Martin Choma created WFLY-7993:
----------------------------------
Summary: Legacy Kerberos in management, unable to configure fallback authentication.
Key: WFLY-7993
URL: https://issues.jboss.org/browse/WFLY-7993
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
In EAP 7.0 it was possible to configure fallback (e.g. BASIC) authentication if the client
does not support SPNEGO authentication. In EAP 7.1 this feature does not work anymore.
In EAP 7.0 the server returns multiple challenges (Negotiate/Basic) and the client could choose
which one it will use.
{code:title=EAP 7.0}
HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="FallBackKerberosRealm"
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:02:45 GMT
<html><head><title>Error</title></head><body>401 -
Unauthorized</body></html>
{code}
In EAP 7.1 (with the same configuration) the server returns only one challenge - Negotiate, so a
client not supporting SPNEGO can't fall back to Basic.
{code:title=EAP 7.1}
HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:01:28 GMT
<html><head><title>Error</title></head><body>401 -
Unauthorized</body></html>
{code}
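As an added example (not part of the report or of WildFly), a small client-side check that parses the WWW-Authenticate challenges of a 401 response and picks the first scheme the client supports; run against the two captures above it shows why a Basic-only client succeeds with the EAP 7.0 response but has nothing to fall back to with the EAP 7.1 one. The two sample responses are constructed from the captures (bodies trimmed), and the parser also handles several comma-separated challenges in one header.

```python
import re

# Constructed samples mirroring the two captures in the report (bodies trimmed).
EAP70 = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
         'WWW-Authenticate: Basic realm="FallBackKerberosRealm"\r\n\r\n')
EAP71 = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"

# Tokens: quoted-string, bare token, or the separators '=' and ','.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[^\s,="]+|[=,]')

def parse_challenges(header_value):
    """Split one WWW-Authenticate value into challenges. RFC 7235 allows several
    per header, comma-separated: a bare token not followed by '=' starts a new
    challenge, name=value pairs attach to the current one, and commas inside a
    quoted realm are preserved. token68 data after a scheme is not handled."""
    toks = _TOKEN.findall(header_value)
    out, i = [], 0
    while i < len(toks):
        tok = toks[i]
        if tok == ",":
            i += 1
        elif i + 1 < len(toks) and toks[i + 1] == "=":
            value = toks[i + 2] if i + 2 < len(toks) else ""
            if value.startswith('"'):
                value = value[1:-1]  # strip the quotes (escapes left as-is)
            if out:
                out[-1][tok.lower()] = value
            i += 3
        else:
            out.append({"scheme": tok})
            i += 1
    return out

def offered_challenges(raw_response):
    """Collect challenges from every WWW-Authenticate header of a raw 401."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    found = []
    for line in head.split("\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            found.extend(parse_challenges(value.strip()))
    return found

def select_scheme(raw_response, supported):
    """First scheme the client supports, in the client's preference order, or
    None when nothing offered is usable: the EAP 7.1 failure in the report."""
    offered = {c["scheme"].lower() for c in offered_challenges(raw_response)}
    return next((s for s in supported if s.lower() in offered), None)
```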
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)