This content has been marked as final. Show 2 replies
A partial workaround is to add a meta refresh tag on the resulting 401 paqe. Browsers that are not confgiured to send a Kerberos token will automatically refresh then.
See the following support note:
After Configuration Of Windows Based SSO, Non SSO Configured Browsers Give Error Page [ID 1468495.1]
The only issue remaining is for users that have a browser configured for Kerberos (such as IE or Chrome), but are not on the configured domain. These will get a popup prompting for credentials upon the 401 request, but these credentials are sent as an NLTM token and not processed by WebLogic. The only way around this is cancelling this prompt and then you are taken to the login screen.
Any ideas how to avoid the credentials popup for users outside of the configured domain?
Assuming that you have configured AD and have created a Negotiate Provider in weblogic console.
Try giving just BASIC in web.xml in your war file.
Deploy the war file with different name like obi.ear instead of analytics.ear. In order to deploy with different name you might require to change the names in the ear file from analytics to obi.
This way first Request should receive both WWW-Authenticate: Negotiate and WWW-Authenticate: Basic. And the client will choose the auth mech.
Let us know your results!