After upgrading from 2.1.4 to 2.2.2, our Foreman instance is no longer able to authenticate Kerberos SSO users. There is no failure message on the web interface when it displays the standard login page, but production.log shows SSO failed after the attempt.
Users are able to automatically log in using an active Kerberos ticket.
Foreman and Proxy versions:
Distribution and version:
Other relevant data:
We’re using the standard Kerberos SSO config from Foreman :: Manual. This has been functional for many versions up until now.
In the past, errors with Kerberos SSO would show a small error message at the top left of the browser from the ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>' tag in /etc/httpd/conf.d/auth_kerb.conf. This no longer appears.
I tested after the upgrade before running foreman-installer and got a failed attempt. I also ran foreman-installer and reconfigured our TLS to no avail. Logging set to debug doesn’t provide much useful info. We’re willing to upgrade again to 2.3.1 if that’s the fix.