Kerberos/Apache receiving Active Directory user/password in plain text
Michael Ströder
michael at stroeder.com
Fri Oct 30 16:41:21 EDT 2009
LUISRAMOS wrote:
> We have a unix web server with Apache where we installed kerberos to
> implement single sign on.
I guess you're using mod_auth_kerb?
> The idea with this is to have the ability of
> authenticating through the Windows Active Directory once not needing to log
> again in the unix box. After the setup, the authentication works. When we
> log in to the unix server, a popup window asks for user/pwd. After entering
> user/pwd the credentials are authenticated against the windows active
> directory and the access to the unix/apache box is granted. However, what
> we want is to avoid this login popup. We noticed that when the popup window
> is displayed the following message is seen in the popup: "Warning: This
> server is requesting that your username and password be sent in an insecure
> manner (basic authentication without a secure connection)." Looks like the
> internet browser is sending the credentials in plain text to the unix box.
>
> Does anybody have an idea on how we can configure Kerberos, or any other component
> to avoid this popup window?
Set "KrbMethodK5Passwd off" in httpd.conf.
See also: http://modauthkerb.sourceforge.net/configure.html
Ciao, Michael.
--
Michael Ströder
E-Mail: michael at stroeder.com
http://www.stroeder.com
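
The setting from the reply above shown in context, as an added example that is not part of the original post: a mod_auth_kerb block with the password fallback disabled. The location path, realm and keytab path are placeholder assumptions.

```apache
# Added example (not from the original thread).
# /protected, EXAMPLE.COM and the keytab path are placeholders.
<Location /protected>
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Accept SPNEGO/Negotiate tickets from the browser (single sign-on).
    KrbMethodNegotiate On

    # Before: mod_auth_kerb enables the password method by default, so the
    # server also offers Basic authentication. The browser then prompts for
    # user/password and sends them to Apache, which checks them against the
    # KDC. Over plain HTTP this produces the warning quoted in the question.
    # KrbMethodK5Passwd On

    # After: do not offer the password fallback; only tickets are accepted.
    KrbMethodK5Passwd Off

    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/http.keytab
    Require valid-user
</Location>
```

With the fallback off, a browser that does not send a Negotiate ticket receives a 401 instead of a password prompt, so the Active Directory password is never sent to the web server.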