[CentOS] IE 9 not sending digest auth info

Thu Jan 10 23:44:01 UTC 2013
Paul Heinlein <heinlein at madboa.com>

The solution was unexpected. See below.

On Tue, 23 Aug 2011, Paul Heinlein wrote:

> I migrated our internal wiki server last week, and some IE users 
> aren't able to authenticate.
>
> The service is hosted by Apache using Digest authentication. It 
> migrated from Apache 2.2.9 (Debian 5) to Apache 2.2.15 (CentOS 6). 
> The internal hostname for the wiki server is a DNS CNAME that was 
> repointed from one host to another during the cutover.
>
> In a normal session,
>
> 1. Client sends GET
> 2. Server sends 401 with WWW-Authenticate header
> 3. Client sends GET with Authorization header
> 4. Server sends 200 with Authentication-Info header and page content
>
> When using IE 9 (and possibly 8, I'm still trying to track that down),
>
> 1. Client sends GET
> 2. Server sends 401 with WWW-Authenticate header
> 3. Client resends GET (*without* Authorization header)
> 4. Server sends 401 with WWW-Authenticate header
> 5. Etc.
>
> IE seems to be ignoring 401 and/or the WWW-Authenticate headers. 
> Using Chrome on Windows works fine; the issues are specific to IE.
>
> Any ideas? My google-fu has failed me.

This vexed me for many months. Most of my colleagues didn't mind
running Chrome or Firefox, both of which worked fine, but those who
had IE set as their default browser had to copy/paste links in e-mail
messages rather than just click on them.

I was revisiting the problem again today as a result of working on a
Windows 8 system for the first time. (Yeccchhh.)

I followed an unpromising link from a Google query:

    http://serverfault.com/questions/389514/apache-without-any-error-page

One responder mentioned that IE sometimes "knows better than the
server" when it comes to error pages. Hmm. Since Apache was providing
a 401 Authorization Required response, I somewhat desperately
commented out the ErrorDocument 401 directive in httpd.conf.

And that did the trick, though not for the reasons mentioned by the
poster in the link above.

I'll note that our server was set up such that authentication was
required for the entire virtual host (including, of course, the
/error/ tree). The Apache HTML response seemed to indicate dueling 401
errors. Here's the curl output, reformatted for readability:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
      <head>
        <title>401 Authorization Required</title>
      </head>
      <body>
        <h1>Authorization Required</h1>
        <p>
          This server could not verify that you
          are authorized to access the document
          requested.  Either you supplied the wrong
          credentials (e.g., bad password), or your
          browser doesn't understand how to supply
          the credentials required.
        </p>
        <p>
          Additionally, a 401 Authorization Required
          error was encountered while trying to use
          an ErrorDocument to handle the request.
        </p>
        <hr>
        <address>Apache/2.2.15 (CentOS) Server ...</address>
      </body>
    </html>

And here's the corresponding WWW-Authenticate header, edited:

WWW-Authenticate:
    Digest realm="OUR REALM", nonce="qh...21",
    algorithm=MD5, domain="/", qop="auth",
    Digest realm="OUR REALM", nonce="qh...21",
    algorithm=MD5, domain="/", qop="auth"

Apache was sending the header with two copies of the key-value pairs, 
indicated by the "Additionally, a 401 ..." paragraph in the error 
reply. IE was the only browser that responded badly, so it was easy to 
look askance at Microsoft, but the problem is certainly more subtle 
than I originally imagined.

Once I commented out the ErrorDocument 401 directive, the second 
paragraph no longer showed up in curl output and the WWW-Authenticate 
header contained just one set of key-value pairs -- and IE worked 
fine.


-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
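
An added example, not part of Paul's message and not Apache code: a
small Python checker that reads a raw 401 response the way a client
would (for instance the output of `curl -si URL` saved to a file) and
flags the symptom described above, namely a WWW-Authenticate header
carrying two identical Digest challenges together with the
"Additionally, a 401 ..." paragraph that shows the ErrorDocument
handler itself tripped authentication. The two sample responses, the
realm and the nonce values are constructed for the example; the
hypothetical `diagnose_401` and `parse_challenges` helpers are mine.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: a 401 in the shape the post describes, where the
# ErrorDocument 401 handler lived inside the Digest-protected tree, so
# Apache emitted the challenge twice in one header. Realm/nonce are made up.
DOUBLED_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    'WWW-Authenticate: Digest realm="OUR REALM", nonce="c0ffee01", '
    'algorithm=MD5, domain="/", qop="auth", Digest realm="OUR REALM", '
    'nonce="c0ffee01", algorithm=MD5, domain="/", qop="auth"\r\n'
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Authorization Required</h1>"
    "<p>Additionally, a 401 Authorization Required error was encountered "
    "while trying to use an ErrorDocument to handle the request.</p>"
    "</body></html>"
)

# Constructed sample: the same server once ErrorDocument 401 is removed.
SINGLE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    'WWW-Authenticate: Digest realm="OUR REALM", nonce="c0ffee02", '
    'algorithm=MD5, domain="/", qop="auth"\r\n'
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body><h1>Authorization Required</h1></body></html>"
)

# RFC 7235 grammar pieces: auth-scheme is a token, auth-param is token "=" (token / quoted-string)
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_SCHEME_RE = re.compile(_TOKEN)
_PARAM_RE = re.compile(r"(" + _TOKEN + r')\s*=\s*("(?:[^"\\]|\\.)*"|' + _TOKEN + r")")


def _skip_separators(s: str, pos: int) -> int:
    """Advance past the whitespace and commas that separate params and challenges."""
    while pos < len(s) and s[pos] in " \t,":
        pos += 1
    return pos


def parse_challenges(value: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split one WWW-Authenticate value into (scheme, params) pairs.

    A header may carry several comma-separated challenges, so a bare token
    that is not followed by '=' starts a new challenge rather than being
    another parameter of the previous one.
    """
    challenges: List[Tuple[str, Dict[str, str]]] = []
    pos = 0
    while True:
        pos = _skip_separators(value, pos)
        if pos >= len(value):
            return challenges
        m = _SCHEME_RE.match(value, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}: {value[pos:pos + 20]!r}")
        scheme, pos = m.group(0), m.end()
        params: Dict[str, str] = {}
        while True:
            pm = _PARAM_RE.match(value, _skip_separators(value, pos))
            if not pm:
                break  # next token is a new scheme, or end of header
            name, raw = pm.group(1).lower(), pm.group(2)
            params[name] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
            pos = pm.end()
        challenges.append((scheme, params))


def diagnose_401(raw_response: str) -> Dict[str, object]:
    """Summarise a raw HTTP response: status, challenge count, and the two tell-tales."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    challenges: List[Tuple[str, Dict[str, str]]] = []
    for line in lines[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "www-authenticate":  # header may repeat, so collect all
            challenges.extend(parse_challenges(val.strip()))
    digests = [p for s, p in challenges if s.lower() == "digest"]
    return {
        "status": status,
        "challenge_count": len(challenges),
        # identical Digest challenges repeated is exactly what the post observed
        "duplicate_digest": len(digests) > 1 and all(p == digests[0] for p in digests),
        # Apache's own wording when the ErrorDocument handler also failed
        "errordocument_recursion": "while trying to use an ErrorDocument" in body,
    }


if __name__ == "__main__":
    # usage: python check401.py [saved-curl-si-output]; without a file, show both samples
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            print(diagnose_401(fh.read()))
    else:
        for label, sample in (("doubled", DOUBLED_401), ("single", SINGLE_401)):
            print(label, diagnose_401(sample))
```

A response that reports `duplicate_digest` and `errordocument_recursion`
both true points at the configuration in the post: an ErrorDocument 401
whose target is itself behind the same auth requirement. Removing the
directive is the fix the post used; on Apache 2.2 the other option is to
exempt the error tree with a `<Location /error/>` block containing
`Satisfy Any` and `Allow from all` (an alternative not covered by the
post).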