
Item15072: kerberos auth LdapContrib - Foswiki::LoginManager::KerberosLogin failing to initiate login process with Chrome 100+ and Firefox

Priority: Normal
Current State: New
Released In: n/a
Target Release: n/a
Applies To: Extension
Component:
Branches:
Reported By: MattGrant
Waiting For:
Last Change By: MichaelDaum
Hi!

The bug is this: the status setting in TemplateLogin->login() is overwriting the status => 401 from KerberosLogin->getUser() with 200, and preventing the start of the WWW-Authenticate: Negotiate browser handshake.

Difference between my patch being there is like a light switch - with it KerberosLogin works, without it just no logins as documented. (Both server and client have functioning Kerberos setups on the same domain for ssh, NFS, and Samba CIFS.)

Been trying all day to get LdapContrib kerberos login going with recent Google Chrome and Firefox on Linux Debian Bullseye. After setting AuthServerWhitelist and AuthServerDelegateWhitelist in Chrome policy the Linux browsers are failing to generate Authorization headers with tickets when presented with an HTTP status result code of 200 and a WWW-Authenticate: negotiate header... Did not find any accesses to /tmp/krb5cc_uid files in strace either; the browsers are not even trying.

The username check is just to make the patch a logical analogue of the logic in TemplateLogin->login(), where the initial HTML display generation status code of 200 overrides the 401 needed for the Kerberos login handshake from KerberosLogin->getUser(). From my Python website programming, I am quite aware that missing small details can mess up other things unintentionally, Web stacks are such an interdependent layer cake. Just don't want to mess up the form result processing from delegating to LdapTemplateLogin->login(), and from reading the comments on status code setting in (Ldap)TemplateLogin->login(), don't want to mess up the case where kerberos login is used with username/password login, and getting the password wrong.

-- MattGrant - 14 Mar 2022

Added patch that makes LdapContrib Foswiki::LoginManager::KerberosLogin work. The login() method has to add headers after calling (Ldap)TemplateLogin->login() to kick the browser to start Kerberos Auth negotiation.

-- MattGrant - 13 Mar 2022

This patch definitely is not correct. Please make sure that {LoginManager} is set to KerberosLogin.

I think a clarification of what kerberos-based single sign-on is doing is required, roughly:

  • browser requests server
  • server replies with 404 'WWW-Authenticate' => 'Negotiate'
  • if a kerberos env has been initialized by the user -> new browser request, this time with a HTTP Negotiate header containing the kerberos ticket
  • server processes kerberos ticket extracted from Negotiate header
    • if it is not a proper kerberos ticket -> FALLBACK to template login
    • server validates security context of kerberos ticket using its own keytab as provided by the identity provider (LDAP or Active Directory)
    • if valid -> extract username from kerberos ticket -> AUTHENTICATED
    • if invalid -> FALLBACK to template login
  • if no kerberos ticket is present at the user end -> new request to server -> FALLBACK to template login

Note that whenever you see the template login the kerberos handshake failed:
  • either there is no kerberos ticket within the environment running the browser (kinit missing)
  • or the foswiki server is not matching the kerberos ticket's domain
  • or the browser is not configured to present the kerberos ticket even though present in the env
  • or there is a proxy sitting in between the browser and the server
  • or the connection isn't secure (https)
  • or the keytab on the server side is invalid such as wrong encryption etc etc etc (most common reason)
  • or the foswiki server is not able to connect to the identity provider (network error)

Hope that clears the general picture. Your patch actually tries to reiterate kerberos login after template login has been reached as a fallback. This actually means kerberos login failed in the first place. If it didn't, no template login would be presented.

-- MichaelDaum - 14 Mar 2022
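The handshake described in the comment above, written out as a small Python model (an added example, not Foswiki or LdapContrib code; Python is used so it runs stand-alone, and `validate()` is a constructed stand-in for the keytab check). It classifies the Negotiate token by its GSS-API mechanism OID, issues the 401 challenge, falls back to the template login for anything that is not a Kerberos ticket, and shows why replacing the 401 with a 200 (the status override in the report) stops the browser from ever presenting its ticket.

```python
import base64
# DER-encoded GSS-API mechanism OIDs: SPNEGO (1.3.6.1.5.5.2) and Kerberos 5 (1.2.840.113554.1.2.2)
SPNEGO_OID = bytes.fromhex("2b0601050502")
KRB5_OID = bytes.fromhex("2a864886f712010202")
NTLM_SAMPLE = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()  # constructed NTLM token

def build_token(oid, payload):
    """Constructed initial-context token: 0x60 <len> 0x06 <oidlen> <oid> <payload>."""
    body = b"\x06" + bytes([len(oid)]) + oid + payload
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

def token_mechanism(token_b64):
    """Classify a Negotiate token as 'krb5', 'spnego', 'ntlm' or None (not a GSS token)."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return None
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if len(raw) < 4 or raw[0] != 0x60:
        return None
    i = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)  # skip short- or long-form DER length
    if i + 1 >= len(raw) or raw[i] != 0x06:
        return None
    return {SPNEGO_OID: "spnego", KRB5_OID: "krb5"}.get(raw[i + 2:i + 2 + raw[i + 1]])

def handle_request(headers, validate):
    """Server side -> (status, response headers, user); validate() stands in for the keytab check."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if not scheme:  # first contact: only a 401 makes the browser present its ticket
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    if scheme != "Negotiate" or token_mechanism(token) not in ("krb5", "spnego"):
        return 200, {"Content-Type": "text/html"}, None  # not a kerberos ticket: template login
    return 200, {"Content-Type": "text/html"}, validate(token)  # None here also means template login

def status_overwritten(headers, validate):
    """The reported defect: the 401 challenge is replaced by 200 while the header is kept."""
    status, resp, user = handle_request(headers, validate)
    return (200 if status == 401 else status), resp, user

def browser_will_send_ticket(status, resp):
    """Browser model: Negotiate starts only on a 401 carrying WWW-Authenticate: Negotiate."""
    challenges = [c.strip().lower() for c in resp.get("WWW-Authenticate", "").split(",")]
    return status == 401 and "negotiate" in challenges

def run_handshake(server, ticket, validate):
    """Drive one browser/server exchange; returns the authenticated user or None."""
    status, resp, user = server({}, validate)
    if user is None and ticket and browser_will_send_ticket(status, resp):
        _, _, user = server({"Authorization": "Negotiate " + ticket}, validate)
    return user
```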

Attachment: Foswiki-KerberosLogin.patch (737 bytes, 13 Mar 2022 - 04:45, MattGrant): Patch for KerberosLogin from LdapContrib to make it work on Foswiki 2.1.7
Topic revision: r4 - 14 Mar 2022, MichaelDaum