
Basic auth always asks credentials twice on Chrome, Edge fallbacks even if auth_gss_allow_basic_fallback=true #138

Open
elonen opened this issue Mar 20, 2023 · 4 comments

elonen commented Mar 20, 2023

In my setup, most people use Kerberos tickets (works) but some need to type in username and password.
It also works, but they always need to type in their username and password twice, leading to frustration and users believing they mistyped.

Is there a way to avoid this behavior?

Here's my config, pretty usual:

auth_gss on;
auth_gss_keytab /etc/krb5.keytab;
auth_gss_realm EXAMPLE.COM;
auth_gss_force_realm on;
auth_gss_service_name HTTP/service.example.com;

Playing around with auth_gss_realm and auth_gss_force_realm doesn't seem to make any difference with this.

This seems to be very browser dependent:

  • Happens on Chrome as described above: two prompts, first doesn't matter. Chrome also gives one spurious popup, even if auth_gss_allow_basic_fallback is set to off, but always results in 403.
  • Doesn't happen on Firefox, works fine.
  • On Edge, I also get a popup if auth_gss_allow_basic_fallback is off, but on it, the popup actually works.

The double prompt is also mentioned in #4.
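The report above describes the browser side only; what the server actually advertises in its 401 challenges is the other half of the picture, since a Basic prompt can only be answered on a round trip where the 401 carries a Basic challenge. As an added example (not part of this issue or of the nginx module's code), here is a small RFC 7235 challenge parser run over a constructed 401 response; SAMPLE_401 is made up, not a capture from the reporter's server.

```python
import re

# Constructed sample (not a capture): a 401 offering Negotiate plus a Basic fallback.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
              'WWW-Authenticate: Basic realm="EXAMPLE.COM"\r\n\r\n')

# auth-param: key=value where value is a token or a quoted-string (RFC 7235).
_PARAM_RE = re.compile(r'^([\w.~+/-]+)\s*=\s*("[^"]*"|[^="\s]+)$')


def _split_commas(value: str) -> list[str]:
    # Split on commas outside double quotes so realm="a,b" stays whole.
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_challenges(headers: list[str]) -> list[tuple[str, dict[str, str]]]:
    """WWW-Authenticate values -> [(scheme, params)]; a bare key=value item
    continues the previous challenge, anything else starts a new one."""
    challenges: list[tuple[str, dict[str, str]]] = []
    for header in headers:
        for item in _split_commas(header):
            m = _PARAM_RE.match(item)
            if m and challenges:
                challenges[-1][1][m.group(1).lower()] = m.group(2).strip('"')
                continue
            scheme, _, rest = item.partition(" ")
            params: dict[str, str] = {}
            if rest.strip():
                pm = _PARAM_RE.match(rest.strip())
                if pm:  # "Basic realm=..." style: first auth-param
                    params[pm.group(1).lower()] = pm.group(2).strip('"')
                else:   # "Negotiate <base64>" style: token68
                    params["token68"] = rest.strip()
            challenges.append((scheme, params))
    return challenges


def offered_schemes(raw_response: str) -> list[str]:
    """Schemes advertised by a raw 401 response, in header order."""
    lines = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    values = [v.strip() for n, sep, v in (ln.partition(":") for ln in lines)
              if sep and n.strip().lower() == "www-authenticate"]
    return [scheme for scheme, _ in parse_challenges(values)]
```

Running `offered_schemes` over the first 401 and over the 401 that follows a rejected Negotiate attempt shows whether Basic is advertised on the first round trip or only on the second, which is the difference between one prompt and two.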


elonen commented Mar 23, 2023

I suspect this has something to do with the fact that basic auth fallback users also have to re-login quite often (might happen only on idle connections, not sure), even though the "Authorization: Basic ..." headers shouldn't actually have any kind of expiration, IIRC.

@elonen elonen changed the title Basic auth fallback always asks credentials twice Basic auth always asks credentials twice on Chrome, Edge fallbacks even if auth_gss_allow_basic_fallback=true Mar 24, 2023

elonen commented Mar 24, 2023

This looks very similar: gssapi/mod_auth_gssapi#257
They concluded it's a Chrome issue that the server side can't work around.


lavih commented Apr 7, 2023

@elonen, thank you for this case - it was very helpful. I thought at first it was a config issue or a mistype.
Do you know if there are any news regarding this?


elonen commented Apr 17, 2023

@lavih No, I haven't found a good fix or workaround unfortunately. My current plan is to somehow try and detect Kerberos-eligible users before attempting auth_gss (perhaps by IP address) and offering others password login some other way.
