pages. Hmm. Since Apache was providing
a 401 Authorization Required response, I somewhat desperately
commented out the ErrorDocument 401 directive in httpd.conf.

And that did the trick, though not for the reasons mentioned by the
poster in the link above.

I'll note that our server was set up such that authentication was
required for the entire virtual host (including, of course, the
/error/ tree). The Apache HTML response seemed to indicate dueling 401
errors. Here's the curl output, reformatted for readability:

   <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html>
     <head>
       <title>401 Authorization Required</title>
     </head>
     <body>
       <h1>Authorization Required</h1>
       <p>
         This server could not verify that you
         are authorized to access the document
         requested.  Either you supplied the wrong
         credentials (e.g., bad password), or your
         browser doesn't understand how to supply
         the credentials required.
       </p>
       <p>
         Additionally, a 401 Authorization Required
         error was encountered while trying to use
         an ErrorDocument to handle the request.
       </p>
       <hr>
       <address>Apache/2.2.15 (CentOS) Server ...</address>
     </body>
   </html>

And here's the corresponding WWW-Authenticate header, edited:

   WWW-Authenticate:
      Digest realm="OUR REALM", nonce="qh...21",
      algorithm=MD5, domain="/", qop="auth",
      Digest realm="OUR REALM", nonce="qh...21",
      algorithm=MD5, domain="/", qop="auth"

Apache was sending the header with two copies of the key-value pairs, indicated by the "Additionally, a 401 ..." paragraph in the error reply. IE was the only browser that responded badly, so it was easy to look askance at Microsoft, but the problem is certainly more subtle than I originally imagined.

Once I commented out the ErrorDocument 401 directive, the second paragraph no longer showed up in curl output and the WWW-Authenticate header contained just one set of key-value pairs -- and IE worked fine.


--
Paul Heinlein
heinlein@xxxxxxxxxx
45°38' N, 122°6' W
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
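
A check for the symptom described in this message, as an added example that is not part of the original post: it parses WWW-Authenticate header values into challenges and reports any challenge that is repeated verbatim. The function names and the sample headers (modeled on the edited header above, with a placeholder nonce) are constructed for illustration.

```python
import re

# HTTP "token" characters; a challenge is: scheme, then comma-separated key=value params.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
ITEM = re.compile(
    r'\s*(?:(?P<key>' + TOKEN + r')\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|[^\s,]+)'
    r'|(?P<scheme>' + TOKEN + r'))\s*,?'
)

def parse_challenges(value):
    """Split one WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    for m in ITEM.finditer(value):
        if m.group("scheme"):
            # A bare token (no '=') starts a new challenge.
            challenges.append((m.group("scheme"), {}))
        elif challenges:
            val = m.group("val")
            if val.startswith('"'):
                # Strip the quotes and undo backslash escapes.
                val = re.sub(r'\\(.)', r'\1', val[1:-1])
            challenges[-1][1][m.group("key").lower()] = val
    return challenges

def duplicate_challenges(header_values):
    """Return challenges seen more than once across all header values.

    Several different challenges (e.g. Basic plus Digest) are legal; only an
    exact repeat (same scheme, same parameters, same nonce) is reported.
    """
    seen, dupes = set(), []
    for value in header_values:
        for scheme, params in parse_challenges(value):
            ident = (scheme.lower(), tuple(sorted(params.items())))
            if ident in seen:
                dupes.append((scheme, params))
            seen.add(ident)
    return dupes

# Constructed samples: the doubled header from the post, and the single-challenge form.
ONE = 'Digest realm="OUR REALM", nonce="PLACEHOLDER", algorithm=MD5, domain="/", qop="auth"'
BROKEN = ONE + ", " + ONE
FIXED = ONE

if __name__ == "__main__":
    for name, hdr in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "duplicates:", duplicate_challenges([hdr]))
```
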
