We have single-sign-on working on an internal website, with Apache and mod_auth_kerb ... except users without the relevant browser config are getting password prompts instead of an error page.
Users who have tweaked their web browser config to allow the site get straight in. The problem is for users who haven't yet performed that browser configuration: we want them to see an error page, but instead Edge, Chrome, and IE all prompt for a username and password.
We have KrbMethodK5Passwd off. This has the desired effect on Firefox users, who see the error page.
How can we prevent the other browsers from prompting for a password when SSO fails? We don't want passwords going over the network, and we don't want to train users into thinking it's acceptable to supply their Windows username and password to websites.
Here's Chrome's unwanted prompt:
And here's Edge's (IE's is pretty much the same):
If the user presses Esc 7 times then the prompt eventually goes away and the user gets to read the error page. But there's no reason a user would think to do that (if it didn't work the first 6 times, why try a 7th?), whereas they may try submitting their password.
The server's running Ubuntu, and has this Apache config enforcing the authentication:
    <Location />
        AuthName "Internal Website Domain Authentication"
        AuthType Kerberos
        Krb5Keytab /etc/apache2/HTTP.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        Require valid-user
        ErrorDocument 401 /error/authentication.html
    </Location>
Thanks.
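An added example, not part of the original post: one way to confirm from the server side that a 401 produced by this configuration challenges with Negotiate only, so that no Basic or Digest challenge invites a typed password. The sample responses, the realm "Intranet, HQ" and the function names are constructed for illustration.

```python
import re
# Constructed sample 401 responses (not captured from the poster's server).
NEGOTIATE_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
                  "WWW-Authenticate: Negotiate\r\n"
                  "Content-Type: text/html\r\n\r\n")
WITH_BASIC = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Negotiate, Basic realm="Intranet, HQ", charset="UTF-8"\r\n'
              "\r\n")
PASSWORD_SCHEMES = {"basic", "digest"}  # schemes answered with a typed password
# A challenge starts with a scheme token that is not directly followed by "=".
_SCHEME = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?!\s*=)(?:\s+.*)?$")

def _split_commas(value):
    """Split on commas that sit outside double-quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def offered_schemes(raw_response):
    """Return the lower-cased auth schemes a raw HTTP response challenges with."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for item in _split_commas(value):
            match = _SCHEME.match(item)
            if match:  # items such as realm="..." are parameters, not schemes
                schemes.append(match.group(1).lower())
    return schemes

def audit(raw_response):
    """Report whether Negotiate is offered and which password schemes appear."""
    schemes = offered_schemes(raw_response)
    return {"negotiate": "negotiate" in schemes,
            "password_schemes": sorted(PASSWORD_SCHEMES.intersection(schemes))}
```

Feed `audit` the raw response to an unauthenticated request for the site; with KrbMethodNegotiate on and KrbMethodK5Passwd off the expected result is Negotiate offered and an empty list of password schemes.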