
I follow this guide to integrate my system with Windows AD, so that when someone logs on as a Windows domain user, he can log in to CAS automatically. If the user doesn't use a domain user, I want the system to return the normal HTML login page.

Now I have a problem: when I use a domain user, it works fine. But when I use a non-domain user, Chrome returns an ERR_UNEXPECTED error page to me. You can see in the TCP dump that the system already returns 401 and the login page HTML, but Chrome shows an error.

Can anyone give me some suggestions?

JVM: 1.8.0_111

cas-server-core: 3.3

cas-server-support-spnego: 3.3

Chrome: 55

TCP dump stream from Wireshark (non-domain user)

GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Content-Language: zh-CN

my login page html

GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA==
Content-Language: zh-CN

my login page html
zhufeizzz
  • Need more information about the client systems here: are your AD domain users coming in using workstations that are joined to the AD domain, and your non-domain joined users using workstations (like laptops) that are not joined to the domain? Is a VPN at play here, or is everyone on the same internal network? – T-Heron Jan 16 '17 at 14:34
  • Yes, the domain user joined the right AD domain, the non-domain user has joined another AD domain, and there is no VPN in my network. The problem seems like Chrome behavior: when Chrome finds that the domain does not match, it just returns an error. I tried to add WWW-Authenticate: Anonymous to the HTTP header, but it does not work. – zhufeizzz Jan 17 '17 at 01:53

1 Answer

Get rid of WWW-Authenticate: NTLM and only use WWW-Authenticate: Negotiate in the HTTP header. NTLM was deprecated by Microsoft many years ago in favor of Kerberos. Really, nobody should be using NTLM anymore, and it is doubtful that any of your clients are. This line in your network trace meant that the Chrome client was using NTLM:

Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

T-Heron
  • I have removed "WWW-Authenticate: NTLM" from the server response header. Now when I use a non-domain user, Chrome shows me a basic auth dialog box; I must click the cancel button so that it will jump to the login page. Do you know why? – zhufeizzz Feb 08 '17 at 08:14
  • This is typical behavior for a non-domain web browser client when Kerberos SSO negotiation fails - a Basic Auth dialog box pops up. Your original question, though, centered on Chrome returning an ERR_UNEXPECTED error page, and we've technically resolved that. To deal with this new situation, I can edit my answer with a new suggestion, but really, this is starting to get into an extended discussion and is really not fair to the person answering. – T-Heron Feb 10 '17 at 14:02
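The answer's reading of the `Authorization: Negotiate TlRMTVNTUAAB...` line can be verified by decoding the tokens themselves. The following is an added diagnostic example, not code from the question, the answer or CAS: it classifies a Negotiate token as raw NTLMSSP versus a GSS-API/SPNEGO token and parses the two NTLM messages from the trace above; `SPNEGO_SAMPLE` is a constructed minimal GSS-API header used only to show the other branch.

```python
import base64
import struct

# Both tokens are copied verbatim from the Negotiate exchange captured in the question.
CLIENT_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
SERVER_TOKEN = "TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA=="
# Constructed sample: a bare GSS-API header carrying the SPNEGO OID 1.3.6.1.5.5.2.
SPNEGO_SAMPLE = "YAgGBisGAQUFAg=="   # DER: 60 08 06 06 2b 06 01 05 05 02
NTLMSSP = b"NTLMSSP\x00"
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName"}

def classify(token_b64):
    """'NTLM' for a raw NTLMSSP message, 'SPNEGO' for a GSS-API token (DER
    [APPLICATION 0], first byte 0x60) as sent by a Kerberos-capable client."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP):
        return "NTLM"
    return "SPNEGO" if raw[:1] == b"\x60" else "unknown"

def _field(raw, off):
    # NTLM field descriptor: Len(2) MaxLen(2) BufferOffset(4), little-endian.
    length, _maxlen, buf_off = struct.unpack_from("<HHI", raw, off)
    return raw[buf_off:buf_off + length]

def parse_ntlm(token_b64):
    raw = base64.b64decode(token_b64)
    if not raw.startswith(NTLMSSP):
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:   # NEGOTIATE_MESSAGE: flags at 12, Version at 32 when flag 0x02000000 is set
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
        if info["flags"] & 0x02000000 and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["version"] = f"{major}.{minor} build {build}"
    elif msg_type == 2:  # CHALLENGE_MESSAGE: TargetName at 12, flags at 20, TargetInfo at 40
        info["target_name"] = _field(raw, 12).decode("utf-16-le")
        info["flags"] = struct.unpack_from("<I", raw, 20)[0]
        info["challenge"] = raw[24:32].hex()
        av_pairs, target_info, pos = {}, _field(raw, 40), 0
        while pos + 4 <= len(target_info):
            av_id, av_len = struct.unpack_from("<HH", target_info, pos)
            if av_id == 0:  # MsvAvEOL terminates the AV_PAIR list
                break
            value = target_info[pos + 4:pos + 4 + av_len]
            av_pairs[AV_NAMES.get(av_id, f"av{av_id}")] = value.decode("utf-16-le") if av_id in AV_NAMES else value.hex()
            pos += 4 + av_len
        info["target_info"] = av_pairs
    return info
```

Decoding the trace this way shows the client token is an NTLM NEGOTIATE_MESSAGE (with the client's Windows 6.1 version block, matching the User-Agent) and the server token an NTLM CHALLENGE_MESSAGE naming the target domain ictsm.com, so no Kerberos ticket was ever offered; the same check on a token from a domain-joined client talking to a correctly registered SPN returns SPNEGO.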