Fallback authentication if mod_auth_kerb fails


The website of the mod_auth_kerb module is somewhat unclear about this, stating at one point that AuthType must be set to Kerberos, but also implying that "if your AuthType is Basic" it will essentially use the username/password pair that AuthType Basic provides to check against your Kerberos server.

The other directives you have for Kerberos, specifically KrbDelegateBasic on, don't seem to be documented at the sourceforge page for this module, making me wonder which version of this module you're using.

But, putting that aside for the moment, unless the mod_auth_kerb module is somehow able to hand along the values it gets to the next authentication module in the chain in a way that the next module can understand, this likely won't work.

As a test, I'd change AuthType to Basic, KrbMethodNegotiate to off, and KrbMethodK5Passwd to on, and see if that changes the behavior at all. This would hopefully cause mod_auth_kerb to gather the login data in a way that the other modules can understand, prevent the authentication method from being negotiated, and attempt to gather a username/password rather than a ticket.

The negotiation part is important, since that's done for each connection, and thus, if the client browser negotiates a method that screws up the next authentication method, it won't ever get past the Kerberos auth.

I will say that I've never configured Kerberos auth on Apache, so this is somewhat of a guess. I have done LDAP falling back to file-based Basic auth, though, so I know the fall-through mechanism works, in general.
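The test the answer proposes, written out as a complete configuration. This is an added example and not part of the original answer or question; the directory path, realm, keytab path and alias names are copied from the question, the this-ad and this-radius aliases are assumed to stay exactly as the question defines them and are not repeated, and KrbDelegateBasic is left out because the answer could not find it documented for this module. The KrbVerifyKDC change is an addition of this example, not something the answer asked for.

```apache
# Added example, not from the original post: the question's <Directory>
# block rewritten along the lines the answer suggests, so that every
# provider in the chain consumes the same Basic username/password pair and
# a rejection by this-sso can fall through to this-ad and then this-radius.
<Directory "/path/to/directory">
  # Basic, not Kerberos: the browser sends a username/password pair that
  # mod_auth_kerb, mod_authnz_ldap and mod_auth_xradius can all understand.
  AuthType Basic
  AuthName "Please provide credentials to log in"
  # Non-authoritative everywhere, so a failed check is handed to the next
  # provider instead of ending the request with a 401 at the first one.
  KrbAuthoritative off
  AuthzLDAPAuthoritative off
  AuthBasicAuthoritative off
  AuthBasicProvider this-sso this-ad this-radius
  Require valid-user
  # Basic carries the password in every request; keep TLS mandatory.
  SSLRequireSSL
</Directory>

<AuthnProviderAlias kerberos this-sso>
  KrbAuthRealms THIS.LOCAL
  # No SPNEGO/Negotiate: a negotiated ticket exchange happens per
  # connection and produces nothing the LDAP or RADIUS providers can reuse.
  KrbMethodNegotiate off
  # Validate the Basic username/password against the KDC instead.
  KrbMethodK5Passwd on
  Krb5Keytab /etc/apache2/this.keytab.key
  KrbServiceName HTTP
  # Addition of this example (the question has it off): with password
  # authentication the module should verify the ticket it obtains against
  # the keytab, otherwise the password check is open to KDC spoofing. The
  # module's documentation describes "off" as a testing-only setting.
  KrbVerifyKDC on
</AuthnProviderAlias>
```

Apply it with a reload rather than a restart so a mistake in the aliases does not take the server down, and watch the Apache error log while testing: with all three providers non-authoritative, a rejection from the Kerberos provider should be followed by LDAP and then RADIUS attempts for the same request.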


Author: Ritesh Bansal. Updated on September 17, 2022.

Comments

  • Ritesh Bansal, over 1 year

    Is there a way for Apache to fall back to a different authentication method if Kerberos authentication (for some reason) fails? The order of the authentication methods should be:

    • Kerberos
    • Active Directory
    • RSA token

    The RSA token authentication is used by external parties who do not have AD accounts.

    Let me know if you need more info. Thanks.

    My current config is as follows:

    <Directory "/path/to/directory">
      AuthType Kerberos
      AuthName "Please provide credentials to log in"
      KrbAuthoritative off
      AuthzLDAPAuthoritative off
      AuthBasicAuthoritative off
      AuthBasicProvider this-sso this-ad this-radius
      Require valid-user
      SSLRequireSSL
    </Directory>
    

    Authentication aliases are below:

    <AuthnProviderAlias kerberos this-sso>
      KrbAuthRealms THIS.LOCAL
      KrbMethodNegotiate on
      KrbMethodK5Passwd off
      KrbDelegateBasic on
      Krb5Keytab /etc/apache2/this.keytab.key
      KrbServiceName HTTP
      KrbVerifyKDC off
    </AuthnProviderAlias>
    
    <AuthnProviderAlias ldap this-ad>
      Include /etc/apache2/.ldapbinddn
      AuthLDAPURL "ldaps://srv1.this.local srv2.this.local:636/OU=DIR,DC=this,DC=local?sAMAccountName?sub?(objectClass=user)"
    </AuthnProviderAlias>
    
    <AuthnProviderAlias xradius this-radius>
      AuthXRadiusAddServer "rsasrv1.this.local:1812" "Shared_key_here"
      AuthXRadiusTimeout 7
      AuthXRadiusRetries 2
      AuthXRadiusRejectBlank on
    </AuthnProviderAlias>
    
  • Ritesh Bansal, about 13 years
    Thanks, but no dice on those suggestions. Fallback from LDAP to RSA works (they use basic auth). If only there was a way to mix two AuthTypes... BTW, I'm using v5.4 of mod_auth_kerb from Sourceforge.