[CentOS] IE 9 not sending digest auth info

Thu Jan 10 23:44:01 UTC 2013
Paul Heinlein <heinlein at madboa.com>

The solution was unexpected. See below.

On Tue, 23 Aug 2011, Paul Heinlein wrote:

> I migrated our internal wiki server last week, and some IE users 
> aren't able to authenticate.
> The service is hosted by Apache using Digest authentication. It 
> migrated from Apache 2.2.9 (Debian 5) to Apache 2.2.15 (CentOS 6). 
> The internal hostname for the wiki server is a DNS CNAME that was 
> repointed from one host to another during the cutover.
> In a normal session,
> 1. Client sends GET
> 2. Server sends 401 with WWW-Authenticate header
> 3. Client sends GET with Authorization header
> 4. Server sends 200 with Authentication-Info header and page content
> When using IE 9 (and possibly 8, I'm still trying to track that down),
> 1. Client sends GET
> 2. Server sends 401 with WWW-Authenticate header
> 3. Client resends GET (*without* Authorization header)
> 4. Server sends 401 with WWW-Authenticate header
> 5. Etc.
> IE seems to be ignoring 401 and/or the WWW-Authenticate headers. 
> Using Chrome on Windows works fine; the issues are specific to IE.
> Any ideas? My google-fu has failed me.

This vexed me for many months. Most of my colleagues didn't mind
running Chrome or Firefox, both of which worked fine, but those who
had IE set as their default browser had to copy/paste links in e-mail
messages rather than just click on them.

I was revisiting the problem again today as a result of working on a
Windows 8 system for the first time. (Yeccchhh.)

I followed an unpromising link from a Google query:


One responder mentioned that IE sometimes "knows better than the
server" when it comes to error pages. Hmm. Since Apache was providing
a 401 Authorization Required response, I somewhat desperately
commented out the ErrorDocument 401 directive in httpd.conf.

And that did the trick, though not for the reasons mentioned by the
poster in the link above.

I'll note that our server was setup such that authentication was
required for the entire virtual host (including, of course, the
/error/ tree). The Apache HTML response seemed to indicate dueling 401
errors. Here's the curl output, reformatted for readability:

        <title>401 Authorization Required</title>
        <h1>Authorization Required</h1>
          This server could not verify that you
          are authorized to access the document
          requested.  Either you supplied the wrong
          credentials (e.g., bad password), or your
          browser doesn't understand how to supply
          the credentials required.
          Additionally, a 401 Authorization Required
          error was encountered while trying to use
          an ErrorDocument to handle the request.
        <address>Apache/2.2.15 (CentOS) Server ...</address>

And here's the corresponding WWW-Authenticate header, edited:

    Digest realm="OUR REALM", nonce="qh...21",
    algorithm=MD5, domain="/", qop="auth",
    Digest realm="OUR REALM", nonce="qh...21",
    algorithm=MD5, domain="/", qop="auth"

Apache was sending the header with two copies of the key-value pairs, 
indicated by the "Additionally, a 401 ..." paragraph in the error 
reply. IE was the only browser that responded badly, so it was easy to 
look askance at Microsoft, but the problem is certainly more subtle 
than I originally imagined.

Once I commented out the ErrorDocument 401 directive, the second 
paragraph no longer showed up in curl output and the WWW-Authenicate 
header contained just one set of key-value pairs -- and IE worked 

Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W