Custom 401 error page served by Apache for Firefox but not IE (Kerberos authentication, authorization by group)

Tags: apache-2.2, http-error-401.2, internet-explorer, kerberos

My custom 401 error page gets served by Apache for Firefox but not IE.

I'm using Kerberos authentication and LDAP group authorization.

Basically, if a user is not in the proper group I'd like the 401 error page to show. This works properly with Firefox but not IE.

Additionally, it looks like IE is trying to fetch the resource twice, as opposed to Firefox, which fetches the resource once and displays the proper error message.

==> /var/log/httpd/ssl_access_log <==
xxx.xx.xxx.xx - - [20/Oct/2011:11:10:25 -0400] "GET / HTTP/1.1" 401 129

==> /var/log/httpd/ssl_request_log <==
[20/Oct/2011:11:10:25 -0400] xxx.xx.xxx.xx TLSv1 AES128-SHA "GET / HTTP/1.1" 129

==> /var/log/httpd/ssl_access_log <==
xxx.xx.xxx.xx - rballest [20/Oct/2011:11:10:25 -0400] "GET / HTTP/1.1" 401 129

==> /var/log/httpd/ssl_request_log <==
[20/Oct/2011:11:10:25 -0400] xxx.xx.xxx.xx TLSv1 AES128-SHA "GET / HTTP/1.1" 129

Here are the related lines in my httpd conf:

    <Directory "/">
        Order Allow,Deny
        Allow from all

        # http://httpd.apache.org/docs/current/mod/core.html#authtype

        AuthType Kerberos

        KrbServiceName HTTP
        KrbAuthRealms REALM.DOMAIN.COM
        Krb5Keytab /etc/httpd/mykeytab.keytab
        KrbMethodNegotiate on
        #KrbMethodK5Passwd on
        KrbMethodK5Passwd off
        KrbSaveCredentials on

        # This removes the @REALM
        KrbLocalUserMapping on

        #Require valid-user

        # LDAP AUTH
        #AuthType Basic
        AuthBasicProvider ldap
        AuthName "Domain Credentials"

        # this authorizes users with ldap
        #AuthzLDAPAuthoritative on

        # tls  port 636
        # text port 389

        # userPrincipalName will require user to input userid like:
        # username@subdomain.domain.com

        # sAMAccountName will require user to input userid like:
        # username

        AuthLDAPUrl "ldaps://adserver.subdomain.domain.com/CN=Users,DC=subdomain,DC=domain,DC=com?sAMAccountName"

        AuthLDAPBindDN "bind-id@subdomain.domain.com"
        AuthLDAPBindPassword "password"
        AuthLDAPRemoteUserIsDN on
        AuthLDAPGroupAttributeIsDN on

        # require one of the following groups
        Require ldap-group CN=group1,CN=Users,DC=subdomain,DC=domain,DC=com

    </Directory>

    ErrorDocument 401 "<html><h1>Awstats Portal</h1><h2>Sorry, you don't have permission</h2>contact webmaster@domain.com for access or information</html>"

EDIT:

A bigger 401 error message didn't help; same issue. I also turned off "Show friendly HTTP error messages" in my IE browser. If I use pure LDAP-only authentication, the same 401 error message shows up fine in both browsers. When I use Kerberos, only Firefox shows the error message.

Best Answer

Make your ErrorDocument string longer; pad it with whitespace.

Internet Explorer ignores custom error pages smaller than 256 or 512 bytes, depending on which status code is returned.
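Two things on this page are worth checking mechanically: the two 401 entries in the access log (the first, with no user, is the Negotiate challenge; the second, with the mapped user name, is the "authenticated but not in the group" denial), and the size of the 401 body, which at 129 bytes is below the threshold the answer describes. The following script is an added example, not from the question or answer above; it parses the log lines quoted in the question, classifies the 401s, and pads an ErrorDocument string so that it reaches a minimum byte length. The 512-byte figure is an assumption taken as the conservative end of the "256 or 512" range stated in the answer.

```python
import re

# Apache access-log line in the shape quoted in the question:
# host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumption: use the larger of the two thresholds the answer mentions
# (256 or 512 bytes) so the padded page is safe for either case.
IE_MIN_ERROR_BODY = 512

# Constructed sample: the access_log lines from the question plus one
# ssl_request_log line, which has a different layout and must be skipped.
SAMPLE_LOG = [
    'xxx.xx.xxx.xx - - [20/Oct/2011:11:10:25 -0400] "GET / HTTP/1.1" 401 129',
    '[20/Oct/2011:11:10:25 -0400] xxx.xx.xxx.xx TLSv1 AES128-SHA "GET / HTTP/1.1" 129',
    'xxx.xx.xxx.xx - rballest [20/Oct/2011:11:10:25 -0400] "GET / HTTP/1.1" 401 129',
]

# The ErrorDocument body from the question's httpd conf.
ERROR_DOC = ('<html><h1>Awstats Portal</h1><h2>Sorry, you don\'t have permission</h2>'
             'contact webmaster@domain.com for access or information</html>')


def parse_line(line):
    """Return a dict for an access-log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['size'] = 0 if entry['size'] == '-' else int(entry['size'])
    return entry


def classify_401s(lines):
    """Label each 401: no user means the server issued the Negotiate
    challenge; a user name means Kerberos succeeded and the Require
    (group) check is what denied access."""
    out = []
    for entry in filter(None, map(parse_line, lines)):
        if entry['status'] != 401:
            continue
        kind = 'negotiate-challenge' if entry['user'] == '-' else 'authz-denied'
        out.append({'host': entry['host'], 'user': entry['user'],
                    'request': entry['request'], 'kind': kind,
                    'size': entry['size']})
    return out


def ie_will_hide_error_page(size):
    """True when the body is small enough for IE to substitute its own page."""
    return size < IE_MIN_ERROR_BODY


def pad_error_document(body, minimum=IE_MIN_ERROR_BODY):
    """Pad the body with an HTML comment of spaces, placed before the
    closing </html> if present, so the rendered page is unchanged but the
    byte count reaches the minimum."""
    deficit = minimum - len(body.encode('utf-8'))
    if deficit <= 0:
        return body
    filler = '<!--' + ' ' * max(deficit - 7, 0) + '-->'
    if body.endswith('</html>'):
        return body[:-len('</html>')] + filler + '</html>'
    return body + filler


if __name__ == '__main__':
    for e in classify_401s(SAMPLE_LOG):
        print(f"{e['host']} user={e['user']} {e['kind']} body={e['size']}B "
              f"ie_hides={ie_will_hide_error_page(e['size'])}")
    padded = pad_error_document(ERROR_DOC)
    print(f"padded ErrorDocument is {len(padded.encode())} bytes")
```

Run against the quoted log lines, the script reports the anonymous 401 as the challenge and the `rballest` 401 as the group denial, which is the "fetches twice" behaviour in the question: IE answers the challenge with a Negotiate token, so the second request is the one that actually hits the `Require ldap-group` check. The padded string can be dropped into `ErrorDocument 401 "..."` in place of the original.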