Currently the web UI login will fail if kerberos negotiation fails. To have it fall back to have the browser pop up a username/password dialog, do the following: - edit /etc/httpd/conf.d/ipa.conf - In the section <ProxyMatch ^.*/ipa/ui.*$> - Change KrbMethodK5Passwd from 'off' to 'on' - /sbin/service restart httpd Note that this change may not be preserved between IPA updates.
Is this still true with the revised web UI, with IPA 2.0, etc?
See ticket https://fedorahosted.org/freeipa/ticket/216 The way this is done is to set KrbMethodK5Passwd on in /etc/httpd/conf.d/ipa.conf and restart httpd. By default this is off. This is documented on the wiki.
Dmitri is right. You can skip the Proxy part in the previous instructions. Note that this needs to be done on a per-server basis so if you have a number of replicas this needs to be done to all of them.
*** This bug has been marked as a duplicate of bug 646239 ***