How to tell mod_auth_kerb to do its job despite no "require valid-user"

apache-2.2 kerberos mod-auth-kerb

5,956

I've done this once when I built a simple single-signon tool (to merge Kerberos with mod_auth_tkt). It required a little bit of chicanery:

/webauth/login was protected by a require valid-user directive. If someone connected with valid Kerberos credentials, we got their username from REMOTE_USER, gave them an authentication cookie, and sent them on their way.
The Apache configuration used an ErrorDocument request to redirect unauthenticated users to /webauth/require_authentication:

ErrorDocument 401 /webauth/require_authentication

This would perform the following actions:
- Return a 401 result code (normally, ErrorDocuments eat your result code), and
- Present a login form.
The login form would do exactly what you expect: present a username/password form, validate same, and then give them the auth cookie.

5,956

Related videos on Youtube

Author by

Benjamin Wohlwend

Updated on September 17, 2022

Comments

Benjamin Wohlwend over 1 year
I implemented a SSO authentication using mod_auth_kerb on Apache. My config looks like this:
```
<Location /login/ >
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbAuthoritative on
    KrbVerifyKDC on
    KrbAuthRealm D.ETHZ.CH
    Krb5Keytab /etc/HTTP.keytab
    KrbSaveCredentials on
    RequestHeader set KERBEROS_USER %{REMOTE_USER}s
</Location>
```
My problem is that, without require valid-user, mod_auth_kerb doesn't even try to authenticate the user and KERBEROS_USER ends up being (null). If I add require valid-user, the user is authenticated automatically if the browser supports it, but gets shown an ugly modal login form (ala HTTP Basic Auth) if the browser doesn't support Kerberos Negotiate.

What I want to achieve is that if a user visits /login/, mod_auth_kerb tries to authenticate the user through Kerberos Negotiate. If that fails, a normal HTML login form will be presented to the user.

Is it possible to configure Apache/mod_auth_kerb in such a way?
Sam Halicke over 13 years

+1 for an interesting solution.
Benjamin Wohlwend over 13 years

great, this works perfectly!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?

How to troubleshoot crashes detected by Google Play Store for Flutter app

Cupertino DateTime picker interfering with scroll behaviour

Why does awk -F work for most letters, but not for the letter "t"?

Flutter change focus color and icon color but not works

How to print and connect to printer using flutter desktop via usb?

Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0

Flutter Dart - get localized country name from country code

navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage

Android Sdk manager not found- Flutter doctor error

Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)

How to change the color of ElevatedButton when entering text in TextField

Related

Apache 2.2 mod_auth_kerb SSO stopped working

apache using mod_auth_kerb always asks for the password twice

Apache2, Kerberos: gss_accept_sec_context() failed: An unsupported mechanism was requested

mod_auth_kerberos "Unspecified GSS failure"

Apache not finding the kerberos principal in keytab file

How can I disable Kerberos authentication for only the root of my site?

Problems set-up Single Sign-On using Kerberos authentication

LDAP Auth proxy adding headers according to LDAP groups

Apache SSO with Active Directory and providing authorization based on groups

How to avoid frequent KVNO increases, when using Apache HTTPD with mod_auth_kerb talking to AD?