Apache modules compatible with kerberos in 1.7b
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue Mar 23 21:49:48 EST 2004
Travis Crawford wrote:
> What Apache module(s) are compatible with the Kerberos implementation
> in Mozilla 1.7b? A couple modules are available: mod_auth_kerb and
> mod_auth_gss_krb5.
>
> So far I set up mod_auth_kerb and can login by entering my username
> and password in the browser, but it's not automatic. I haven't tried
> mod_auth_gss_krb5 because it seems a bit rough around the edges.
> What's the recommended way to configure your Apache web server for
> Kerberos authentication through Mozilla? Thanks.

The "negotiateauth" extension in Mozilla 1.7b uses GSSAPI
for authentication in the same manner that Microsoft IE and IIS
use it. By default, Mozilla 1.7b will *NOT*
respond to server requests for "Negotiate" authentication
unless the URL is "https://". However, this can be overridden
by modifying a couple of configuration options:

1. Choose "about:config" in the URL bar.
2. Look for the following options:
   network.negotiate-auth.delegation-uris
   network.negotiate-auth.trusted-uris
3. Set these to "http://,https://" in order to allow it to
   be used with non-SSL protected sessions. It is highly
   desirable to protect any HTTP authentication with
   SSL to prevent session replay attacks.

This is not yet documented in the Mozilla docs.

If you are using an IIS server with "integrated windows authentication"
enabled, it should work, assuming you have already configured
your local Kerberos to get tickets from the AD server.

If you want to set this up to work with Apache and the
mod_auth_kerb module from sourceforge, set the
"Krb5Keytab" directive correctly and set the "KrbMethodNegotiate"
flag to set it up to use the GSSAPI authentication for
whatever directory or page you are protecting.

Getting a standard GSSAPI module for Apache is the next
step towards making Single Sign On for the web possible
for everyone who doesn't want to run IIS.

-Wyllys
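
An added example, not part of the original message and not taken from the mod_auth_kerb project: an Apache configuration for the mod_auth_kerb setup described above, restricted to SSL so the Negotiate exchange is not sent in the clear. The location `/private`, the realm `EXAMPLE.COM` and the keytab path are assumptions; the module is assumed to be already loaded.

```apache
# Example only: protect /private with Kerberos via mod_auth_kerb.
<Location /private>
    # Refuse plain-HTTP requests, so authentication only ever
    # happens over SSL (matches the browser's https-only default).
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"

    # Use GSSAPI "Negotiate" so the browser's existing ticket is used.
    KrbMethodNegotiate on

    # Turn off the username/password fallback. With it on, a browser
    # that does not answer Negotiate shows a login prompt instead.
    KrbMethodK5Passwd off

    # Assumed realm name.
    KrbAuthRealms EXAMPLE.COM

    # Assumed path. The keytab must hold the HTTP/<server-fqdn>
    # service principal and be readable only by the Apache user.
    Krb5Keytab /etc/httpd/conf/http.keytab

    Require valid-user
</Location>
```

With `SSLRequireSSL` in place the browser preferences can stay at an "https://" value, so credentials are never offered to plain-HTTP sites.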