http-headers kerberos http-authentication

Continue when HTTP authentication fails


I have created an app (backend and frontend) that is mainly used on a Windows intranet. I'm using Kerberos authentication to do SSO so that anyone logged in to the Windows domain is automatically authenticated to the server. To do this I set up a Kerberos SPN for the server and configured browsers etc., and it is all working fine in the normal scenario. My problem is that I need to continue if the user is not authenticated (i.e. connects from outside the Windows domain or does not have their browser configured correctly).

In summary there are two scenarios:

  1. if authenticated OK continue with authorization granted for their ID [currently works]
  2. if not authenticated continue with no (public) authorization [does not work]

In the first case the HTTP requests/responses are:

  a. frontend: initial HTTP request
  b. backend: no auth found so return 401 unauthorized with WWW-Authenticate:Negotiate header
  c. frontend: re-sends request with Authorization header -> decoded to get the login ID

In the 2nd case:

  a. frontend: initial HTTP request
  b. backend: no auth found so return 401 with WWW-Authenticate:Negotiate (and error text in the body)
  c. frontend: browser stops (displaying the body of the response as text to the user)

This is the crux of the problem: I need to somehow avoid the browser just completely bombing (as at step c above).

Solutions I have tried:

  1. Display a message to the user, in the body of the 401 response, about how to adjust browser settings to allow SSO to work. This is pretty ugly looking and does not work for connections from outside the domain.

  2. Tried a 301 redirect instead of the 401 unauthorized response, but the browser does not like this.

  3. Tried a redirect using JavaScript in the 401 response body, but it is not executed.

  4. Have the backend send 401 but with WWW-Authenticate:Negotiate,Basic. But this displays an unneeded login/password dialog and still fails if they don't log in.

What I really need is a None option, i.e. WWW-Authenticate:Negotiate,None, then continue with no auth if the subsequent frontend request indicates "None" was used. Of course, there isn't a "None" option. :(

It seems that this should be a fairly typical scenario but I have been researching this to no avail for 3 days now. Any advice would be greatly appreciated.


Solution

  • If the browser is connecting from outside the intranet then just continue. That is, do not send the 401 response at all (no auth). You should be able to tell from the IP address where they connect from.

    Another option is to redirect using JS in a page in the 401 body. As mentioned above I think you need to include Content-type: text/html or Content-type: text/javascript.
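
Both suggestions in the answer can be combined into one server-side decision, sketched here as an added example that is not code from the original post. The subnets, the `/?anon=1` fallback URL and the `validate` hook (a stand-in for the server's real Kerberos token check) are assumptions.

```python
import ipaddress

# Assumed intranet ranges (constructed sample values; use the site's real subnets).
INTRANET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Body of the 401. A browser that answers the challenge never renders it; one
# that cannot (SSO not configured) runs the redirect. "/?anon=1" is hypothetical.
FALLBACK_HTML = (
    '<!doctype html><title>Single sign-on unavailable</title>'
    '<script>location.replace("/?anon=1");</script>'
    '<p><a href="/?anon=1">Continue without signing in</a></p>'
)


def on_intranet(peer_ip):
    """True if the TCP peer address lies in a configured intranet range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable address: treat as external
    return any(addr in net for net in INTRANET)


def public():
    return {"status": 200, "principal": None, "headers": {}, "body": ""}


def decide(peer_ip, authorization=None, anon_requested=False,
           validate=lambda token: None):
    """Choose the response for one request.

    peer_ip must be the socket peer address, not a client-supplied header such
    as X-Forwarded-For. validate is a stand-in for the server's real
    Kerberos/GSSAPI token check and returns a principal name or None.
    """
    if authorization and authorization.startswith("Negotiate "):
        principal = validate(authorization[len("Negotiate "):])
        if principal:
            return {"status": 200, "principal": principal, "headers": {}, "body": ""}
        return public()  # token rejected: continue with public rights only
    if anon_requested or not on_intranet(peer_ip):
        return public()  # never challenge; the IP check grants nothing extra
    return {
        "status": 401,
        "principal": None,
        "headers": {"WWW-Authenticate": "Negotiate",
                    "Content-Type": "text/html; charset=utf-8"},
        "body": FALLBACK_HTML,
    }
```

The source address only decides whether a challenge is sent; elevated rights come solely from a validated token, so a client that skips the challenge gets the public view and nothing more.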