Centrify for Apache - silent authentication, works in Chrome but not IE8, get a login box


We are trying to set up single sign on / silent authentication via Apache 2.2.21 RHEL5.

Using Chrome, it works fine - accesses web pages, no login box, but AD user credentials are available.

Using IE8 (company standard....), we get the login box - i.e. it's using Basic Auth - which, after login, shows the expected credentials.

The site is an intranet site and shows as such in the IE zone.

The apache config is as follows:

<VirtualHost ...:443>
...

SSLEngine on
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

SSLCertificateFile    ...
SSLCertificateKeyFile ...
SSLCACertificateFile  ...

<Location />
  AuthName "MarketView Web Access"
  AuthType CENTRIFYDC
  UseCache true
  EnableKerberosAuth true
  EnableNtlmAuth true
  EnableBasicAuth true
  SetAuthUserInfo httpheader
  Require valid-user
</Location>
</VirtualHost>

We have this Centrify module installed:

/usr/share/centrifydc/apache/lib64/mod_auth_centrifydc_22.so

Could it be an AD Policy for IE that's disabling it? Or is IE8 just not up to the job... Or using an old version...

2

There are 2 best solutions below

0
On BEST ANSWER

For me, the issue was this bit of config:

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

It disabled keep alive and downgrade for IE. Thus, it worked for Chrome, but not IE.

There were errors in the Apache error log - I should have seen them, doh!
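The conflict described in this answer can be checked for mechanically. The following is an added example, not code from the original post or from Centrify: it flags a BrowserMatch rule that sets nokeepalive, downgrade-1.0 or force-response-1.0 for a given User-Agent inside a virtual host that also enables NTLM or Kerberos authentication. The sample configuration, host name and User-Agent strings are constructed, and Python's re module stands in for Apache's regex engine.

```python
import re

# Constructed sample, modelled on the configuration shown in the question.
SAMPLE_CONF = r'''
<VirtualHost intranet.example:443>
SSLEngine on
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
<Location />
  AuthType CENTRIFYDC
  EnableKerberosAuth true
  EnableNtlmAuth true
  EnableBasicAuth true
</Location>
</VirtualHost>
'''
IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"  # constructed
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/30.0"   # constructed

# Variables that stop a client from keeping one HTTP/1.1 connection open.
# The NTLM handshake spans several requests on the same connection.
CONN_BREAKING = {"nokeepalive", "downgrade-1.0", "force-response-1.0"}
NEGOTIATED = re.compile(r"^\s*Enable(Ntlm|Kerberos)Auth\s+true\b", re.I | re.M)
VHOST = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)
BROWSERMATCH = re.compile(
    r'^\s*BrowserMatch(NoCase)?\s+("[^"]*"|\S+)\s+(.*)$', re.I | re.M)


def find_conflicts(conf_text, user_agent):
    """Return (pattern, variables) for each BrowserMatch rule that matches
    user_agent and sets connection-breaking variables inside a virtual host
    that also enables NTLM or Kerberos authentication."""
    findings = []
    # Fold backslash-newline continuations so each directive is one line.
    conf_text = re.sub(r"\\\r?\n\s*", " ", conf_text)
    for vhost in VHOST.findall(conf_text):
        if not NEGOTIATED.search(vhost):
            continue
        for nocase, pattern, variables in BROWSERMATCH.findall(vhost):
            pattern = pattern.strip('"')
            flags = re.I if nocase else 0
            hits = sorted(CONN_BREAKING & set(variables.split()))
            if hits and re.search(pattern, user_agent, flags):
                findings.append((pattern, hits))
    return findings
```
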

2
On

Internet Explorer must have Integrated Windows Authentication enabled to be able to do silent auth, and here are the steps:

Enable Integrated Windows Authentication

Use the following procedure to enable silent authentication on each computer.
1. Open Internet Explorer and select Tools > Internet Options
2. Click the Advanced tab.
3. Scroll down to the Security settings.
4. Check the Enable Integrated Windows Authentication box.
5. Restart IE

I know you mentioned that the site is an intranet site; I just thought I'd put the steps for adding the web server to the local intranet security zone here for you to verify. To configure the local intranet security zone in Internet Explorer:

  1. Open Internet Explorer and select Tools > Internet Options
  2. Click the Security tab.
  3. Click the Local intranet icon.
  4. Click Sites.
  5. Click Advanced.
  6. Type the URL for the Web site you want to make part of the local intranet, then click Add. You can use wildcards in the site address, for example, *://*.mycompany.com. When you are finished adding URLs or URL patterns, click Close.
  7. Click OK to accept the local intranet configuration settings, then click OK to close the Internet Options dialog box.

Please let me know if you need more information. Shin