IdStory Identity Manager

More info: the admin is logged into his computer with the same login as he uses for IdM.
I tried to simulate this in Firefox with modifying headers, no success yet.

I couldn't reproduce the issue entirely, but there is definitely something broken in the combination "Kerberos SSO by Negotiate in Apache" + "Internet Explorer 11 in AD domain". The problem (at least for me) isn't in the IdM backend, because the behavior is the same even if the SSO filter is disabled.

If Kerberos Negotiation is enabled in Apache ("KrbMethodNegotiate On" in virtualhosts.conf), then I get Network request failed message after session timeout. I'm not logged out automatically. But when I click on the logout button, then I get to login page. See "IE_session_timeout_with_icons.png". Sometimes I don't see the logout icon ("IE_session_timeout_without_icons.png"), but it can still be clicked. I don't know why the icons sometimes aren't displayed, I have fonts enabled in Internet Options for trusted sites (https://wiki.czechidm.com/_media/devel/documentation/fontdisable02.png).

The message "Network request failed" is displayed also during login, if I use wrong password - see IE_login_with_negotiate.png.

The response from the backend is 401 for both cases. But in Developer tools of IE the request is Aborted - without response code.

If Kerbers Negotiation is disabled in Apache (just by "KrbMethodNegotiate Off"), then the response after timeout is correct. I'm redirected to the login modal dialog with "Session timeout" - see IE_session_timeout_without_negotiate.png.

Also during login with wrong password I can see correct error message - see IE_login_without_negotiate.png. The response 401 gets correctly to the frontend.

I didn't test Negotiate for Firefox, because I don't have it in our testing domain server, so I can't test Negotiate method in Firefox.

The inability to logout (= if I logout, I'm logged in immediately) can be reproduced, if your user has the same password in AD domain and in IdM, and Apache Kerberos enables Basic Auth ("KrbMethodK5Passwd On") and disables Negotiate ("KrbMethodNegotiate Off"). Then he is continually logged in by our BasicIdmAuthenticationFilter. However, I don't see any error messages as Vláďa described.

TLDR¶

The problems is either in frontend, or in Apache Kerberos configuration, or in Internet Explorer options.

To narrow it down, please switch off our Basic Auth filter:

idm.sec.core.authentication-filter.eu-bcvsolutions-idm-core-security-auth-filter-basicidmauthenticationfilter.enabled=false

Also check, if you can click on the Logout button in the right upper corner when you get the error you describe.

I'm closing this obsolete ticket.