Red Hat Identity Management Issues

Hello,

I've been trying to configure the Red Hat Identity Management Server 2.2.0 for Red Hat 6.3 and I've been running into some weird issues with the web GUI.

We've been trying to access the web GUI from Firefox and IE (IE on the Windows side of course) and we are getting intermittent results on the IE side from multiple workstations/servers.

The workstations are running IE7 on Windows XP SP3 and the servers are running IE7 on Windows Server 2003 SP2.

At one moment we are able to log on to the web GUI (https://server_name/ipa/ui, https://ip_address/ipa/ui, server_name) and then 30 minutes later we are unable to log in.

We've tried running IE8 on Windows Server 2008 also with the same results.

Under the /user/share/ipa/ipa.conf I changed the krbMethodK5Passwd option to off so it asks for a username and password, but other than that I've changed nothing concerning the web GUI.

Any thoughts on this?

Responses

Hello,

By default, the IPA Web UI uses Kerberos Negotiate to perform a single sign-on login. This is handled automatically in Firefox if it is properly configured and you have a TGT.

There are some cases where this is not possible, such as an unsupported browser or operating system (Windows for example).

Configuring username/password authentication for the UI allows users to log in even if there are problems with the Kerberos service.

Open the ipa.conf file used by the Apache web service.

# vim /etc/httpd/conf.d/ipa.conf

In the <Location "/ipa"> location definition, change the KrbMethodK5Passwd attribute from off to on.

KrbMethodK5Passwd on

Restart the httpd service:

# service httpd restart

The web server will first attempt to use Kerberos Negotiate to log the user in. If that fails then the user will be presented with a login prompt.

Also ensure that the IPA CA cert is also installed in the browser.

Hope this helps.

Best Regards,

Nirupama
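
Added example, not part of the reply above and not Red Hat's own tooling: a shell helper that reads back what KrbMethodNegotiate and KrbMethodK5Passwd are set to inside the <Location "/ipa"> block, so the edit can be confirmed before restarting httpd. The function names are hypothetical and the sample configuration is constructed for illustration; it is not the ipa.conf shipped with IPA.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the thread).
# krb_directive FILE LOCATION DIRECTIVE
# Prints the value set directly inside <Location "LOCATION">; exit 1 if unset.
# It does not follow Include lines or model Apache's section merging.
krb_directive() {
    awk -v loc="$2" -v dir="$3" '
        BEGIN { want = tolower(dir); inblock = 0; val = "" }
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }                 # commented-out directives do not count
        low ~ /^<location[ \t]/ {           # opening tag: extract the quoted path
            p = line
            sub(/^<[^ \t]+[ \t]+/, "", p)
            sub(/>[ \t]*$/, "", p)
            gsub(/"/, "", p)
            inblock = (p == loc)
            next
        }
        low ~ /^<\/location>/ { inblock = 0; next }
        inblock {
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == want) val = tolower(f[2])  # last wins
        }
        END { if (val == "") exit 1; print val }
    ' "$1"
}

# Constructed sample for illustration; not the file shipped with IPA.
sample_ipa_conf() {
    cat <<'EOF'
<Location "/ipa">
  AuthType Kerberos
  KrbMethodNegotiate on
  # KrbMethodK5Passwd on
  KrbMethodK5Passwd off
  Require valid-user
</Location>
<Location "/ipa/ui">
  Satisfy Any
</Location>
EOF
}

# Stand-alone use: sh check.sh /etc/httpd/conf.d/ipa.conf
if [ "$#" -eq 1 ]; then
    for d in KrbMethodNegotiate KrbMethodK5Passwd; do
        printf '%s: %s\n' "$d" "$(krb_directive "$1" /ipa "$d" || echo 'not set')"
    done
fi
```

With Negotiate reported as on and K5Passwd as on, the behaviour described in the reply applies: Negotiate is tried first and the password prompt is the fallback.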

Hello Nirupama,

Thank you for your suggestion, but I completely forgot to put the issue. Sorry about that.

The issue is that, more often than not, when trying to access the IPA web GUI from another workstation/server using IE 7/8, it comes up with the "Internet Explorer cannot display the webpage" error. This is not a consistent error, which is weird. I won't change anything and all of a sudden it will work, then 30 minutes later it won't work.

The IE configuration is the same on all of our workstations and servers. They also all have the same version of JRE installed.

Hello,

You have mentioned that the issue is randomly/inconsistently occurring. Does clearing the cache or cookies from IE fix it?

Is the IPA server reachable/pingable when the issue occurs?

Could you please ensure this network issue while accessing the IPA GUI?

Nirupama

I've tried clearing all internet temp files from IE, still nothing.

The IPA is pingable from all workstations/servers when unable to access the web GUI.

Do you know of a way to disable the secure http connection on IPA so it only uses http instead of https?

Hello,

It is not a good idea to use the IPA web interface via http instead of https. SSL/TLS is a requirement to avoid man-in-the-middle attacks.

Also, if you don't do any actions for 30 mins, you will lose the session; it is designed that way.

Hope this helps.

Best Regards,

Nirupama

The network that I am working on is a closed LAN, so I am not worried about that.

Yeah, I know about the session closing out after a certain amount of inactive time.

I could be doing something for 15-20 minutes, log out of the IPA Web GUI, then try to log back in 10 minutes later, with IE stating that it can't "Display the webpage". Obviously it can display the webpage since it did moments earlier. I can then go to my Firefox session on the IPA server and still see that it is running, so the services are still up and running fine.

Obviously something is wrong in one of my config files for IPA, or something is wrong with the IPA software being able to allow connections from IE.