apache

IE11 on Win7: no password sent during Basic Authentication

Posted on by cly

Today I set up a download directory for one of our customers. I turned on basic authentication, gave a nice /=%27gujdw765 password and tried out from Firefox.
Everything worked. Then I tried via IE11. IE started to prompt me for credentials again and again.

I checked error log on webserver and found password mismatch messages. Tried again with same results.
Tried on my second machine with same results again.

I sent over the info to my deskmate. He tried the same in IE and it worked for him!
What the hell is happening to my machines?

I modified apache config to log Authorization header value: 

CustomLog ${APACHE_LOG_DIR}/access.log  "\"%{Authorization}i\""

Now from access log it becomes clear, that my IE does not send my password over the wire!
E.g. in case of typed user name “myuser” and password “blahblah”:

"Basic bXl1c2VyOgo="

I started some experiments and found that sometimes the password was sent sometimes not.
But why?

You will never guess.

Because I was copy&pasing that nice password via clipboard AND used Shift+Insert key combination for pasting!
When I was doing my experiments I was typing directly “12345” into password field and it was sent gracefully.
My deskmate was using Ctrl+V which was working too.
But no one was able to send the password pasted via Shift+Insert!

After these it was easy to find the official info: https://support.microsoft.com/en-us/kb/2547752
It is known problem since 2011 and there is a fix for it.
But why wasnt it distributed via Windows Update since then?

Drupal SSO: An unsupported mechanism was requested…

Posted on by cly

Here is a step that may help You to debug the error above.

Today I was setting up SSO on a Drupal page against MS AD. Something went wrong and I found the following message in site’s error_log:

gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

Let’s modify a little bit apache’s config, and add this to appropriate place (global or vhost level):

 LogLevel debug

Restart apache and check the log again:

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP/intranet.kesz.hu@KESZ.HU
Verifying client data using KRB5 GSS-API
Client didn't delegate us their credential
Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
GSS-API major_status:00010000, minor_status:00000000
gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

So the real problem was: Warning: received token seems to be NTLM, which isn’t supported by the Kerberos module. That is much more informative than the unknown error we had before!

Dont forget to set back LogLevel after You finished because the log file fast becomes really large…