Handling Failed Kerberos calls

We have configured Kerberos in Documentum REST 7.3. For requests to REST, where users exists in AD, everything works fine. User (through some client) accesses REST and is automatically logged in.

Now, consider a scenario where user accessing the REST services does not exist in AD. The expectation would be that some kind of error message is send back in response so that it can be appropriately handled by the client.

However, the behavior we are seeing is as follows -

1. User (who does not have exist in AD/Documentum) calls REST service, say http://myserver/dctm-rest/repositories/myrepo/currentuser.xml

2. Browser shows a page can't be displayed message to the User.

3. On looking at the Network tab, it seems the request has been aborted. This is how the request/response looks like

PW1.JPG.jpg

PW2.JPG.jpg

Do we need to do any changes to Documentum REST so that instead of aborting the request, it gives some error message which can be handled by the client. We are trying to implement behavior very similar to what D2 does, that is, if user is not able to login using Kerberos, it redirects user to the login page. But for that we need a way to find that Kerberos login did not succeed (either due to user not existing in AD/Documentum or some other reason).

PW1.JPG.jpg

PW2.JPG.jpg

Find more posts tagged with

Note:

If there are Accepted Answers, those will be shown by default. You can switch to 'All Replies' by selecting the tab below.

Accepted answers

abc123

The web browser is not a REST client, so it does not handle the error response friendly. "The page can't be displayed" is promoted by IE, not returned by the REST API response.

I see from your screenshot, the response is 401 code with WWW-Authenticate: Negotiate header. That's what the client should expect from the Kerberos authentication error. Did you check the response body from the debugger? It should give some readable messages. To make the login error behave user-friendly, you need to write some JavaScript code or other client code to handle the error elegantly in your UI. The REST API just does the work to return the right status / messages for your request.

All comments

abc123

The web browser is not a REST client, so it does not handle the error response friendly. "The page can't be displayed" is promoted by IE, not returned by the REST API response.

AnshulK

Thanks William.

I do have Angular on the client to handle this error. Problem is that, after the request to dctm-rest has been fired, the code block which should be executed on getting a response/error never gets executed. It keeps on waiting but doesn't get anything back. However, if the response 200, this code block gets executed just fine.

The response body is empty as well in case of the error posted above.

I was expecting that if server returns 401/Negotiate, browser would pop up the login dialog that it normally shows in case credentials are not passed. But it seems that is not a correct assumption.

abc123

This might because the browser promotes the error page prior to your JS code for this specific status code & response header. Please try to add below custom header to your request which will suppress the default error response header.

DOCUMENTUM-CUSTOM-UNAUTH-SCHEME:true