The solution was unexpected. See below.
On Tue, 23 Aug 2011, Paul Heinlein wrote:
> I migrated our internal wiki server last week, and some IE users aren't able to authenticate.
> The service is hosted by Apache using Digest authentication. It migrated from Apache 2.2.9 (Debian 5) to Apache 2.2.15 (CentOS 6). The internal hostname for the wiki server is a DNS CNAME that was repointed from one host to another during the cutover.
> In a normal session,
> - Client sends GET
> - Server sends 401 with WWW-Authenticate header
> - Client sends GET with Authorization header
> - Server sends 200 with Authentication-Info header and page content
> When using IE 9 (and possibly 8, I'm still trying to track that down),
> - Client sends GET
> - Server sends 401 with WWW-Authenticate header
> - Client resends GET (*without* Authorization header)
> - Server sends 401 with WWW-Authenticate header
> - Etc.
> IE seems to be ignoring 401 and/or the WWW-Authenticate headers. Using Chrome on Windows works fine; the issues are specific to IE.
> Any ideas? My google-fu has failed me.
This vexed me for many months. Most of my colleagues didn't mind running Chrome or Firefox, both of which worked fine, but those who had IE set as their default browser had to copy/paste links in e-mail messages rather than just click on them.
I was revisiting the problem again today as a result of working on a Windows 8 system for the first time. (Yeccchhh.)
I followed an unpromising link from a Google query:
http://serverfault.com/questions/389514/apache-without-any-error-page
One responder mentioned that IE sometimes "knows better than the server" when it comes to error pages. Hmm. Since Apache was providing a 401 Authorization Required response, I somewhat desperately commented out the ErrorDocument 401 directive in httpd.conf.
And that did the trick, though not for the reasons mentioned by the poster in the link above.
I'll note that our server was set up such that authentication was required for the entire virtual host (including, of course, the /error/ tree). The Apache HTML response seemed to indicate dueling 401 errors. Here's the curl output, reformatted for readability:
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
    <head>
      <title>401 Authorization Required</title>
    </head>
    <body>
      <h1>Authorization Required</h1>
      <p>
        This server could not verify that you are authorized to access
        the document requested. Either you supplied the wrong credentials
        (e.g., bad password), or your browser doesn't understand how to
        supply the credentials required.
      </p>
      <p>
        Additionally, a 401 Authorization Required error was encountered
        while trying to use an ErrorDocument to handle the request.
      </p>
      <hr>
      <address>Apache/2.2.15 (CentOS) Server ...</address>
    </body>
    </html>
And here's the corresponding WWW-Authenticate header, edited:
WWW-Authenticate: Digest realm="OUR REALM", nonce="qh...21", algorithm=MD5, domain="/", qop="auth", Digest realm="OUR REALM", nonce="qh...21", algorithm=MD5, domain="/", qop="auth"
Apache was sending the header with two copies of the key-value pairs, indicated by the "Additionally, a 401 ..." paragraph in the error reply. IE was the only browser that responded badly, so it was easy to look askance at Microsoft, but the problem is certainly more subtle than I originally imagined.
Once I commented out the ErrorDocument 401 directive, the second paragraph no longer showed up in curl output and the WWW-Authenticate header contained just one set of key-value pairs -- and IE worked fine.
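
Added example, not part of the original message and not code from Apache or any other project: a small Python check that splits a WWW-Authenticate value into its challenges and reports any challenge repeated verbatim, which is the symptom described above. The function names are hypothetical; the sample header is the edited one quoted in the message, with its nonce still elided.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"        # RFC 7230 token characters
QUOTED = r'"(?:[^"\\]|\\.)*"'                   # quoted-string, may contain commas
ITEM = re.compile(rf'(?:[^,"]|{QUOTED})+')      # pieces between commas outside quotes
NEW_CHALLENGE = re.compile(rf"^({TOKEN})\s+(?!=)(.*)$", re.S)
PARAM = re.compile(rf"^({TOKEN})\s*=\s*({QUOTED}|{TOKEN})$")

def parse_challenges(value):
    """Return [(scheme, {param: value}), ...] for one WWW-Authenticate value."""
    challenges = []
    for item in (m.group(0).strip() for m in ITEM.finditer(value)):
        start = NEW_CHALLENGE.match(item)
        if start:                               # "Digest realm=..." opens a challenge
            challenges.append((start.group(1), {}))
            item = start.group(2).strip()
        param = PARAM.match(item)
        if param and challenges:                # auth-param of the current challenge
            name, val = param.group(1).lower(), param.group(2)
            if val.startswith('"'):
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            challenges[-1][1][name] = val
        elif re.fullmatch(TOKEN, item):         # bare scheme with no parameters
            challenges.append((item, {}))
    return challenges

def duplicate_challenges(value):
    """Return each challenge that occurs more than once with identical parameters."""
    seen, dupes = [], []
    for challenge in parse_challenges(value):
        if challenge in seen and challenge not in dupes:
            dupes.append(challenge)
        seen.append(challenge)
    return dupes

# Header value as quoted in the message (nonce elided there, kept as-is).
DOUBLED = ('Digest realm="OUR REALM", nonce="qh...21", algorithm=MD5, domain="/", '
           'qop="auth", Digest realm="OUR REALM", nonce="qh...21", algorithm=MD5, '
           'domain="/", qop="auth"')
# Constructed: the same challenge sent once, as after the ErrorDocument change.
SINGLE = 'Digest realm="OUR REALM", nonce="qh...21", algorithm=MD5, domain="/", qop="auth"'

if __name__ == "__main__":
    for label, header in (("doubled", DOUBLED), ("single", SINGLE)):
        dupes = duplicate_challenges(header)
        print(label, "->", len(parse_challenges(header)), "challenge(s),",
              "duplicates:", [scheme for scheme, _ in dupes] or "none")
```

Feeding it the header value captured with curl from a protected URL shows whether the server is emitting a repeated challenge before any browser is involved.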