My Custom 401 error page gets served by Apache for firefox by not IE.
I'm using Kerberos authentication and ldap group Authorization.
Basically if a user is not in the proper group I'd like the 401 error page to show. This is working properly with firefox but not IE.
Additionally it looks like IE browser is trying to fetch the resource twice, as opposed to firefox which fetches the resource once and displays the proper error message.
==> /var/log/httpd/ssl_access_log <==
xxx.xx.xxx.xx - - [20/Oct/2011:11:10:25 -0400] "GET / HTTP/1.1" 401 129
==> /var/log/httpd/ssl_request_log <==
[20/Oct/2011:11:10:25 -0400] xxx.xx.xxx.xx TLSv1 AES128-SHA "GET / HTTP/1.1" 129
==> /var/log/httpd/ssl_access_log <==
xxx.xx.xxx.xx - rballest [20/Oct/2011:11:10:25 -0400] "GET / HTTP/1.1" 401 129
==> /var/log/httpd/ssl_request_log <==
[20/Oct/2011:11:10:25 -0400] xxx.xx.xxx.xx TLSv1 AES128-SHA "GET / HTTP/1.1" 129
Here is the related lines in my httpd conf:
<Directory "/">
Order Allow,Deny
Allow from all
# http://httpd.apache.org/docs/current/mod/core.html#authtype
AuthType Kerberos
KrbServiceName HTTP
KrbAuthRealms REALM.DOMAIN.COM
Krb5Keytab /etc/httpd/mykeytab.keytab
KrbMethodNegotiate on
#KrbMethodK5Passwd on
KrbMethodK5Passwd off
KrbSaveCredentials on
# This removes the @REALM
KrbLocalUserMapping on
#Require valid-user
# LDAP AUTH
#AuthType Basic
AuthBasicProvider ldap
AuthName "Domain Credentials"
# this authorizes users with ldap
#AuthzLDAPAuthoritative on
# tls port 636
# text port 389
# userPrincipalName will require user to input userid like:
# [email protected]
# sAMAccountName will require user to input userid like:
# username
AuthLDAPUrl "ldaps://adserver.subdomain.domain.com/CN=Users,DC=subdomain,DC=domain,DC=com?sAMAccountName"
AuthLDAPBindDN "[email protected]"
AuthLDAPBindPassword "password"
AuthLDAPRemoteUserIsDN on
AuthLDAPGroupAttributeIsDN on
# require one of the following groups
Require ldap-group CN=group1,CN=Users,DC=subdomain,DC=domain,DC=com
</Directory>
ErrorDocument 401 "<html><h1>Awstats Portal</h1><h2>Sorry, you don't have permission</h2>contact [email protected] for access or information</html>"
EDIT:
A bigger 401 error message didn't help, same issue. I also turned off show "friendly http error messages" in my IE browser. If I use pure ldap only authentication the same 401 error message shows up fine in both browsers. When I use kerberos only firefox shows error message.