README misleading about how Negotiate works

[slominskir]

Discussed in #293

^{Originally posted by slominskir January 9, 2024}
The README says:

mod_auth_gssapi/README

Lines 77 to 87 in 796000a

	### gssapi-no-negotiate
	This environment variable is used to suppress setting Negotiate headers. Not
	sending these headers is useful to work around browsers that do not handle
	them properly (and incorrectly show authentication popups to users).
	#### Example
	For instance, to suppress negotiation on Windows browsers, one could set:
	BrowserMatch Windows gssapi-no-negotiate

The example effectively disables mod_auth_gssapi for Windows clients, which turns out to often be a reasonable thing to do, but isn't explained and instead suggests that the Windows browsers don't work properly, when in fact, they're dutifully working as originally designed (by Microsoft).

The www-authenticate: Negotiate behavior is hinted at here, but also not explained particularly well:

mod_auth_gssapi/README

Lines 405 to 427 in 796000a

	### GssapiNegotiateOnce
	When this option is enabled the Negotiate header will not be resent if
	Negotiation has already been attempted but failed.
	Normally when a client fails to use Negotiate authentication, a HTTP 401
	response is returned with a WWW-Authenticate: Negotiate header, implying that
	the client can retry to use Negotiate with different credentials or a
	different mechanism.
	Consider enabling GssapiNegotiateOnce when only one single sign on mechanism
	is allowed, or when GssapiBasicAuth is enabled.
	**NOTE:** if the initial Negotiate attempt fails, some browsers will fallback
	to other Negotiate mechanisms, prompting the user for login credentials and
	reattempting negotiation. This situation can mislead users - for example if
	krb5 authentication failed and no other mechanisms are allowed, a user could
	be prompted for login information even though any login information provided
	cannot succeed. When this occurs, some browsers will not fall back to a Basic
	Auth mechanism. Enable GssapiNegotiateOnce to avoid this situation.
	- **Enable with:** GssapiNegotiateOnce On
	- **Default:** GssapiNegotiateOnce Off

The missing information is troubling because a substantial number of browsers (Windows browsers such as Edge and Chrome) are affected by this behavior and it is a detail that should be front and center before someone invests time into setting up mod_auth_gssapi.

My understanding is this module supports Microsoft's IANA registered Negotiate auth scheme, which turns out to be very problematic. It is defined in RFC4559, and relies on RFC2478. The Negotiate scheme is designed to first try Kerberos and then fall back onto NTLM unless the client browser has disabled NTLM. Turns out Firefox defaults to disabling NTML on all OSes whereas on Windows OS Chrome and Edge default to the OS settings (which generally default to NTLM enabled).

Ideally default behavior on all browsers on all platforms would be to ignore NTLM. That hasn't happened yet, but Microsoft is starting to phase NTLM out in Windows 11 with IAKerb.

See Also:

• Docs are misleading about mixed domain Kerberos SPNEGO keycloak/keycloak#16981
• https://bugs.chromium.org/p/chromium/issues/detail?id=458369