Microsoft Edge (Chromium based) not prompting for logons


Dave Ford-2
We've set up our Tomcat Manager to use LDAP for authentication - (note,
this is not MS AD, but a Linux-based LDAP server). The OS our tomcat
servers are running on is Linux and they're not integrated with our AD
domain in any way at all.

Our users have been happily logging into the Tomcat manager app using
various web browsers for some time - they get prompted for a username
and password, they provide their credentials (which is the same user
name and password as they're currently logged onto windows with, but
with no domain\ or @domain info in the username), they're checked
against LDAP servers, and are let into the app assuming they're
allowed.

However, we've recently received reports that some of our users who
have had their Windows machines' copies of Edge upgraded to the latest
version are no longer being prompted for credentials.  Instead, they're
directed immediately to a 401 unauthorised message. Other browsers,
including Chrome, still prompt.

We've changed nothing at the tomcat end, so this is clearly a problem
with the behaviour of Edge - but I'm keen to try and understand it.

I can't find any useful information in the tomcat logs - is it possible
to turn up the logging for the manager app to see exactly what
credentials (well, username) is being passed by Edge to it?

Thanks
Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Microsoft Edge (Chromium based) not prompting for logons

Mark Thomas-2
On 11/09/2020 21:29, Dave Ford wrote:

<snip/>

> I can't find any useful information in the tomcat logs - is it possible
> to turn up the logging for the manager app to see exactly what
> credentials (well, username) is being passed by Edge to it?

If the user isn't authenticated, the request doesn't get as far as the
app. Authentication happens in the Realm (assuming you are using Tomcat
provided authentication.)

Looking at the Realm level logging, you'd need to enable TRACE logging
and even then, there isn't anything to tie the log messages to a
specific request.

Given the description, it sounds like you are using BASIC
authentication. Logging the Authorization header in the access log is
probably the simplest option in that case.

If possible, I'd visit one of the affected users and take a look at the
HTTP headers in the request and response.

HTH,

Mark
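
The access-log approach suggested above can be checked offline with a small parser. This is an added example, not part of the original thread: it assumes the AccessLogValve pattern `%h %l %u %t "%r" %s %b "%{Authorization}i"` (the thread gives no pattern), uses constructed log lines, and keeps only the scheme and username because a Basic header carries the password in reversible base64.

```python
import base64
import re

# Assumed AccessLogValve pattern (not given in the thread):
#   %h %l %u %t "%r" %s %b "%{Authorization}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$'
)

# Constructed sample: .10 answers the Basic challenge, .20 never does.
_TOKEN = base64.b64encode(b"jsmith:example-pw").decode()
SAMPLE_LOG = f"""\
192.0.2.10 - - [14/Sep/2020:09:00:01 +0100] "GET /manager/html HTTP/1.1" 401 2473 "-"
192.0.2.10 - jsmith [14/Sep/2020:09:00:07 +0100] "GET /manager/html HTTP/1.1" 200 15230 "Basic {_TOKEN}"
192.0.2.20 - - [14/Sep/2020:09:01:12 +0100] "GET /manager/html HTTP/1.1" 401 2473 "-"
192.0.2.20 - - [14/Sep/2020:09:01:15 +0100] "GET /manager/html HTTP/1.1" 401 2473 "-"
"""

def parse_line(line):
    """Return host, status, auth scheme and username; the password is never kept."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    scheme, user = None, None
    auth = m.group("auth")
    if auth not in ("", "-"):                 # "-" means no header was sent
        scheme, _, token = auth.partition(" ")
        scheme = scheme.lower()
        if scheme == "basic":
            try:
                decoded = base64.b64decode(token, validate=True)
                user = decoded.decode("utf-8", "replace").partition(":")[0]
            except ValueError:                # malformed base64
                user = "<undecodable>"
    return {"host": m.group("host"), "status": int(m.group("status")),
            "scheme": scheme, "user": user}

def hosts_never_answering(log_text):
    """Hosts whose every request was a 401 with no Authorization header."""
    by_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_host.setdefault(rec["host"], []).append(rec)
    return sorted(h for h, recs in by_host.items()
                  if all(r["status"] == 401 and r["scheme"] is None for r in recs))
```

The raw access log still holds the encoded passwords while this pattern is active, so restrict who can read it and drop the header from the pattern once the diagnosis is done.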


Re: Microsoft Edge (Chromium based) not prompting for logons

Christopher Schultz-2

Dave,

On 9/11/20 16:29, Dave Ford wrote:

> We've set up our Tomcat Manager to use LDAP for authentication -
> (note, this is not MS AD, but a Linux-based LDAP server). The OS our
> tomcat servers are running on is Linux and they're not integrated
> with our AD domain in any way at all.
>
> Our users have been happily logging into the Tomcat manager app
> using various web browsers for some time - they get prompted for a
> username and password, they provide their credentials (which is the
> same user name and password as they're currently logged onto
> windows with, but with no domain\ or @domain info in the username),
> they're checked against LDAP servers, and are let into the app
> assuming they're allowed.
>
> However, we've recently received reports that some of our users
> who have had their Windows machines' copies of Edge upgraded to the
> latest version are no longer being prompted for credentials.
> Instead, they're directed immediately to a 401 unauthorised
> message. Other browsers, including Chrome, still prompt.
>
> We've changed nothing at the tomcat end, so this is clearly a
> problem with the behaviour of Edge - but I'm keen to try and
> understand it.

Are you using HTTP or HTTPS?

> I can't find any useful information in the tomcat logs - is it
> possible to turn up the logging for the manager app to see exactly
> what credentials (well, username) is being passed by Edge to it?

This may be a bug in Edge or something having to do with
authentication policies. Microsoft has been actively trying to kill
HTTP Basic authentication for a while.

https://answers.microsoft.com/en-us/microsoftedge/forum/all/latest-version-of-edge-no-longer-shows-basic/3601252b-e56b-46c0-a088-0f6084eabe47

TLDR: visit edge://policy in Edge and look for AuthSchemes. If the
value doesn't include "basic", add it and re-try.

Hope that helps,
-chris

Re: Microsoft Edge (Chromium based) not prompting for logons

Dave Ford-2
On Mon, 2020-09-14 at 09:12 -0400, Christopher Schultz wrote:
> Are you using HTTP or HTTPS?

HTTPS.


> TLDR: visit edge://policy in Edge and look for AuthSchemes. If the
> value doesn't include "basic", add it and re-try.

Yeah, that was it - I wasn't able to change our Edge settings - that's
locked down by others.  Finding out where to change the authentication
methods at the tomcat end was a bit harder than I hoped - I'd assumed
it was in the tomcat server area, rather than the application itself,
which explains why I wasn't able to find much in the documentation - I
was looking at the wrong place.

Thanks very much - got a route forward through this now
Thanks
Dave

