
4.3. Using the FreeIPA Web UI

In order to use the web UI, the user must be authenticated with the FreeIPA Kerberos domain and have an active Kerberos ticket (Section 4.2, “Logging into FreeIPA”). Generally, the web UI can only be accessed from a FreeIPA server or client machine and the user must be locally authenticated. There are a couple of ways to work around this, either by configuring Kerberos on a non-domain machine to connect to the Kerberos domain (Section 4.3.4, “Using a Browser on Another System”) or by password authentication to the UI.

4.3.1. Supported Web Browsers

These browsers are supported for connecting to the web UI:
  • Firefox 10.x
  • Firefox 3.6

4.3.2. Opening the FreeIPA Web UI

The browser must be properly configured, as described in Section 4.3.3, “Configuring the Browser”, to support Kerberos authentication so that the user can connect to the UI.
To open the web UI:
  1. Get a valid Kerberos ticket using kinit, as in Section 4.2, “Logging into FreeIPA”.
  2. Open the FreeIPA URL. The full URL is https://IPAserver-FQDN/ipa/ui, but this service is also accessed simply by opening https://IPAserver-FQDN. For example:

4.3.3. Configuring the Browser

Firefox can use Kerberos credentials to authenticate to the FreeIPA UI, but Kerberos negotiation needs to be configured to use the FreeIPA domain. At the first log-in attempt, if Firefox has not been configured to support Kerberos authentication, then an error message appears.
Figure 4.10. Kerberos Authentication Error

If you see that error, then the FreeIPA web UI can perform the required configuration:
  1. Click the follow these directions link.
  2. Click the link to import the CA certificate for the FreeIPA server.
  3. Set the web site and software developer (first and last) trust bits for the CA certificate.
  4. Click the Configure Firefox button. This automatically fills out all the negotiate settings in the Firefox configuration to use the FreeIPA domain settings.
    When the process is complete, a success box pops up saying that Firefox has been configured for single sign-on. From there, you are redirected to the FreeIPA web UI.
This can also be done manually:
  1. Open Firefox.
  2. Type about:config in the address bar.
  3. In the Search field, type negotiate to show only the Kerberos-related parameters.
  4. On Fedora, enter the domain name for the URI parameters, including the preceding period (.), and set the gsslib parameter to true:
    network.negotiate-auth.using-native-gsslib true
    On Windows, set the trusted URIs and library path, and disable the built-in Microsoft Kerberos for authentication:
    network.auth.use-sspi false
    network.negotiate-auth.gsslib C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
    On a 64-bit system, the library location is in C:\Program Files(x86)\MIT\Kerberos\bin\gssapi32.dll.
  5. Open the web UI by going to the fully-qualified domain name of the FreeIPA server such as Make sure that you can open the web UI and that there are no Kerberos authentication errors.
  6. Next, download the FreeIPA server's CA certificate from
  7. Select the first (Trust this CA to identify web sites) and third (Trust this CA to identify software developers) check boxes.
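As an added check for the manual Firefox configuration above (an example script, not part of the FreeIPA documentation), this POSIX shell function audits a Firefox prefs.js for the negotiate settings. It assumes the standard Firefox pref names network.negotiate-auth.trusted-uris, network.negotiate-auth.delegation-uris and network.negotiate-auth.using-native-gsslib, and that both URI parameters are set to the FreeIPA domain with its leading period.

```shell
#!/bin/sh
# Added example, not from the FreeIPA documentation: audit a Firefox
# prefs.js for the Kerberos negotiate settings of Section 4.3.3.
# Assumes a Linux Firefox profile and the standard network.negotiate-auth.*
# pref names; prefs.js lines look like:
#   user_pref("network.negotiate-auth.trusted-uris", ".example.com");

# pref_value FILE NAME
# Prints the value part of the last user_pref("NAME", value); line, or nothing.
pref_value() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));\$/\1/p" "$1" | tail -n 1
}

# check_negotiate_prefs FILE DOMAIN
# DOMAIN is the FreeIPA domain including the leading period, e.g. .example.com.
# Prints one line per problem found; returns 0 when every pref matches, 1 otherwise.
check_negotiate_prefs() {
    file=$1
    domain=$2
    rc=0
    # Both URI parameters must name the FreeIPA domain (the value keeps its quotes).
    for name in network.negotiate-auth.trusted-uris network.negotiate-auth.delegation-uris; do
        val=$(pref_value "$file" "$name")
        case "$val" in
            "\"$domain\"") ;;
            "") echo "missing: $name (expected \"$domain\")"; rc=1 ;;
            *)  echo "wrong: $name = $val (expected \"$domain\")"; rc=1 ;;
        esac
    done
    # The native GSSAPI library must be enabled for the ticket to be used.
    val=$(pref_value "$file" network.negotiate-auth.using-native-gsslib)
    if [ "$val" != true ]; then
        echo "wrong: network.negotiate-auth.using-native-gsslib = ${val:-unset} (expected true)"
        rc=1
    fi
    return $rc
}

# Usage: check_negotiate_prefs ~/.mozilla/firefox/<profile>/prefs.js .example.com
```

Run it against the profile's prefs.js after Firefox has been closed, since Firefox rewrites the file on exit.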

4.3.4. Using a Browser on Another System

It is possible to connect to the FreeIPA web UI from a system which is not a member of the FreeIPA domain. In this case, it is possible to specify a FreeIPA-specific Kerberos configuration file on the external (non-FreeIPA) machine before running kinit, and then the user can authenticate against the FreeIPA server domain.
This is especially useful when there are multiple realms or overlapping domains across your infrastructure.
  1. Copy the /etc/krb5.conf file from the FreeIPA server.
    # scp /etc/krb5.conf
    Do not overwrite the existing krb5.conf file.
  2. On the external machine, set the terminal session to use the copied FreeIPA Kerberos configuration file:
    $ export KRB5_CONFIG=/etc/krb5_ipa.conf
  3. Configure Firefox on the external machine as in Section 4.3.3, “Configuring the Browser”.

4.3.5. Logging in with Simple Username/Password Credentials

If Kerberos authentication fails, then browser login also fails. That prevents access to the FreeIPA web UI. Simple authentication for the UI allows users to log in even if there are problems with the Kerberos service or if the system is outside the FreeIPA domain.
When the FreeIPA server cannot find a valid Kerberos ticket for the user attempting to log into the web UI, it displays an error message. Since the preferred method of connecting to FreeIPA domain services (including the UI) is Kerberos authentication, the error first says to renew the Kerberos credentials or to configure the browser to support Kerberos authentication.
The second part of the message offers the alternative of using simple authentication. The form-based authentication link opens a login page.
Figure 4.11. FreeIPA Form-Based Login Option

Then simply supply the UID and password for a configured FreeIPA user.
Figure 4.12. FreeIPA Password Prompt

4.3.6. Using the UI with Proxy Servers

Proxy servers can be used to access the web UI without any additional configuration in FreeIPA.
Port forwarding is not supported with the FreeIPA server. However, because it is possible to use proxy servers with FreeIPA, an operation similar to port forwarding can be configured using proxy forwarding with OpenSSH and the SOCKS option. This is described in

4.3.7. Troubleshooting UI Connection Problems

If negotiate authentication is not working, turn on verbose logging for the authentication process to help diagnose the issue:
  1. Close all browser windows.
  2. In a terminal, set the new log levels for Firefox:
    export NSPR_LOG_MODULES=negotiateauth:5
    export NSPR_LOG_FILE=/tmp/moz.log
    This enables verbose logging and logs all information to /tmp/moz.log.
  3. Restart the browser from the same terminal window and attempt to log in to the web UI.
Some of the common error messages and workarounds are in Table 4.2, “UI Error Log Messages”.
Table 4.2. UI Error Log Messages

Error Log Message:
  -1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
  -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
  No credentials cache found
Description and Fix:
  There are no Kerberos tickets. Run kinit.

Error Log Message:
  -1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
  -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
  Server not found in Kerberos database
Description and Fix:
  This can occur when you have successfully obtained Kerberos tickets but are still unable to authenticate to the UI. This indicates that there is a problem with the Kerberos configuration. The first place to check is the [domain_realm] section in the /etc/krb5.conf file. Make sure that the FreeIPA Kerberos domain entry is correct and matches the configuration in the Firefox negotiation parameters. For example:
    = EXAMPLE.COM
    = EXAMPLE.COM

Error Log Message:
  Nothing is in the log file.
Description and Fix:
  It is possible that you are behind a proxy which is removing the HTTP headers required for negotiate authentication. Try to connect to the server using HTTPS instead, which allows the request to pass through unmodified. Then check the log file again.
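To put Table 4.2 to work, here is an added shell example (not from the FreeIPA documentation) that classifies a negotiateauth log written via NSPR_LOG_FILE and, for the "Server not found" case, prints the [domain_realm] section of the krb5.conf in use so it can be compared with the Firefox negotiate parameters. The default krb5.conf path is assumed to be /etc/krb5.conf, and the return codes are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the FreeIPA documentation: match a Firefox
# negotiateauth log (NSPR_LOG_FILE) against the messages in Table 4.2 and
# print the corresponding fix.  Assumes the krb5.conf path defaults to
# /etc/krb5.conf; the return codes below are this script's own convention.

# domain_realm_section FILE
# Prints the non-empty lines of the [domain_realm] section of a krb5.conf.
domain_realm_section() {
    awk '/^\[/ { inside = ($0 == "[domain_realm]"); next }
         inside && NF { print }' "$1"
}

# diagnose_moz_log LOGFILE [KRB5CONF]
# Returns 0 = no known error, 1 = no ticket in the cache,
#         2 = server not found in the Kerberos database, 3 = empty log.
diagnose_moz_log() {
    log=$1
    krb5conf=${2:-/etc/krb5.conf}
    # Table 4.2, third row: an empty log usually means a proxy stripped the headers.
    if [ ! -s "$log" ]; then
        echo "log is empty: a proxy may be removing the negotiate headers; retry over HTTPS"
        return 3
    fi
    # Table 4.2, first row: no credentials cache means no ticket was obtained.
    if grep -q 'No credentials cache found' "$log"; then
        echo "no Kerberos ticket in the credentials cache: run kinit and retry"
        return 1
    fi
    # Table 4.2, second row: ticket present, but the realm mapping is wrong.
    if grep -q 'Server not found in Kerberos database' "$log"; then
        echo "ticket obtained but the server is unknown to the realm: check [domain_realm] in $krb5conf"
        if [ -r "$krb5conf" ]; then
            domain_realm_section "$krb5conf"
        fi
        return 2
    fi
    echo "no known negotiateauth error found in $log"
    return 0
}

# Usage: diagnose_moz_log /tmp/moz.log            (after the steps in Section 4.3.7)
#        diagnose_moz_log /tmp/moz.log /etc/krb5_ipa.conf   (Section 4.3.4 setup)
```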