Kerberos ticket is sent only when compatibility mode in IE is turned on


On our Kerberos setup, when our application URL is accessed using IE 11, the Kerberos ticket is not sent along with the request. However, when the compatibility mode (display intranet sites in compatibility view) is turned on, the Kerberos ticket is sent and authentication works fine. We are using IE 11. When the user agent string is changed from Default to Internet Explorer 10 using the developer tools, it also works.

The authentication always works fine on Chrome.

UPDATE: We observed the traffic in Wireshark and found out that when compatibility mode is OFF, the server is not challenging the client for negotiation. However, when compatibility mode is ON, the server challenges the client by sending a 401 response.

Any pointers are highly appreciated.

Bhushan Karmarkar (accepted answer):

Finally we have identified the exact root cause and the solution for this issue.

Root Cause:
We are using the CAS 3.5.3 implementation for Kerberos. This library maintains a list of User Agents; to be precise, substrings of the User-Agent string. This list is used to check whether the browser is compatible with Kerberos authentication or not.

There are changes in the User Agent String of IE 11. Refer to this Link

The user agent string sent by IE 11 (in non-compatibility mode) was not supported by the CAS 3.5.3 implementation which we are using.

The difference between the User Agent Strings from the two requests (IE 11 compatibility mode ON and OFF) is as follows:

With compatibility ON:
    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/8.0; .NET4.0C; .NET4.0E)

With compatibility OFF:
    Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

The first user agent is processed by the library (it searches for the word ‘MSIE’, which is in the list of supported User Agents), while the other is discarded as it doesn’t contain the word ‘MSIE’. The problem did not occur with IE 9/10 because their corresponding user agents contain the string ‘MSIE’.

Solution:
The list of user agents maintained by CAS 3.5.3 is overridden and the entry corresponding to the user agent of IE 11 is added to it. Now the request gets processed properly and the Kerberos login is working properly.

I hope this will be helpful for other developers working on the CAS library.
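As an added illustration (not CAS's own code), the following Python simulates the user-agent gate the answer describes: the server only sends the 401 Negotiate challenge when the User-Agent contains one of the listed substrings. The original substring list, the added IE 11 entry "Trident" and the Chrome string are assumptions, since the page does not reproduce CAS's actual list.

```python
# Added example, not CAS 3.5.3 code. It models the "supported browser" check
# that decides whether the first, unauthenticated request is answered with
# 401 + WWW-Authenticate: Negotiate (which makes IE attach the Kerberos ticket).

# User-Agent strings captured in the answer above.
UA_IE11_COMPAT_ON = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; "
                     "WOW64; Trident/8.0; .NET4.0C; .NET4.0E)")
UA_IE11_COMPAT_OFF = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
# Constructed Chrome string, only to show an unrelated browser passing the gate.
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0"

# Assumed shape of the library's list: substrings marking a Negotiate-capable browser.
ORIGINAL_SUPPORTED = ("MSIE", "Chrome", "Firefox")
# The override from the answer: add an entry that matches the IE 11 token.
# "Trident" is an assumption; it also matches the compatibility-mode string.
FIXED_SUPPORTED = ORIGINAL_SUPPORTED + ("Trident",)


def is_supported_browser(user_agent, supported):
    """Plain substring match, as the answer says the library does."""
    return any(token in user_agent for token in supported)


def handle_first_request(headers, supported):
    """Return (status, response headers) for a request without Authorization.

    The User-Agent is client-controlled, so this gate only decides whether to
    issue the challenge; trust comes from validating the ticket that follows.
    A None status means "skip Negotiate and fall through to the next handler"
    (the page does not say what CAS does instead, so that is an assumption).
    """
    if "Authorization" in headers:
        return None, {}  # ticket already present; validation is out of scope here
    if is_supported_browser(headers.get("User-Agent", ""), supported):
        return 401, {"WWW-Authenticate": "Negotiate"}
    return None, {}


if __name__ == "__main__":
    for name, ua in (("compat ON", UA_IE11_COMPAT_ON), ("compat OFF", UA_IE11_COMPAT_OFF)):
        before = handle_first_request({"User-Agent": ua}, ORIGINAL_SUPPORTED)[0]
        after = handle_first_request({"User-Agent": ua}, FIXED_SUPPORTED)[0]
        print(f"IE 11 {name}: original list -> {before}, fixed list -> {after}")
```

With the original list only the compatibility-mode string triggers the challenge; after adding the IE 11 entry both do, which matches the Wireshark observation in the question.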