How to tell mod_auth_kerb to do its job despite no "require valid-user"
I implemented an SSO authentication using mod_auth_kerb on Apache. My config looks like this:

    <Location /login/>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbAuthoritative on
    KrbVerifyKDC on
    KrbAuthRealm D.ETHZ.CH
    Krb5Keytab /etc/HTTP.keytab
    KrbSaveCredentials on
    RequestHeader set KERBEROS_USER %{REMOTE_USER}s
    </Location>
My problem is that, without "require valid-user", mod_auth_kerb doesn't even try to authenticate the user and KERBEROS_USER ends up being "(null)". If I add "require valid-user", the user is authenticated automatically if the browser supports it, but gets shown an ugly modal login form (à la HTTP Basic Auth) if the browser doesn't support Kerberos Negotiate.
What I want to achieve is that if a user visits /login/, mod_auth_kerb tries to authenticate the user through Kerberos Negotiate. If that fails, a normal HTML login form will be presented to the user.
Is it possible to configure Apache/mod_auth_kerb in such a way?
Solution 1:
I've done this once when I built a simple single-signon tool (to merge Kerberos with mod_auth_tkt). It required a little bit of chicanery:
- /webauth/login was protected by a "require valid-user" directive. If someone connected with valid Kerberos credentials, we got their username from REMOTE_USER, gave them an authentication cookie, and sent them on their way.
- The Apache configuration used an ErrorDocument request to redirect unauthenticated users to /webauth/require_authentication:
    ErrorDocument 401 /webauth/require_authentication
This would perform the following actions:
- Return a 401 result code (normally, ErrorDocuments eat your result code), and
- Present a login form.
The login form would do exactly what you expect: present a username/password form, validate same, and then give them the auth cookie.
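The arrangement the answer describes, written out as an added example (this is not code from the original question or answer): a small WSGI app standing in for the two /webauth/ endpoints, with the Apache side that routes to them in the module docstring. The /webauth/login handler turns the REMOTE_USER that mod_auth_kerb filled in into an HMAC-signed cookie; /webauth/require_authentication answers the ErrorDocument internal redirect with a 401 of its own plus the form, and validates the posted form. The paths, cookie name, realm EXAMPLE.COM, keytab path and the "alice" test account are assumptions of this example. One caveat worth knowing for the question's setup: mod_auth_kerb offers HTTP Basic alongside Negotiate unless KrbMethodK5Passwd is off, and that Basic challenge is what makes non-Negotiate browsers show the modal prompt; with it off, such browsers see only the 401 body, i.e. the form.

```python
"""Added example (not from the original post): WSGI stand-in for the two
/webauth/ endpoints, plus the assumed Apache layout that routes to them.
mod_auth_kerb directive names are real; paths, realm and accounts are assumed.

    <Location /webauth/login>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off    # no Basic fallback, so no browser modal prompt
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/HTTP.keytab
        Require valid-user
        ErrorDocument 401 /webauth/require_authentication
    </Location>
"""
import hashlib, hmac, io, secrets, time
from urllib.parse import parse_qs, urlencode

SECRET = secrets.token_bytes(32)   # assumption: a real deployment loads a persistent key
COOKIE_NAME = "auth_tkt"           # assumed cookie name
TICKET_TTL = 8 * 3600              # seconds a ticket stays valid
_SALT = b"constructed-salt"        # constructed; use a per-user random salt in practice
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
LOGIN_FORM = (b'<html><body><form method="post" action="/webauth/require_authentication">'
              b'User <input name="user"> Password <input name="password" type="password">'
              b'<input type="submit" value="Log in"></form></body></html>')


def make_ticket(user, now=None):
    """user:timestamp:HMAC-SHA256(user:timestamp) keyed with SECRET."""
    now = int(time.time()) if now is None else now
    payload = "%s:%d" % (user, now)
    return payload + ":" + hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def verify_ticket(ticket, now=None):
    """Return the user named in a valid, unexpired ticket, else None."""
    try:
        user, ts, mac = ticket.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(SECRET, ("%s:%s" % (user, ts)).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if not ts.isdigit() or now - int(ts) > TICKET_TTL:
        return None
    return user


def check_password(user, password):
    # Hash before consulting the lookup so an unknown user costs the same time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


def _logged_in(user, now):
    cookie = "%s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (COOKIE_NAME, make_ticket(user, now))
    return "302 Found", [("Location", "/"), ("Set-Cookie", cookie)], b""


def handle(environ, now=None):
    """Return (status, headers, body); kept apart from application() so it is testable."""
    path = environ.get("PATH_INFO", "")
    form_401 = ("401 Unauthorized", [("Content-Type", "text/html")], LOGIN_FORM)
    if path == "/webauth/login":
        # Only reached after mod_auth_kerb's Require valid-user succeeded,
        # so Apache has already set REMOTE_USER to the Kerberos principal.
        user = environ.get("REMOTE_USER")
        return _logged_in(user, now) if user else form_401
    if path == "/webauth/require_authentication":
        if environ.get("REQUEST_METHOD") == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode())
            user = form.get("user", [""])[0]
            if check_password(user, form.get("password", [""])[0]):
                return _logged_in(user, now)
        # GET via the ErrorDocument internal redirect, or a failed form post:
        # set the 401 ourselves so the client still sees the auth failure,
        # and ship the form as the body instead of a bare error page.
        return form_401
    return "404 Not Found", [("Content-Type", "text/plain")], b"not found"


def application(environ, start_response):
    status, headers, body = handle(environ)
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]


def make_environ(path, method="GET", remote_user=None, form=None):
    """Minimal WSGI environ standing in for what Apache passes (local testing only)."""
    body = urlencode(form).encode() if form else b""
    env = {"PATH_INFO": path, "REQUEST_METHOD": method,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if remote_user is not None:
        env["REMOTE_USER"] = remote_user
    return env
```

The cookie carries only the principal and an issue time under an HMAC, so it can be checked by any front end that shares SECRET without a round trip; expiry is enforced at verification, and the ticket is rejected on any MAC mismatch before its timestamp is even parsed.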