Darran Lofthouse resolved WFCORE-2386.
--------------------------------------
Resolution: Done
Legacy Kerberos in management, unable to configure fallback authentication.
---------------------------------------------------------------------------
Key: WFCORE-2386
URL: https://issues.jboss.org/browse/WFCORE-2386
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
Labels: regression
Fix For: 3.0.0.Alpha24
In EAP 7.0 it was possible to configure fallback (e.g. BASIC) authentication if the
client does not support SPNEGO authentication. In EAP 7.1 this feature does not work
anymore.
In EAP 7.0 the server returns multiple challenges (Negotiate/Basic) and the client could
choose which one to use.
{code:title=EAP 7.0}
HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="FallBackKerberosRealm"
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:02:45 GMT
<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>
{code}
In EAP 7.1 (with the same configuration) the server returns only one challenge - Negotiate - so
a client not supporting SPNEGO can't fall back to Basic.
{code:title=EAP 7.1}
HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:01:28 GMT
<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>
{code}
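The two captures above differ only in the set of WWW-Authenticate challenges the server offers, which is exactly what a non-SPNEGO client looks at when deciding whether it can fall back. The following script is an added example, not code from WildFly Core or from the reporter: it parses the challenge list of a raw 401 response (handling both one-challenge-per-header and comma-separated challenges in a single header, as RFC 7235 allows) and reports which scheme a client with a given set of capabilities could use. The two responses are embedded as constructed input copied from the issue; the function and variable names are the example's own.

```python
"""Parse WWW-Authenticate challenges from a 401 response and check whether a
client that cannot do SPNEGO/Negotiate has a fallback scheme to use.
Added example; not WildFly Core code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the two responses quoted in the issue, as raw HTTP text.
EAP70_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Connection: keep-alive\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="FallBackKerberosRealm"\r\n'
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Length: 77\r\n"
    "Content-Type: text/html\r\n"
    "Date: Mon, 30 Jan 2017 11:02:45 GMT\r\n"
    "\r\n"
    "<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>"
)
EAP71_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Connection: keep-alive\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Length: 77\r\n"
    "Content-Type: text/html\r\n"
    "Date: Mon, 30 Jan 2017 11:01:28 GMT\r\n"
    "\r\n"
    "<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>"
)

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # RFC 7230 token
_CHALLENGE = re.compile(rf"^({_TOKEN})(?:\s+(.*))?$")  # "Scheme [params|token68]"
_PARAM = re.compile(rf'({_TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")   # e.g. a base64 blob


def _split_outside_quotes(value: str) -> List[str]:
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_challenges(header_values: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Turn WWW-Authenticate values into (scheme, params) pairs.

    A comma-separated piece is the start of a new challenge when it is a bare
    scheme token optionally followed by whitespace; a name=value piece belongs
    to the previous challenge (auth-params are comma separated too).
    """
    raw: List[Tuple[str, str]] = []
    for value in header_values:
        for piece in _split_outside_quotes(value):
            m = _CHALLENGE.match(piece)
            rest = (m.group(2) or "") if m else ""
            if m and not rest.startswith("="):
                raw.append((m.group(1), rest))
            elif raw:  # continuation of the previous challenge's params
                scheme, params = raw[-1]
                raw[-1] = (scheme, f"{params}, {piece}" if params else piece)
    result = []
    for scheme, params in raw:
        if params and _TOKEN68.match(params):
            parsed = {"token68": params}
        else:
            parsed = {k.lower(): v.strip('"') for k, v in _PARAM.findall(params)}
        result.append((scheme, parsed))
    return result


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status code, [(lower-cased header name, value), ...])."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [ln.rstrip("\r") for ln in head.split("\n")]
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def offered_schemes(raw: str) -> List[str]:
    """Lower-cased auth schemes the server offers, in the order it sent them."""
    status, headers = parse_response(raw)
    if status != 401:
        return []
    values = [v for n, v in headers if n == "www-authenticate"]
    return [scheme.lower() for scheme, _ in parse_challenges(values)]


def fallback_scheme(raw: str, client_schemes) -> Optional[str]:
    """First offered scheme the client supports, or None if it cannot authenticate."""
    supported = {s.lower() for s in client_schemes}
    return next((s for s in offered_schemes(raw) if s in supported), None)


if __name__ == "__main__":
    for label, resp in (("EAP 7.0", EAP70_RESPONSE), ("EAP 7.1", EAP71_RESPONSE)):
        print(label, offered_schemes(resp),
              "-> Basic-only client uses:", fallback_scheme(resp, {"basic"}))
```

Run against the two captures, the EAP 7.0 response yields a usable `basic` fallback for a client without SPNEGO support, while the EAP 7.1 response yields none, which is the regression the issue describes; the same check can be pointed at a live management interface by substituting the captured response text.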