Apache modules compatible with kerberos in 1.7b

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Mar 23 21:49:48 EST 2004


Travis Crawford wrote:
> What Apache module(s) are compatible with the Kerberos implementation
> in Mozilla 1.7b? A couple modules are available: mod_auth_kerb and
> mod_auth_gss_krb5.
> 
> So far I set up mod_auth_kerb and can login by entering my username
> and password in the browser, but it's not automatic. I haven't tried
> mod_auth_gss_krb5 because it seems a bit rough around the edges.
> What's the recommended way to configure your Apache web server for
> Kerberos authentication through Mozilla? Thanks.


The "negotiateauth" extension in Mozilla 1.7b uses GSSAPI
for authentication in the same manner that Microsoft IE and IIS
use it.  By default, Mozilla 1.7b will *NOT*
respond to server requests for "Negotiate" authentication
unless the URL is "https://".  However, this can be overridden
by modifying a couple of configuration options:

1. Choose "about:config" in the URL bar.
2. Look for the following options:
    network.negotiate-auth.delegation-uris
    network.negotiate-auth.trusted-uris

3. Set these to "http://,https://" in order to allow it to
    be used with non-SSL protected sessions.  It is highly
    desirable to protect any HTTP authentication with
    SSL to prevent session replay attacks.

This is not yet documented in the Mozilla docs.

If you are using an IIS server with "integrated windows authentication"
enabled, it should work, assuming you have already configured
your local Kerberos to get tickets from the AD server.

If you want to set this up to work with Apache and the
mod_auth_kerb module from sourceforge, set the
"Krb5Keytab" directive correctly and set the "KrbMethodNegotiate"
flag to set it up to use the GSSAPI authentication for
whatever directory or page you are protecting.

Getting a standard GSSAPI module for Apache is the next
step towards making Single Sign On for the web possible
for everyone who doesn't want to run IIS.

-Wyllys
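
One way the mod_auth_kerb setup described above could look, as an added example that is not part of the original message. The realm, keytab path and location are placeholders, and it assumes mod_ssl is loaded and the keytab holds the web server's HTTP/<hostname> service principal.

```apache
# Added example: placeholder values throughout (EXAMPLE.COM, paths, /protected).
<Location /protected>
    # Refuse plain-HTTP requests so the authentication exchange is
    # always carried inside SSL, as the message recommends.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"

    # Realm(s) the module accepts principals from (placeholder realm).
    KrbAuthRealms EXAMPLE.COM

    # Keytab containing the HTTP/<hostname>@EXAMPLE.COM key.
    # It must be readable by the Apache user and by nobody else.
    Krb5Keytab /etc/httpd/conf/http.keytab

    # Offer "WWW-Authenticate: Negotiate" so the browser can answer
    # with a GSSAPI token instead of prompting.
    KrbMethodNegotiate on

    # Disable the fallback that asks for a username and password and
    # checks them against the KDC; with it on, a browser that does not
    # answer Negotiate shows a password dialog instead.
    KrbMethodK5Passwd off

    Require valid-user
</Location>
```

With the password fallback off, a browser that is not configured to answer "Negotiate" for this site gets a 401 rather than a login prompt, which makes a client-side misconfiguration easy to spot.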

