New configuration with Negotiate module, asking for basic authentication

mweber.subscriptions01

Sep 14, 2016, 10:10:08 PM
to SimpleSAMLphp
I've recently installed SimpleSAMLPHP 1.14.8 and have configured the LDAP authentication module, and it's functioning perfectly. However, the end goal was to have SSO/SPNEGO against our Active Directory, and that requires the Negotiate module.

I've configured everything I needed for the Negotiate module, and even solved a few configuration issues along the way from leaving out values like "hostname" and "base" (I didn't want it to fail over to LDAP and make me think it actually worked, so I left them out deliberately), which hard-failed the testing of the authentication source.  So, I put them in, and the errors are gone.

The problem I have now is that when I attempt to test the configured Negotiate module authentication source from the simplesamlphp test page, the first thing I get is a basic authentication prompt, which never succeeds, and if I cancel, it falls back to LDAP, which works.

I would think that I should never see the basic authentication dialog, and if I'm not at a domain-authenticated workstation, I would see the LDAP authentication page.  Am I right with this one?

Also, I've checked that all the Kerberos pieces on the server function correctly, and they do.

I've turned on debugging, but I'm not seeing anything in the debug file that sticks out as a problem.

Does anyone have any ideas or know of anything painfully obvious that I may have missed?

Here's my debug file (sanitized a bit):

Sep 14 22:04:11 simplesamlphp DEBUG [27c577a69d] Session: 'WAI-KRB' not valid because we are not authenticated.
Sep 14 22:04:11 simplesamlphp DEBUG [27c577a69d] Negotiate - authenticate(): looking for Negotate
Sep 14 22:04:11 simplesamlphp DEBUG [27c577a69d] Negotiate - authenticate(): Sending Negotiate.
Sep 14 22:04:12 simplesamlphp DEBUG [27c577a69d] Negotiate - fallback: WAI-LDAP
Sep 14 22:04:12 simplesamlphp DEBUG [27c577a69d] Saved state: '_48e22b05c2db3bb8ce31dde3b0d035a527e2169423:https://domain2.domain1.tld/simplesamlphp/module.php/core/as_login.php?AuthId=WAI-KRB&ReturnTo=https%3A%2F%2Fdomain2.domain1.tld%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DWAI-KRB'
Sep 14 22:04:12 simplesamlphp DEBUG [27c577a69d] Session: 'WAI-KRB' not valid because we are not authenticated.
Sep 14 22:04:12 simplesamlphp DEBUG [27c577a69d] Negotiate - authenticate(): looking for Negotate
Sep 14 22:04:12 simplesamlphp DEBUG [27c577a69d] Negotiate - authenticate(): Sending Negotiate.
Sep 14 22:04:12 simplesamlphp DEBUG [27c577a69d] Negotiate - fallback: WAI-LDAP
Sep 14 22:04:12 simplesamlphp DEBUG [27c577a69d] Saved state: '_dd3103829e4a8153c6c3c64bd5e7d10bb4117108ff:https://domain2.domain1.tld/simplesamlphp/module.php/core/as_login.php?AuthId=WAI-KRB&ReturnTo=https%3A%2F%2Fdomain2.domain1.tld%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DWAI-KRB'
Sep 14 22:04:19 simplesamlphp DEBUG [27c577a69d] Session: 'WAI-KRB' not valid because we are not authenticated.
Sep 14 22:04:19 simplesamlphp DEBUG [27c577a69d] Negotiate - authenticate(): looking for Negotate
Sep 14 22:04:19 simplesamlphp DEBUG [27c577a69d] Negotiate - authenticate(): Sending Negotiate.
Sep 14 22:04:19 simplesamlphp DEBUG [27c577a69d] Negotiate - fallback: WAI-LDAP
Sep 14 22:04:19 simplesamlphp DEBUG [27c577a69d] Saved state: '_262cc68aa48f3ab4eab36cf2937ec74258050f24a6:https://domain2.domain1.tld/simplesamlphp/module.php/core/as_login.php?AuthId=WAI-KRB&ReturnTo=https%3A%2F%2Fdomain2.domain1.tld%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DWAI-KRB'
Sep 14 22:04:21 simplesamlphp DEBUG [27c577a69d] backend - fallback: WAI-LDAP
Sep 14 22:04:21 simplesamlphp DEBUG [27c577a69d] Saved state: '_262cc68aa48f3ab4eab36cf2937ec74258050f24a6:https://domain2.domain1.tld/simplesamlphp/module.php/core/as_login.php?AuthId=WAI-KRB&ReturnTo=https%3A%2F%2Fdomain2.domain1.tld%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DWAI-KRB'
Sep 14 22:04:21 simplesamlphp DEBUG [27c577a69d] Loading state: '_262cc68aa48f3ab4eab36cf2937ec74258050f24a6:https://domain2.domain1.tld/simplesamlphp/module.php/core/as_login.php?AuthId=WAI-KRB&ReturnTo=https%3A%2F%2Fdomain2.domain1.tld%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DWAI-KRB'
Sep 14 22:04:21 simplesamlphp DEBUG [27c577a69d] Template: Reading [/Volumes/WAIDisk0/Library/Server/Web/Data/Sites/simplesamlphp/dictionaries/login]
Sep 14 22:04:22 simplesamlphp DEBUG [27c577a69d] Loading state: '_262cc68aa48f3ab4eab36cf2937ec74258050f24a6:https://domain2.domain1.tld/simplesamlphp/module.php/core/as_login.php?AuthId=WAI-KRB&ReturnTo=https%3A%2F%2Fdomain2.domain1.tld%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3DWAI-KRB'

Jaime Perez Crespo

Sep 15, 2016, 5:14:41 AM
to simple...@googlegroups.com
Hi,

You are using Internet Explorer, right? If that’s the case, I’d say it’s IE’s fault. That’s a known (bogus) behaviour of IE when it is not configured to use SPNEGO or it fails, so that it falls back to NTLM authentication even when that is disabled and will never work. So if you configure your browser to use kerberos authentication and it works, then login is automatic, but if you don’t have it properly configured or SPNEGO fails for some reason, then you’ll get a wonderful basic authentication popup window that won’t ever work.
> --
> You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at https://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/d/optout.

--
Jaime Pérez
UNINETT / Feide

Michael A Weber

Sep 15, 2016, 9:28:53 AM
to simple...@googlegroups.com
Yes, I’ve tried with IE, Chrome, Edge, and Firefox.

IE, Edge, and Chrome all fail the same way: basic auth prompt that never works.

Firefox just fails over to LDAP.

Any hints or ideas?

Mike

Garry Booth

Sep 15, 2016, 9:39:57 AM
to simple...@googlegroups.com
Hi

We had the same problem. I think we resolved it (for varying values of “resolved”), by making sure our IdP was listed in Local Intranet Zone rather than Trusted Sites, in the IE security settings.
hth

regards
Garry

Peter Schober

Sep 15, 2016, 12:48:19 PM
to simple...@googlegroups.com
* Garry Booth <G.B...@lboro.ac.uk> [2016-09-15 15:39]:
> We had the same problem. I think we resolved it (for varying values
> of “resolved”), by making sure our IdP was listed in Local Intranet
> Zone rather than Trusted Sites, in the IE security settings.

Well, that's always necessary for negotiate to work (except for
Safari). Cf. that (very) old wiki page for details for each browser:
https://wiki.shibboleth.net/confluence/display/SHIB2/Single+sign-on+Browser+configuration
A quick web search should get you (more) current instructions.
-peter

Nate Klingenstein

Sep 15, 2016, 8:58:29 PM
to simple...@googlegroups.com
Is there really a practical way to use SPNEGO in a large-scale
university environment?

I'm staring at instructions asking users to go to about:config in
Firefox and invincible basic auth boxes in IE. The fallback behavior
is a protocol from Windows NT that Microsoft called on people to
abandon in 2006. I have 500,000 users scattered over 25 IdP's that
are, at best, loosely coordinated.

https://blogs.technet.microsoft.com/authentication/2006/04/07/ntlms-time-has-passed/

Michael A Weber

Sep 15, 2016, 9:15:00 PM
to simple...@googlegroups.com
Garry—

Yeah, unfortunately, I’ve tried that one, too, on different machines, and different versions of IE. And, it’s secured via SSL, and still no love.

Thanks, though. Hopefully there will be other ideas!

Mike

Michael A Weber

Sep 15, 2016, 9:17:24 PM
to simple...@googlegroups.com
Peter—

Yep…  been over that page as well.

I’ve been googling my face off, with no additional ideas.  I tend to use resources like the forums as a last resort.

Any other ideas?

Mike

Michael A Weber

Sep 15, 2016, 9:20:27 PM
to simple...@googlegroups.com

Well, in your situation, probably not. However, I’m not doing this for a large-scale university environment. It’s a small business with not a lot of administrative support (by me, of course), and I’m trying to keep it that way, but every additional tool brings on more administrative headache which I would like to minimize.

However, SAML in your situation is an excellent addition, I’m sure!

Mike

Peter Schober

Sep 16, 2016, 7:31:01 AM
to simple...@googlegroups.com
* Nate Klingenstein <n...@sudonym.me> [2016-09-16 02:58]:
> Is there really a practical way to use SPNEGO in a large-scale
> university environment? [...]
> I'm staring at instructions asking users to go to about:config in
> Firefox and invincible basic auth boxes in IE.

There are certain tricks to detect whether negotiate will likely work
that allow to offer negotiate only when it's likely to work, the Shib
wiki documents a few of those:
https://wiki.shibboleth.net/confluence/display/IDP30/SPNEGOAuthnConfiguration

I guess whether that's doable at least partly depends on the attitude
and capabilities wrt "managed workstations", i.e., rolling out config
changes automagically.

For Firefox you'll probably roll your own ESR-based release including
whatever config changes you want
https://www.mozilla.org/en-US/firefox/organizations/faq/
and M$ desktops are often already remotely managed to some degree.

-peter

Michael A Weber

Sep 24, 2016, 5:30:55 PM
to simple...@googlegroups.com
Jaime—

I’ve been doing some digging around this issue as I really would like to get it working, and I’m still beating my head against the wall.

On the IdP server, which is also the SP, I’ve tested my Kerberos config with kinit using the correct keytab file, and it is successful (sanitized):

sudo kinit -V -k -t /etc/<filename>.keytab HTTP/host.domain2.domain1.tld
Password:
Using existing cache: <cache_id>
Using keytab: /etc/<filename>.keytab
Authenticated to Kerberos v5

I checked via klist that I have my TGT, and I do:

klist
Ticket cache: KCM:<cache_id>

Valid starting       Expires              Service principal
09/24/2016 14:08:14  09/25/2016 00:08:14  krbtgt/DOMAIN2.D...@DOMAIN2.DOMAIN1.TLD
renew until 10/01/2016 14:08:14

I have debugging enabled, and in my debug file, I have the following again (and, again, sanitized):

Sep 24 14:16:47 simplesamlphp DEBUG [bd9c1231e7] Session: 'WAI-KRB' not valid because we are not authenticated.
Sep 24 14:16:47 simplesamlphp DEBUG [bd9c1231e7] Negotiate - authenticate(): looking for Negotate
Sep 24 14:16:47 simplesamlphp DEBUG [bd9c1231e7] Negotiate - authenticate(): Sending Negotiate.
Sep 24 14:16:47 simplesamlphp DEBUG [bd9c1231e7] Negotiate - fallback: WAI-LDAP

Using Firefox on a domain-authenticated workstation, I checked the console and found the following (sanitized, of course):

GET 

Response Headers
Connection Keep-Alive
Content-Length 126
Content-Type text/html
Date Sat, 24 Sep 2016 18:45:18 GMT
Keep-Alive timeout=5, max=100
MS-Author-Via DAV
Server Apache
WWW-Authenticate Negotiate
X-Powered-By PHP/5.5.36

Request Headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Connection keep-alive
Cookie PHPSESSID=d6bc098c4076b62445a0b71ff78aa935
Host host.domain2.domain1.tld
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0

GET 

Response Headers
Connection Keep-Alive
Content-Length 126
Content-Type text/html
Date Sat, 24 Sep 2016 18:45:18 GMT
Keep-Alive timeout=5, max=99
MS-Author-Via DAV
Server Apache
WWW-Authenticate Negotiate
X-Powered-By PHP/5.5.36

Request Headers
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate, br
Accept-Language en-US,en;q=0.5
Authorization Negotiate YIIGhgYGKwYBBQUCoIIGejCCBnagMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBkAEggY8YIIGOAYJKoZIhvcSAQICAQBuggYnMIIGI6ADAgEFoQMCAQ6iBwMFACAAAACjggSrYYIEpzCCBKOgAwIBBaEZGxdJTlQuV0VCRVJBVVRPTU9USVZFLkNPTaIzMDGgAwIBAqEqMCgbBEhUVFAbIGludHJhbmV0LmludC53ZWJlcmF1dG9tb3RpdmUuY29to4IESjCCBEagAwIBEqEDAgEBooIEOASCBDQV6LCY53smRNMDfdjbgMlT02+E12GAyCCyNKRXx2DEU4UYnoa1LtywFdb0fKGBCXXfSGG04IlJK/PDYohePsnt/QNWpSGFb0c2rRuyHJhWpxhhWtqb/ge8iGUyPugcSVdefZhn95BZbkJW9F8uFCTmuPMUL6FK02FOxzxvtdVC15Ip/3ax2IT9Xs8kFtLZML6Gb4FBNBFbMKpC4XmI90/7QY4XBwb8SPsc8upFJ1WnDtt1OKORYRsnuHkehel7yArzFUFhxg+tvY6eEVCDmfvOpJb6lyQ7+XBEYlbkjftv/o9AQk1A0annbOzXbWD7J+I7oGJvgpJaAT5c23ARZ6/HVU1bSmiWWYzznKrWjmD96K9Q0ZZZ1meE2Ivlu+K9M8UeY0YE+Pr/AxMQfSggCFEUvIOthI5SWwOaKQ1xI2Zm1wTkRsp3GXM1O2fw0wvSvXYb97rQt3l1cvzZmYDe90JDrNf8beCejFHZCFGYdSMLiFT3ZYOSdjP+XXMq3sCoSdvak16afB1xNjhMd6DRUO2VjEMO4SVl0Ko7dUNz+o8Fj2mRBryuZPUji6ADaSC89lXmU+VWgGez8FnYpErbLIJYiH36wKg/7sCXXHhERDNxqTdNK63cXZ/AfyoyCmcffopQBIolNOWuOJ6pmTm8JZrQHS7G5bXwnPN67/UUnMecdVuZjf24Rj78LR7TproiGm/oLkB3VoVB4SqytnbJK9UHS2IaoQEAbMQHfqxCeMStEfvUxILmMzgmHeHgW06he18JicIiJXYxqFyANi48y0zTFbC0SeBwxQEfs/XExmzEVCecWhRDz3yhOnYWb0xdBHwLmqLXuicmrE4/w8aJb1nIlNAXDEhOyL3cuEy05iIJVFdY8RB16tP/dQWcKt+8ad01EyPPs/hvVH0O7KbECY+xKG2AjDsfi/oC4UxsPV1TC/2hJC9g2c5VBifdfNQC1nGnZ84SiK96tqnAOv18fZSMiGyFcHthCkgJbFI3HwVtYRDj+WPu9IRiZuTukVbJ7HA554vabjxFpRfzTPpDsX8jVJQlI7ckCa2E0SIkGt19jV70tXZZqXMK4TLshRCEwzmAC4tx6qbaGXA8xof/7nxuSXrzygsQFW8jkib3evxljhw8CVzCJwPvUHpYtz07N5MqUeX6/EUXXK4CPaWFx2TTmhPO24Qn+EHBo5MSnUmFTL+3sdj2pr9vG3mA5FUnDbafloBMyLsc5Xt97ECpzDIg2+H89HLK0AQiBbXeVh5Fhedme4FhgbIAChIls8xVsTmbANxOP4KTwGKeuD3vm2SdOFmvyvNb5v6mYKnlITkiWsGsEz5kTGulpLcXzp59idat0u5rFUlGUPw95yDi2g/12jZRV+wc1UQNVyRHa6cAQQ+CBFUr2nC/SEI7JEgLzUoJ2llPIZw99NQeYhcVZ9Nz9xCRKKSCAV0wggFZoAMCARKiggFQBIIBTGyxqNQApOanQr5stsEah6zivXA9iKElbqZEPaOSycdUlkYtTi3HRilfyutwBxx86X4B43iHXNZO4inOmGUjIkQDLImvREQkBLNbTPRXXrmUQgYP+5eHBMkjTtfOeSjYo8N8GMkSdwIOt+7+1y/5e5Ruvfvu/8qpDR/Hpz2pMkyobmWVcAqdGrQp85Fo
EwGC2uJQp1Tpv0/6qiSmYrd6o8O6pyG6CqlfeYiuUJLGhIKAkYKoq4zeZqlNjzDkZMwkcJ91UI3vbH8bUoI28eYQ2lDA5IRcvhiwb2ncl61RxuhZYj/+Kcb9GTLh9YOHWKDLDtYaJnansId6DA7qEeo6eS0vbAmPTe3fkY7su8iAk7ls5pYBo6Xz5SlyO+AzmYW73ckcX+ajOOm1R/BIGAgLGycNjNS0UmeE2fLCcrF7nIHK7th3bwVYf4gO5PuT
Connection keep-alive
Cookie PHPSESSID=d6bc098c4076b62445a0b71ff78aa935
Host host.domain2.domain1.tld
Upgrade-Insecure-Requests 1
User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0

Using the script provided in the Negotiate module docs and setting the variables correctly, it looks like Negotiate is being tried, and the browser seems to be doing what it is supposed to do.  But, in looking at the code in the sample script, apparently the HTTP_AUTHORIZATION variable is not being populated in the $_SERVER array (at least that’s what it seems).  I’ve looked at potential reasons for this, and I have tried rewrite engine workarounds as well as setenv methods, but I’m not having any luck.

Do you have any recommendations as to where I may check next or have any ideas why the negotiate module isn’t actually functioning?  I feel I’m so close to having this function and just am missing one tiny piece…

Mike

sm...@univention.de

Apr 25, 2019, 5:35:46 AM
to SimpleSAMLphp
Hi,
have you made any progress here?
We have the same problem here. If desired, I can deliver more test cases or support them in other ways.

Regards,
Michel

Tim van Dijen

Apr 25, 2019, 5:50:30 AM
to SimpleSAMLphp
Hi Michel,

Please describe your situation:
- What version of SSP are you using?
- Is it just IE not working? What browsers have you tried?
- What browser settings have you tried?
- What does your apache-config and authsource-config look like?

- Tim

Michel Smidt

Apr 25, 2019, 7:27:34 AM
to simple...@googlegroups.com
Hi Tim,

thank you for your quick answer. First of all I would like to point out that we like to use simplesamlphp and it is really great!

We are currently using 1.14.11 on Debian Stretch.
Now that I see on the homepage that it's already 1.17.0 for download, our version seems pretty old to me.
But maybe nothing has changed in the relevant components?

The problem exists under Edge and Chrome. Firefox works correctly.

The browsers are unconfigured. I haven't tried any special browser settings. The Windows 10 clients were each in a different domain or not joined at all.
The working Windows 10 clients were joined in the correct domain and each had network.negotiate-auth.trusted-uris (Firefox) or the Local Intranet Site (Edge & Chrome) set.

I attached the anonymized apache-config and authsource-config.

Best,
Michel

univention-saml.conf.anonymized.conf
authsources.php.anonymized

Tim van Dijen

Apr 25, 2019, 8:06:15 AM
to SimpleSAMLphp
Ok, that config looks good!
Now, since Firefox is working just fine, we should probably concentrate on the browser-settings..
Both Edge & Chrome use the Windows Internet settings, so it makes sense that both fail.
There's at least one more setting you should check.. See attachment.
Also, it would be helpful if you could provide a log with 'logging.level' => SimpleSAML\Logger::DEBUG (config.php) so we can figure out at what point it fails.

Regarding the version you're using..  There are no relevant changes to the negotiate-module, however, you're pretty vulnerable to a bunch of nasty security issues that were fixed in later versions, so I recommend you upgrade ASAP.
Also, I have had some issues in the past with older (pre 1.1.0) versions of the php-krb5 module, so it may be desirable to update that one too:  https://pecl.php.net/package-info.php?package=krb5&version=1.1.2

IE_settings.png

Tim van Dijen

Apr 25, 2019, 8:13:44 AM
to SimpleSAMLphp
One more setting that I believe is mandatory (see attachment)

Naamloos.png

Michel Smidt

Apr 25, 2019, 12:33:19 PM
to simple...@googlegroups.com
Hi Tim,

the settings you mentioned ("Automatic logon only in Intranet zone" & "Enable Integrated Windows Authentication") are set on all Win10 clients (joined in correct domain, joined in other domain, not joined).
Attached you will find two logs: the working call with Firefox (syslog.anonymized.correct) and the Basic Authentication pop-up with Chrome (syslog.anonymized.incorrect). Both from the not joined Win10 client.
Hope this helps.

Many thanks in advance
Michel

syslog.anonymized.correct
syslog.anonymized.incorrect

Michel Smidt

Apr 27, 2019, 7:59:02 AM
to simple...@googlegroups.com
Hi Tim,

I'm afraid I don't really see anything in the logs. In the correct log it just seems to go on sometime. Until then the process is identical.
Do you perhaps have another idea how I could log it on the browser side?

Cheers,
Michel

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:
 
https://simplesamlphp.org/support
 
Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.
 
Make sure to read the documentation:
 
https://simplesamlphp.org/docs/stable/
 
If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:
 
http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Tim van Dijen

Apr 27, 2019, 4:06:42 PM
to SimpleSAMLphp
Yeah those logs make no sense at all... Something funny is going on here..
Perhaps logging the HTTP-headers on the browser-side can help you..

Michel Smidt

Apr 29, 2019, 10:51:00 AM
to simple...@googlegroups.com
Hello, Tim,

I have now had a look at the HTTP headers on the browser side.
The reason seems to be the combination of the following two parameters:
Status Code: 401 Unauthorized
WWW-Authenticate: Negotiate

Of course, if I change WWW-Authenticate somehow in Negotiate.php no pop-up will appear but the Kerberos authentication won't work either.

According to some links in the web this is a faulty behaviour of the browsers Chrome, IE and Edge and you can only avoid this by not sending "WWW-Authenticate: Negotiate" to the client agents on the server side. But that would be a pity because some clients with Chrome, IE and Edge can do that.
Did I understand that correctly? 
Is that already known? Is there perhaps a workaround?

Cheers,
Michel

SSC-ICT A-BII Federatieve Services

Apr 29, 2019, 11:26:05 AM
to simple...@googlegroups.com
Hi Michel,

I think what you describe is an old issue from the IE6-days..

How does IE respond to the HTTP/401? Is there a HTTP_AUTHORIZATION-header sent at all?

It would be helpful if you could make a trace using Chrome + SAMLtracer plugin..

Kind regards,

Tim van Dijen
Identity & Access Management
Ministry of Justice and Security

Michel Smidt

Apr 30, 2019, 4:58:37 AM
to simple...@googlegroups.com
Hi Tim,

you will find the two logs attached. I didn't find any HTTP_AUTHORIZATION headers but I'm not completely sure if I logged it correctly.

Best,
Michel

SAML-tracer-export-2019-04-30T08_39_41.119Z.anonymized.json
schule-univention.de2.anonymized.har

Tim van Dijen

Apr 30, 2019, 6:02:48 AM
to SimpleSAMLphp
Hi Michel,

You're right.. You're not sending it..  It's the call to /simplesamlphp/saml2/idp/SSOService.php that's wrong.
In my case I see an 'Authorization: Negotiate', followed by a long authorization-string.. The response is a HTTP/200 OK instead of HTTP/401 Unauthorized.
Your issue really must be in the browser-configuration..

- Tim
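
The checks Tim describes doing by hand above (was an Authorization header sent at all, and did the server answer 200 or 401), together with the NTLM fallback Jaime mentioned earlier in the thread, as an added example that is not code from SimpleSAMLphp or from anyone on this list: a Python diagnostic that walks captured request/response headers (as read off a HAR export or browser console), parses the SPNEGO mechTypes list out of the Negotiate token and reports where the flow stopped. The host name, header values and tokens are constructed for illustration; the sample tokens carry no real Kerberos material.

```python
"""Diagnose a captured HTTP Negotiate exchange: did the server challenge, did the browser ever
answer with 'Authorization: Negotiate', and is that token SPNEGO (offering which mechs?) or raw NTLM?
Added example, not SimpleSAMLphp code; all sample tokens are synthetic and carry no real tickets."""
import base64
from typing import Dict, List, Tuple

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy)",
              "1.3.6.1.4.1.311.2.2.30": "NEGOEX", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def _der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F                  # long-form length, as in real tokens
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_token(token_b64: str) -> Dict[str, object]:
    """Classify the value that follows 'Authorization: Negotiate '."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE):                    # raw NTLM instead of Kerberos/SPNEGO
        return {"kind": "ntlm", "mechs": ["NTLMSSP"], "ntlm_message_type": int.from_bytes(raw[8:12], "little")}
    if raw[:1] != b"\x60":                                   # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, body, _ = _der_tlv(raw, 0)
    tag, oid, pos = _der_tlv(body, 0)                        # thisMech OID
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        return {"kind": "unknown", "mechs": []}
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ..., mechToken [2] OCTET STRING }
    neg_init = _der_tlv(body, pos)[1]
    oid_list = _der_tlv(_der_tlv(_der_tlv(neg_init, 0)[1], 0)[1], 0)[1]   # SEQUENCE -> [0] -> SEQUENCE OF
    mechs, p = [], 0
    while p < len(oid_list):                                 # in the browser's order of preference
        _, oid, p = _der_tlv(oid_list, p)
        mechs.append(MECH_NAMES.get(_decode_oid(oid), _decode_oid(oid)))
    return {"kind": "spnego", "mechs": mechs}

def diagnose_exchange(exchange: List[Tuple[Dict[str, str], int, Dict[str, str]]]) -> Dict[str, object]:
    """Walk (request headers, status, response headers) triples and report where the flow stopped."""
    challenged, token, token_status = False, None, None
    for req, status, resp in exchange:
        www = {k.lower(): v for k, v in resp.items()}.get("www-authenticate", "")
        auth = {k.lower(): v for k, v in req.items()}.get("authorization", "")
        challenged = challenged or (status == 401 and www.lower().startswith("negotiate"))
        if auth.lower().startswith("negotiate "):
            token, token_status = classify_token(auth.split(None, 1)[1]), status
    if not challenged:
        verdict = "no-challenge"             # server never sent WWW-Authenticate: Negotiate
    elif token is None:
        verdict = "client-never-answered"    # the browser showed a password box instead
    elif token["kind"] == "ntlm":
        verdict = "ntlm-fallback"            # the browser had no Kerberos ticket to offer
    elif token_status == 200:
        verdict = "accepted"
    else:
        verdict = "server-rejected-token"    # a ticket was sent but the server re-challenged
    return {"challenged": challenged, "token": token, "verdict": verdict}

def _der(tag: int, value: bytes) -> bytes:
    """Short-form DER TLV, enough for the small synthetic tokens built below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def build_spnego_init(mech_oids: List[str]) -> str:
    """Synthetic SPNEGO NegTokenInit (base64) with a zero-filled placeholder mechToken."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    mech_token = _der(0xA2, _der(0x04, b"\x00" * 16))
    neg_init = _der(0xA0, _der(0x30, mech_types + mech_token))
    return base64.b64encode(_der(0x60, _encode_oid(SPNEGO_OID) + neg_init)).decode()

# Constructed captures mirroring the situations described in this thread.
CHALLENGE = {"WWW-Authenticate": "Negotiate"}
PLAIN_REQ = {"Host": "idp.example.test", "Accept": "text/html"}
KRB_TOKEN = build_spnego_init(list(MECH_NAMES))              # Kerberos offered first, NTLMSSP last
NTLM_TYPE1 = "TlRMTVNTUAABAAAA"                              # constructed: b"NTLMSSP\0" + message type 1
WORKING = [(PLAIN_REQ, 401, CHALLENGE), ({**PLAIN_REQ, "Authorization": "Negotiate " + KRB_TOKEN}, 200, {})]
POPUP = [(PLAIN_REQ, 401, CHALLENGE), (PLAIN_REQ, 401, CHALLENGE)]     # re-challenged, browser never answers
SERVER_SIDE = [(PLAIN_REQ, 401, CHALLENGE),
               ({**PLAIN_REQ, "Authorization": "Negotiate " + KRB_TOKEN}, 401, CHALLENGE)]
```

On a real capture, a `server-rejected-token` verdict with Kerberos in the mech list points at the server side (the web server not handing the Authorization header to PHP, or a keytab/SPN mismatch), while `client-never-answered` points at browser zone settings.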

Michel Smidt

May 13, 2019, 10:03:47 AM
to simple...@googlegroups.com
Hi Tim,

Thank you so much for your help. I have looked at it intensively together with my colleagues and we have come to the conclusion that it is a misbehaviour of the browsers. That's why I submitted a bug to the Chromium project: https://bugs.chromium.org/p/chromium/issues/detail?id=962473

Cheers,
Michel