Forum Discussion
NimbostratusAPM - Kerberos Auth presents authentication pop-up on Krb Failure
We have implemented APM as our external SAML iDP and we have created a policy as follows:
401 Auth (Neg) -> Krb Auth (Success) -> continue with policy 401 Auth (Neg) -> Krb Auth (Fallback) -> 401 Auth (Basic) -> continue with policy
What we are finding is that when a user uses IE, that support Kerberos, and that user does not have a valid Kerberos ticket (eg they are from another domain or they are on a non-domain device) we get an authenticaton pop-up. This is not the 401 Auth (Basic) pop-up.
- What is it?
- Is there a way to get rid of this extra pop-up?
1 Reply
Posterus_85681Hi Kevin,
I understand what you have presented but that is not my issue. The issue occurs when you have a browser such as IE that presents a negotiate in the header (which it will do even if the PC in not logged onto a domain). So it will goto Kerberos auth but no valid ticket is presented and so auth fails (this may also occur if the PC is joined to another domain that Kerberos is not setup for, so cross domain).
On Kerberos auth failure instead of moving straight away to the fallback and we then force a basic auth, it presents a username/password authentication prompt. This prompt is what i am trying to remove, because no matter what credentials you enter into it, it fails auth then moves to fallback and the next 401 Basic Auth.
