Issue 130512 in chromium: Chrome ignoring Negotiate and falling back to Basic authentication (kerberos)


chro...@googlecode.com

May 31, 2012, 7:39:50 AM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: OS-Linux Area-Undefined Type-Bug Pri-2

New issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate and
falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

Chrome Version: 19.0.1084.52 (Official Build 138391)
OS Version: Linux (CentOS 6.2)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 10.x: OK
IE 7/8/9:
Chrome on Windows: OK

What steps will reproduce the problem?
1. Launch Chrome with:
google-chrome --proxy-pac-url=http://[company proxy]
--auth-server-whitelist="*" --auto-negotiate-delegate-whitelist="*"
2. Open up a non-Windows IIS website supporting kerberos authentication


What is the expected result?
Chrome uses Negotiate authentication for single sign on

What happens instead?
Chrome uses Basic authentication and pops up a username/password box.

Please provide any additional information below. Attach a screenshot if
possible.

Alternative startup parameters tested (with Quest VAS library):

google-chrome --proxy-pac-url=http://[company proxy]
--gssapi-library-name=/path/to/libvas-gssapi.so
--disable-auth-negotiate-cname-lookup --auth-server-whitelist="*"
--auto-negotiate-delegate-whitelist="*"

Forcing --auth-schemes="negotiate" works with IIS/KRB5 websites - logon is
automatic.

The same against an Apache/Quest-VAS/KRB5 website produces an error. Quest
support have checked our setup and found no errors.

Log output:

The server http://[servername]/ requested auth
Has header WWW-Authenticate: Negotiate
Has header WWW-Authenticate: Basic realm="IT Trac - VAS Basic Fallback"

VERBOSE1:http_auth.cc(44)] Unable to create AuthHandler. Status:
net::ERR_INVALID_RESPONSE Challenge: Negotiate

To summarize:
Firefox (Win/Linux) negotiates with IIS/Apache
Chrome (Win) negotiates with IIS/Apache
Chrome (Linux) only negotiates with IIS.




chro...@googlecode.com

Jun 1, 2012, 8:47:43 PM
to chromi...@chromium.org
Updates:
Status: Untriaged

Comment #2 on issue 130512 by cben...@chromium.org: Chrome ignoring
Negotiate and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

(No comment was entered for this change.)

chro...@googlecode.com

Jun 12, 2012, 7:22:37 AM
to chromi...@chromium.org

Comment #4 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

We're only using IPv4 on site.

chro...@googlecode.com

Jun 12, 2012, 2:23:10 PM
to chromi...@chromium.org

Comment #5 on issue 130512 by cben...@chromium.org: Chrome ignoring
Negotiate and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

Given that this is ERR_INVALID_RESPONSE at that stage in http_auth.cc, it
is likely due to issues dlopen'ing/dlsym'ing libvas-gssapi.so

However, you mentioned that this authenticated to IIS sites. Did that work
when you specified --gssapi-library or without it?

Did you see "Unable to find a compatible GSSAPI library" in the log output?

chro...@googlecode.com

Jun 13, 2012, 5:05:40 AM
to chromi...@chromium.org

Comment #6 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

Against an IIS/krb5 site

Using: (no gssapi library specified, and forcing auth to negotiate)

google-chrome --proxy-pac-url=http://wpad/wpad.dat
--auth-schemes="negotiate" --disable-auth-negotiate-cname-lookup
--auth-server-whitelist="*" --auto-negotiate-delegate-whitelist="*"
--enable-logging --v=1

1. kdestroy
klist (no credentials cache found)
google-chrome (with above flags) to IIS http://[servername]

Result: Fail
("You are not authorized to view this page")

Log:
7758:7786:1095563707531:VERBOSE1:http_auth_controller.cc(256)] The server
http://[servername]/ requested auth
Has header WWW-Authenticate: Negotiate
Has header WWW-Authenticate: NTLM
[7758:7786:1095563707745:VERBOSE1:http_auth.cc(44)] Unable to create
AuthHandler. Status: net::ERR_UNSUPPORTED_AUTH_SCHEME Challenge: NTLM
[7758:7786:1095563708021:VERBOSE1:http_auth_gssapi_posix.cc(766)]
import_name returned 0x0
[7758:7786:1095563714313:VERBOSE1:http_auth_gssapi_posix.cc(793)]
init_sec_context returned 0xd0000
[7758:7786:1095563714380:ERROR:http_auth_gssapi_posix.cc(896)] Problem
initializing context.
Major: (0x000D0000) Unspecified GSS failure. Minor code may provide more
information | Minor: (0x96C73AC3) Credentials cache file '/tmp/krb5cc_2351'
not found
Unable to describe context 0x(nil), Major: (0x01080000) A required input
parameter could not be read No context has been established | Minor:
(0x00000000) Unknown error

2. kdestroy
klist (no credentials cache found)
kinit - with password
klist (Service principal krbtgt/...etc)
google-chrome (with above flags) to IIS http://[servername]

Result: Success (automatically logs in)
(klist shows correct krbtgt/ and http/ tickets)

Log:
[9535:9566:1095892102902:VERBOSE1:http_auth_controller.cc(256)] The server
http://changegear/ requested auth
Has header WWW-Authenticate: Negotiate
Has header WWW-Authenticate: NTLM
[9535:9566:1095892102968:VERBOSE1:http_auth.cc(44)] Unable to create
AuthHandler. Status: net::ERR_UNSUPPORTED_AUTH_SCHEME Challenge: NTLM
[9535:9566:1095892103184:VERBOSE1:http_auth_gssapi_posix.cc(766)]
import_name returned 0x0
[9535:9566:1095892108702:VERBOSE1:http_auth_gssapi_posix.cc(793)]
init_sec_context returned 0x0







chro...@googlecode.com

Jun 13, 2012, 5:07:40 AM
to chromi...@chromium.org

Comment #7 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

Against an IIS/krb5 site

Using: (no gssapi library specified, and forcing auth to negotiate)

google-chrome --proxy-pac-url=http://wpad/wpad.dat
--auth-schemes="negotiate" --disable-auth-negotiate-cname-lookup
--auth-server-whitelist="*" --auto-negotiate-delegate-whitelist="*"
--enable-logging --v=1

1. kdestroy
klist (no credentials cache found)
google-chrome (with above flags) to IIS http://[servername]

Result: Fail ("You are not authorized to view this page")
(klist shows no extra tickets)

chro...@googlecode.com

Jun 13, 2012, 5:16:23 AM
to chromi...@chromium.org

Comment #8 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

Against an Apache/krb5 site

Using: (no gssapi library specified, and forcing auth to negotiate)

google-chrome --proxy-pac-url=http://wpad/wpad.dat
--auth-schemes="negotiate" --disable-auth-negotiate-cname-lookup
--auth-server-whitelist="*" --auto-negotiate-delegate-whitelist="*"
--enable-logging --v=1

1. kdestroy
klist (no credentials cache found)
google-chrome (with above flags) to Apache http://[servername2]

Result: Fail ("Authorization Required / This server could not verify that
you are authorized to access the document requested. Either you supplied
the wrong credentials (e.g., bad password), or your browser doesn't
understand how to supply the credentials required.")
(klist shows no tickets)

Log:
[11053:11077:1096168536302:VERBOSE1:http_auth_controller.cc(256)] The
server http://[servername2]/ requested auth
Has header WWW-Authenticate: Negotiate
Has header WWW-Authenticate: Basic realm="IT Trac - VAS Basic Fallback"
[11053:11077:1096168539454:VERBOSE1:http_auth.cc(44)] Unable to create
AuthHandler. Status: net::ERR_UNSUPPORTED_AUTH_SCHEME Challenge: Basic
realm="IT Trac - VAS Basic Fallback"
[11053:11077:1096168539985:VERBOSE1:http_auth_gssapi_posix.cc(766)]
import_name returned 0x0
[11053:11077:1096168542683:VERBOSE1:http_auth_gssapi_posix.cc(793)]
init_sec_context returned 0xd0000
[11053:11077:1096168542748:ERROR:http_auth_gssapi_posix.cc(896)] Problem
initializing context.
Major: (0x000D0000) Unspecified GSS failure. Minor code may provide more
information | Minor: (0x96C73AC3) Credentials cache file '/tmp/krb5cc_2351'
not found
Unable to describe context 0x(nil), Major: (0x01080000) A required input
parameter could not be read No context has been established | Minor:
(0x00000000) Unknown error

2. kdestroy
klist (no credentials cache found)
kinit - with password
klist (single service principal krbtgt/... etc)
google-chrome (with above flags) to Apache http://[servername2]

Result: Fail ("Authorization Required / This server could not verify that
you are authorized to access the document requested. Either you supplied
the wrong credentials (e.g., bad password), or your browser doesn't
understand how to supply the credentials required.")
(klist shows only existing krbtgt/ principal and one new http/ ticket but
missing krbtgt/[servername2 domain] entry)

Log:
[12116:12140:1096361584190:VERBOSE1:http_auth_controller.cc(256)] The
server http://[servername2]/ requested auth
Has header WWW-Authenticate: Negotiate
Has header WWW-Authenticate: Basic realm="IT Trac - VAS Basic Fallback"
[12116:12140:1096361586817:VERBOSE1:http_auth.cc(44)] Unable to create
AuthHandler. Status: net::ERR_UNSUPPORTED_AUTH_SCHEME Challenge: Basic
realm="IT Trac - VAS Basic Fallback"
[12116:12140:1096361587502:VERBOSE1:http_auth_gssapi_posix.cc(766)]
import_name returned 0x0
[12116:12140:1096361607002:VERBOSE1:http_auth_gssapi_posix.cc(793)]
init_sec_context returned 0x0
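
The `init_sec_context returned 0xd0000` and `Major: (0x01080000)` values in the logs of comments #6 and #8 are GSS-API major status words. The following is an added example, not part of the thread and not Chromium code: it decodes them with the RFC 2744 bit layout and classifies one attempt from its log lines. `decode_major`, `triage`, the result keys and the finding strings are hypothetical names, and the sample input is excerpted from the logs quoted above.

```python
import re

# GSS-API major status layout (RFC 2744): bits 24-31 calling error,
# bits 16-23 routine error, bits 0-15 supplementary flags.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE = dict(enumerate((
    "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE", "GSS_S_BAD_BINDINGS",
    "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT",
    "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
    "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE",
    "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED", "GSS_S_UNAVAILABLE",
    "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN"), start=1))
SUPPLEMENTARY = ("GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN")

def decode_major(status):
    """Split a GSS-API major status word into its symbolic names."""
    names = []
    calling, routine = (status >> 24) & 0xFF, (status >> 16) & 0xFF
    if calling:
        names.append(CALLING.get(calling, "calling error %d" % calling))
    if routine:
        names.append(ROUTINE.get(routine, "routine error %d" % routine))
    names += [n for bit, n in enumerate(SUPPLEMENTARY) if status & (1 << bit)]
    return names or ["GSS_S_COMPLETE"]

CALL_RE = re.compile(r"(import_name|init_sec_context) returned (0x[0-9a-fA-F]+)")
SCHEME_RE = re.compile(r"Has header WWW-Authenticate: (\w+)")

def triage(log_text):
    """Classify one auth attempt; assumes the --v=1 log shape quoted in the thread."""
    text = " ".join(log_text.split())  # undo the mail client's line wrapping
    calls = {fn: decode_major(int(code, 16)) for fn, code in CALL_RE.findall(text)}
    isc = calls.get("init_sec_context")
    if isc is None:
        finding = "GSSAPI never called"
    elif isc == ["GSS_S_COMPLETE"]:
        finding = "client produced a token"
    elif re.search(r"Credentials cache file '[^']*' not found", text):
        finding = "no ticket cache"
    else:
        finding = "client-side GSSAPI error"
    return {"offered": SCHEME_RE.findall(text), "calls": calls, "finding": finding}

# Excerpts from the logs quoted above: before kinit, then after kinit.
NO_TICKET = ("Has header WWW-Authenticate: Negotiate\nHas header WWW-Authenticate: Basic\n"
             "init_sec_context returned 0xd0000\nCredentials cache file '/tmp/krb5cc_2351'\nnot found")
WITH_TICKET = "Has header WWW-Authenticate: Negotiate\ninit_sec_context returned 0x0"
```

A successful `init_sec_context` followed by a failed login, as in case 2 against the Apache server, means the client did its part and the server's handling of the token is the next thing to check.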



chro...@googlecode.com

Jun 13, 2012, 5:40:59 AM
to chromi...@chromium.org

Comment #9 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
(klist shows existing krbtgt/ principal and one new http/ ticket for
[servername2] but fails to authenticate)

chro...@googlecode.com

Jun 13, 2012, 5:43:59 AM
to chromi...@chromium.org

Comment #10 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

In every case (2) I get the krbtgt/ for the domain in question and also an
http/ ticket based on the cname of the webserver involved, however all the
Apache/linux servers tested still fail to authenticate and fall back
to 'basic'

chro...@googlecode.com

Jun 28, 2012, 6:54:57 AM
to chromi...@chromium.org

Comment #11 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

Behaviour still seen in Chrome v20.0.1132.43

chro...@googlecode.com

Jul 6, 2012, 12:06:00 PM
to chromi...@chromium.org

Comment #12 on issue 130512 by csc4...@gmail.com: Chrome ignoring Negotiate
and falling back to Basic authentication (kerberos)
http://code.google.com/p/chromium/issues/detail?id=130512

Having removed the Quest-VAS authentication from the website and using a
standard Apache/Kerberos config, viz:

<location "/trac/login">
#AuthType VAS
#AuthName "VAS Basic Fallback"
#Require unix-group software
#AuthVasUseBasic on
#AuthVasRemoteUserMap local
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms XXX.YYY.ZZZ
require valid-user
Krb5KeyTab /etc/httpd/conf/httpd.keytab
</Location>

I am now able to login using Chrome on both Linux and Windows.

Therefore as the bug appears to be in the VAS library and not Chrome I'm
happy for this case to be closed as NOTABUG.

Thanks
