How to fallback from Negotiate method to Basic only when Negotiate fails
I have a web application which does Kerberos and Basic authentication as well. I do not know what the client is capable of, so both auth mechanisms are sent in the 401 reply.

The reply headers will contain:

WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="MyREALM"

But I want the client to fall back to Basic auth only if Negotiate fails.

I want the flow to be like this:

  1. The client request
  2. Server responds with WWW-Authenticate: Negotiate
  3. The client re-requests (either with wrong auth data or with some flag indicating it can't proceed)
  4. The server responds again with WWW-Authenticate: Basic realm="MYREALM"
  5. The client does Basic auth.

How can I do this? I modified the server code to do this. But a browser which is not in any domain (it's supposed to do Basic auth) does not respond after step 2.

Heffron answered 23/3, 2011 at 12:33

Comment: Yeah, what is the browser and server that you are using? The browser has to know to attach a SPNEGO ticket upon receiving a 401 with WWW-Authenticate: Negotiate. If the browser does not know how to attach said SPNEGO ticket, it will stop the handshake by displaying the 401 page returned by the service. I have achieved fallback on login by redirecting all 401 responses through a controller and tracking in the user session the fact that they have been sent a 401 with WWW-Authenticate: Negotiate already. In such a case I redirect to the login page; otherwise I simply display the bog-standard 401 page. (Pergrim)
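The server-side half of the flow the question describes (and the session-tracking trick mentioned in the comment above) can be written as a small, framework-independent request handler. The following is an added example, not code from the question, the comment, or any particular server; it assumes a cookie-backed per-client `Session` object, and the two verifier callbacks (`verify_negotiate`, `verify_basic`) are constructed stand-ins for a real GSSAPI/SPNEGO token check and a real password check. The realm string is the one from the question. It does not (and cannot) make a browser that never sends a token continue after a Negotiate-only 401; it only guarantees the server's second challenge is Basic, which is the part the server controls.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Realm string taken from the question's example header.
REALM = "MyREALM"

Headers = Dict[str, str]
# (HTTP status, response headers as (name, value) pairs, authenticated principal)
Decision = Tuple[int, List[Tuple[str, str]], Optional[str]]


@dataclass
class Session:
    """Per-client state. HTTP is stateless, so the server has to remember
    (in a cookie-backed session, assumed here) that this client has already
    been sent a Negotiate-only challenge."""
    negotiate_offered: bool = False


def parse_basic(param: str) -> Optional[Tuple[str, str]]:
    """Decode the base64 'user:password' of a Basic credential; None if malformed."""
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(headers: Headers, session: Session,
                 verify_negotiate: Callable[[str], Optional[str]],
                 verify_basic: Callable[[str, str], bool]) -> Decision:
    """Decide the response for one request, following the question's flow:
    first unauthenticated request -> 401 with Negotiate only; a retry without
    a usable token (or with a rejected one) -> 401 with Basic only."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    scheme, param = scheme.lower(), param.strip()
    basic_challenge = [("WWW-Authenticate", f'Basic realm="{REALM}"')]

    if scheme == "negotiate" and param:
        principal = verify_negotiate(param)
        if principal is not None:
            return 200, [], principal
        # Token rejected (step 3 in the question): fall back to Basic.
        session.negotiate_offered = True
        return 401, basic_challenge, None

    if scheme == "basic" and param:
        creds = parse_basic(param)
        if creds is not None and verify_basic(*creds):
            return 200, [], creds[0]
        return 401, basic_challenge, None

    # No usable credentials: offer Negotiate first, Basic only on the retry.
    if not session.negotiate_offered:
        session.negotiate_offered = True
        return 401, [("WWW-Authenticate", "Negotiate")], None
    return 401, basic_challenge, None


# --- constructed stand-ins for a GSSAPI token check and a password check ---
_CONSTRUCTED_TOKENS = {"dG9rZW4tb2s=": "alice@EXAMPLE.TEST"}  # opaque token -> principal
_CONSTRUCTED_USERS = {"bob": "s3cret"}


def demo_verify_negotiate(token: str) -> Optional[str]:
    return _CONSTRUCTED_TOKENS.get(token)


def demo_verify_basic(user: str, password: str) -> bool:
    return _CONSTRUCTED_USERS.get(user) == password


def _step(headers: Headers, session: Session) -> Tuple[int, List[str]]:
    status, resp_headers, _ = authenticate(headers, session,
                                           demo_verify_negotiate, demo_verify_basic)
    return status, [v for _, v in resp_headers]


def run_non_domain_client() -> List[Tuple[int, List[str]]]:
    """Browser with no Kerberos credentials: retries without a token, then uses Basic."""
    session = Session()
    cred = base64.b64encode(b"bob:s3cret").decode()
    return [_step({}, session),
            _step({}, session),
            _step({"Authorization": f"Basic {cred}"}, session)]


def run_domain_client() -> List[Tuple[int, List[str]]]:
    """Domain-joined browser: answers the Negotiate challenge with a valid token."""
    session = Session()
    return [_step({}, session),
            _step({"Authorization": "Negotiate dG9rZW4tb2s="}, session)]


def run_bad_token_client() -> List[Tuple[int, List[str]]]:
    """Client whose SPNEGO token is rejected: server falls back to Basic."""
    session = Session()
    return [_step({}, session),
            _step({"Authorization": "Negotiate bm90LXZhbGlk"}, session)]


if __name__ == "__main__":
    print(run_non_domain_client())   # [(401, ['Negotiate']), (401, ['Basic realm="MyREALM"']), (200, [])]
    print(run_domain_client())       # [(401, ['Negotiate']), (200, [])]
```

Two points worth keeping in mind when wiring this into a real server: the session flag must be bound to a cookie or similar client identifier, otherwise a shared reverse proxy collapses all clients into one state; and Basic credentials are only base64-encoded, so the fallback path should be reachable over TLS only.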

What is your browser? The specific RFC, chapter 4.6, mandates that the browser has to use the strongest auth offered. I cannot recall what the browser should do if it cannot obtain credentials for that.

Ernaernald answered 19/7, 2011 at 16:54