Welcome To Support Community

Pipeline Pilot and BIOVIA Foundation

Advanced Search
Ask Search:
peter.schmidtkepeter.schmidtke 

kerberos authentication issues

I am currently setting up a PP 2017R2 server with LDAP connected authentication by using Kerberos on a RHEL 7 machine. Kerberos has been configured on the system and is working just fine (I can login with my AD accounts on the linux box).
In the Authentication/Security Settings of the Pipeline Pilot server I clicked Allow SPNEGO (Kerberos) and didn’t change any other settings.
 
I can now login to the Server with my pipeline Pilot Client with my AD credentials.
 
However, when I want to access the admin page for example (or whatever other web resource) I get a popup window asking me to authentify (screenshot attached)

I tried every possible login/pw local and AD account and nothing works. I can only click cancel and the popup disappears and then I can use the classical web login (shown below the popup) where authentication works.
I noticed that this popup only shows up when I activate the Kerberos Authentication in the PP admin page.
How can I get rid of this authentication Popup ?
 
Thanks in advance

Peter
Best Answer chosen by peter.schmidtke
Stephen PickettStephen Pickett
Hi Peter
We had the same issue when this setting was on with previous versions of PP. We use PAM to access our LDAP rather than touching the default machine authentication. In this case you can turn off Kerberos and the pop up disappears.
Stephen

All Answers

Stephen PickettStephen Pickett
Hi Peter
We had the same issue when this setting was on with previous versions of PP. We use PAM to access our LDAP rather than touching the default machine authentication. In this case you can turn off Kerberos and the pop up disappears.
Stephen
This was selected as the best answer
LynnLynn (Accelrys) 
When you use SPNEGO the system first tries to authenticate with a Kerberos ticket and if it fails (or if you are connecting localhost) it falls back to NTLM. The Windows Security dialog on your web client typically gets displayed if it is falling back to NTLM either because there was a problem with the Kerberos ticket itself or there was a security setting in IE that prevented it from being automatically used.  You can typically overcome this by following the Client Configuration suggestions found in the admin on-line help topic Authentication Overview > Kerberos via SPNEGO. I am pasting some key details from this section below.

Client Configuration

To use Internet Explorer:

 1.Add the server as a trusted site (Tools > Internet Options > Security > Trusted Sites > Custom Level > User Authentication > Logon).
 2.Select Automatic logon with current user name and password.
 3.If your server is already part of the Local Intranet, select Automatic logon only in Intranet zone.

To configure Chrome:

  • Internet Explorer configuration will also allow Chrome to work with SPNEGO authentication, since it uses the Windows settings.

To configure Firefox:

 1.Browse to "about:config".
 2.Note the filter at the top of the page to help you find specific settings.
 3.Add the server names to the following preferences:

network.negotiate-auth.trusted-uris

network.automatic-ntlm-auth.trusted-uris

peter.schmidtkepeter.schmidtke
Hi Stephen & Lynn,

I indeed used Stephens suggestion with success. Thanks again for the advice.


Peter