Kerberized Apache

Richard E. Silverman res at qoxp.net
Wed Feb 20 16:41:13 EST 2008


>>>>> "IL" == Ido Levy <IDOL at il.ibm.com> writes:

    IL> kerberos-bounces at mit.edu wrote on 20/02/2008 03:38:09:
    >> >
    >> > Hello All,
    >> >
    >> > I am looking for a way to enable users to get access to their
    >> space
    IL> through
    >> > the web browser.  > I would like to integrate it with our
    >> Kerberized SSO environment as
    IL> well.
    >> > I tried this module http://modauthkerb.sourceforge.net/ but I
    >> have > encounter some issues:
    >> >
    >> > 1) I didn't succeed in configuring SSO
    >> >
    >> > For each access through the web browser I have been asked for
    IL> user
    >> > and password although > I already had a valid ticket
    >> 
    >> Do you mean that you have a TGT, or that you acquired the necessary
    >> HTTP service ticket?

    IL> I referred to the TGT.

Then you have a basic problem: the browser is not trying or succeeding in
acquiring the service ticket.  If you're using Firefox, you have to
explicitly turn on GSSAPI authentication by setting
network.negotiate-auth.trusted-uris.  If this is turned on, trace the
Kerberos traffic (UDP/TCP port 88) and see what's happening.

    >> 
    >> Take a look at the Apache error log; anything there from
    >> mod_auth_kerb?>

    IL> Nothing special here.

There won't be; since you have no service ticket, it can't try
ticket-based authentication.

    >> > 2) The .htaccess file must be used to control access to each
    >> directory.
    >> >
    >> > For each space I would like to give an access I have to create >
    >> an .htaccess file and > add an entry in the apcahe configuration
    >> file as well
    >> >
    >> > Does anyone have experience with this issue ?  > Are there any
    >> other Kerberos modules for apache that better suits my > needs ?
    >> 
    >> -- Richard Silverman res at qoxp.net
    >> 
    >> ________________________________________________ Kerberos mailing
    >> list Kerberos at mit.edu
    >> https://mailman.mit.edu/mailman/listinfo/kerberos


-- 
  Richard Silverman
  res at qoxp.net




More information about the Kerberos mailing list