Asks twice for login on Cockpit (but not NethGUI) - one browser dialog + one normal login page

NethServer Version: 7.7.latest
Module: GUI @9090

For some reason, possibly due to some module install/remove (“applications”…), I lost single sign-on in the new GUI. The browser pops up a browser-based requester to enter credentials, and if I enter them, it takes me to the proper Cockpit login screen (asking for login in the bottom left of the window).

How can I fix this?

Seems I have the same issue with a fresh install.
I don’t know if it is related to activating Active Directory services on NS.
Can it be fixed?

I really don’t know where the browser auth comes from, never experienced this issue.

Do you use an authenticated proxy?

Do you use virtual hosts with HTTP auth?

1 Like

No proxy.
Actually my NS is still in a test virtual machine, so the host communicating with it is not even part of the test domain, nor using NS as gateway. Could this be the problem?

If host and VM are in different networks you may have to add the host network to trusted networks:

http://docs.nethserver.org/en/v7/base_system.html#trusted-networks

They are on the same IP subnet.
(the VM uses my real gateway and DNS)
That IP subnet is already in the trusted networks (not by me, it was added during setup).

I don’t think this is related to the web page asking twice for login (once using browser’s own dialog box and once by NS own login page).

Which browser do you use?

And what happens after you clear your browser cache and, if applicable, remove saved passwords?

Note: the subject "Single sign on" is misleading; it implies you need another password to log in to Cockpit…

1 Like

Chrome.
But now that you asked, I tried also Edge (note that I never visited that address with Edge before).
Same thing.

BUT discovered something else (by mistake, like all great discoveries)…
Actually entering WHATEVER for user or pass, on first pop-up (browser’s own dialog box), it just proceeds (nothing fails), to NS own login page.

So the first credential request, actually has no verification done.

Even more weird…

1 Like

It is really weird, just made a fresh install and can’t reproduce this issue…

  • Windows: Chromium Edge Firefox
  • Debian: Firefox

Must be something in my setup.
It is not serious, but it is weird.

I have the issue of (useless) browser dialog on Windows 10, Chrome 77.0.3865.90

Cheers.

As I (re)verified the issue is on Chrome and Edge.
Not on Firefox.

(IE doesn’t even work)

IE and Trident are quite old pieces of software. I don’t suggest using them with modern web applications…

It should be related to Kerberos, see https://github.com/cockpit-project/cockpit/issues/2164.

Since we already have the latest version available on CentOS, it’s probably an upstream regression or an unhandled client configuration.

@pike I don’t use IE. I just tested the issue on it.
@giacomo so it is something fixable? Browser side issue?

I don’t know, I encountered it only once on a very old Ubuntu with Firefox.
You should ask upstream, they also have an IRC channel!

Same here, fresh installation with Local AD domain, Webtop and Nextcloud.
It happened on a NG 7.6 too.

Edit:
Same thing happens in Nextcloud when you are logged as System Admin:

Log in as “System Admin” -> Click on your Avatar at the Top-Right corner then click on “Settings” -> Click on “Overview” under “Administration” on the left column -> Browser popup appears asking credentials

I noticed something.
The first dud login pop-up happens when the login page tries to query the name of the server.
Maybe this calls some unneeded security (that gets ignored anyway, as a simple enter works).
After I press enter the name of the server shows up and the normal login shows up.

With a self-signed certificate, on Windows 7 + Chrome 77 (and older), every time I open the browser and visit the Cockpit page a popup asks for user/password. When closing the popup without giving credentials (cancel) the browser console shows:

:9090/cockpit/login:1 Failed to load resource: the server responded with a status of 401 (Authentication required)

(index):410 GET https://FQDN:9090/cockpit/login 401(Authentication required)
C @ (index):410 // code line has: e.send();
e @ (index):389
load (async)
(anonymous) @ (index):772
(anonymous) @ (index):773

Same procedure but giving credentials:

(index):410 GET https://FQDN:9090/cockpit/login 401 (Authentication failed)
C @ (index):410
e @ (index):389
load (async)
(anonymous) @ (index):772
(anonymous) @ (index):773

and with an older version of Chrome:

:9090/cockpit/login:1 Failed to load resource: the server responded with a status of 401 (Invalid conversation token)

Browser request headers show: Sec-Fetch-Mode: cors

On Windows 7 + Firefox 69, no popup but same 401 error on console.
GNU/Linux+chromium 77 (and Firefox): no popup but 401 error on console:

(index):1 [DOM] Password field is not contained in a form: (More info: Create Amazing Password Forms) <input type="password" class="form-control" id="conversation-input">
(index):1 [DOM] Password field is not contained in a form: (More info: Create Amazing Password Forms) <input type="password" class="form-control" id="login-password-input">
(index):257 GET https://IP:9090/cockpit/login 401 (Authentication required)
C @ (index):257 // code line has: e.send();
e @ (index):236 // code line has: C();
load (async)
(anonymous) @ (index):619 // code line has: window.onload = e;
(anonymous) @ (index):620 // code line has: })(window.console);
(index):257 XHR failed loading: GET "https://IP:9090/cockpit/login".
C @ (index):257
e @ (index):236
load (async)
(anonymous) @ (index):619
(anonymous) @ (index):620

I don’t know if 401 is expected before login:

Here are older but similar error descriptions (chrome related):

http://voidcanvas.com/how-to-disable-browsers-default-login-prompt-on-401-response/

3 Likes
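The 401 responses traced in the post above can be checked for the `WWW-Authenticate` challenges that make a browser open its own credential dialog. The following is an added example, not part of the thread or of Cockpit's code; the response heads are constructed samples, and the set of schemes treated as prompt-triggering is an assumption, since actual prompting varies by browser and platform (as the Chrome/Edge versus Firefox reports here show).

```python
import re

# Assumption of this example: schemes a browser may answer with its own
# credential dialog. Whether it prompts varies by browser and platform.
NATIVE_PROMPT_SCHEMES = {"basic", "digest", "ntlm", "negotiate"}

# Constructed response heads (not captured from a real Cockpit server).
SAMPLE_NEGOTIATE = (
    "HTTP/1.1 401 Authentication required\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="example", charset="UTF-8"\r\n\r\n'
)
SAMPLE_CUSTOM = (
    "HTTP/1.1 401 Authentication required\r\n"
    "WWW-Authenticate: X-Example-Token abc123\r\n\r\n"
)
SAMPLE_BARE_401 = "HTTP/1.1 401 Authentication required\r\n\r\n"

COMMA_OUTSIDE_QUOTES = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
SCHEME = re.compile(r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:\s+(.*))?")


def challenge_schemes(header_value):
    """Return the auth schemes named in one WWW-Authenticate value."""
    schemes = []
    for piece in COMMA_OUTSIDE_QUOTES.split(header_value):
        m = SCHEME.fullmatch(piece.strip())
        # "realm=..." pieces are parameters of the previous challenge,
        # not a new scheme; so is "realm = ..." (space before '=').
        if m and not (m.group(2) or "").startswith("="):
            schemes.append(m.group(1))
    return schemes


def prompt_risk(raw_head):
    """Classify a raw HTTP response head by its auth challenges."""
    status_line, *header_lines = raw_head.split("\r\n")
    status = int(status_line.split()[1])
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            schemes += challenge_schemes(value)
    risky = [s for s in schemes if s.lower() in NATIVE_PROMPT_SCHEMES]
    return {"status": status, "schemes": schemes,
            "native_prompt": status == 401 and bool(risky)}
```

To feed it a real response head, the output of `curl -sk -D - -o /dev/null https://FQDN:9090/cockpit/login` can be passed to `prompt_risk` after normalising line endings to `\r\n`.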

Verified once more that it happens only after I activate LDAP (actually Active Directory).