Problem:
Login works fine in Chrome and Firefox (and probably every other browser). IE just shows a 401 after entering right credentials.
Scenario:
I got an Apache (Apache/2.2.20 (Win32) DAV/2 SVN/1.7.2 mod_auth_sspi/1.0.3 mod_ssl/2.2.20 OpenSSL/0.9.8r PHP/5.2.17) on Windows (Windows NT 6.1 build 7601) and configured mod_auth_sspi with just "require valid user".
The Server ist part of the Domain (in fact there are multiple domains with trust but that seems not to matter). I tried different configurations (with mod_auth_sspi 1.03, 1.04 and beta), for example the following quite simple one:
AuthName "Intranet"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
#Add line if sspi >= 1.0.4
#SSPIPerRequestAuth On
#END VERY IMPORTANT
require valid-user
If I try to login:
* Chrome works fine with NTLM (Header monitor showed correct 4-way-handshake). Firefox falls back to basic and works fine. The login works fine no matter how I authenticate on the other browsers: UserFromDomainA, DomainA\UserFromDomainA, DomainB\UserFromDomainB, UserFromDomainB work all fine.
* IE tries NTML (password dialog pops up on domain pc and public pc) and show 401. A header monitor gave me the clue that it stops after the first half of the handshake, instead of sending the last /GET to authenticate the browser just shows the 401 error.
So I really don't get the point in the IE9 behavior. We have some MS TFS (IIS with http auth) server available and a header monitor shows identical packets regarding the NTLM handshake. It's just that there the IE9 doesn't stop in the middle like with the sspi-Apache.
Anybody some clue where I could go on looking? All the google results are concerned with other browsers or IE POST problem and nobody seems to have problems with just IE.
Regards,
Peter
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
The keep alive was really the problem, missed it out as it was defined not in my part of the config. So removing the SSL "classic line for backwards compatibiliy"
Hi there,
Problem:
Login works fine in Chrome and Firefox (and probably every other browser). IE just shows a 401 after entering right credentials.
Scenario:
I got an Apache (Apache/2.2.20 (Win32) DAV/2 SVN/1.7.2 mod_auth_sspi/1.0.3 mod_ssl/2.2.20 OpenSSL/0.9.8r PHP/5.2.17) on Windows (Windows NT 6.1 build 7601) and configured mod_auth_sspi with just "require valid user".
The Server ist part of the Domain (in fact there are multiple domains with trust but that seems not to matter). I tried different configurations (with mod_auth_sspi 1.03, 1.04 and beta), for example the following quite simple one:
If I try to login:
* Chrome works fine with NTLM (Header monitor showed correct 4-way-handshake). Firefox falls back to basic and works fine. The login works fine no matter how I authenticate on the other browsers: UserFromDomainA, DomainA\UserFromDomainA, DomainB\UserFromDomainB, UserFromDomainB work all fine.
* IE tries NTML (password dialog pops up on domain pc and public pc) and show 401. A header monitor gave me the clue that it stops after the first half of the handshake, instead of sending the last /GET to authenticate the browser just shows the 401 error.
So I really don't get the point in the IE9 behavior. We have some MS TFS (IIS with http auth) server available and a header monitor shows identical packets regarding the NTLM handshake. It's just that there the IE9 doesn't stop in the middle like with the sspi-Apache.
Anybody some clue where I could go on looking? All the google results are concerned with other browsers or IE POST problem and nobody seems to have problems with just IE.
Regards,
Peter
Is your IE9 browser in compatibility mode for the site or normal mode?
I assume you have keep alive enabled already.
Thanks a lot rbeede!
The keep alive was really the problem, missed it out as it was defined not in my part of the config. So removing the SSL "classic line for backwards compatibiliy"
BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0fixed the problem at once.
Stupid me.