When Kerberos single sign on fails, IPA should fall back to a landing page with a username + password login form that also has directions on it to install the single sign on plugin if the platform supports it
This would enable better cross-browser compatibility and access from workstations where the kereberos browser plug-in cannot be installed.
Ticket 2109 was closed as duplicate.
The BZ is now linked to the following upstream ticket:
Be more forgiving about content-type format:
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Cause: When Kerberos single sign on to IPA Web UI fails, IPA Web UI does not have means to fall back to login+password authentication.
Consequence: Workstations outside of IPA Kerberos realm or with in-compatible browsers cannot access the IPA Web UI unless a fallback from Kerberos authentication to login+password authentication is configured on the IPA web server.
Change: IPA Web UI is now able to fall back to form based authentication when Kerberos authentication cannot be used.
Result: Users outside of IPA Kerberos realm or with in-compatible browsers can now login with their login and passwords.
verified using ipa-server-2.2.0-12.el6.x86_64
On a windows machine, used IE to access a ipa server. was able to login using form based auth, browsed through UI.
Also logged in as a non-admin user (whose password doesn't need to be reset) and got to page with user details.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.