diff --git a/roles/ipa/server/files/ipa-rewrite.conf b/roles/ipa/server/files/ipa-rewrite.conf
index 7e0c29b3d6..9c71d921c2 100644
--- a/roles/ipa/server/files/ipa-rewrite.conf
+++ b/roles/ipa/server/files/ipa-rewrite.conf
@@ -20,3 +20,9 @@ RewriteEngine on
 
 # Rewrite for plugin index, make it like it's a static file
 RewriteRule ^/ipa/ui/js/freeipa/plugins.js$    /ipa/wsgi/plugins.py [PT]
+
+# The following disables the annoying kerberos popup for browsers on windows
+RewriteCond %{HTTP_COOKIE} !ipa_session
+RewriteCond %{HTTP_REFERER} ^(.+)/ipa/ui/$
+RewriteRule ^/ipa/session/json$ - [R=401,L]
+RedirectMatch 401 ^/ipa/session/login_kerberos