mod_auth_kerb and kerberos

Henry B. Hotz hotz at
Wed Sep 7 21:04:35 EDT 2005

5.0-rc6 works fine with Heimdal 0.6.x and MIT 1.3.x.  I published a  
patch for Heimdal 0.7 on one of the Heimdal lists a bit ago.  I've  
since patched it to work with MIT 1.4.x, but have further modifications  
to make.  If you can prove you're a US citizen I can send you the mods.  

As best I understand the situation, mod_auth_kerb was the testbed for  
open-source re-implementation of Microsoft's SPNEGO on the server side.  
  Since then SPNEGO has been added to the gssapi implementations of both  
Heimdal and MIT distributions, so that code can be deleted.

Furthermore I *think* there have been caching improvements in both IE  
and the Mozilla negotiate module so you don't need the code to defeat  
MIT's replay cache either.  At any rate a reload from Firefox works  

The only problem I'm seeing with all that crud (er. stuff) deleted is  
if you point Apple's Safari at it the SPNEGO fails (which is  
appropriate), but it doesn't fall back to a basic-auth prompt.

If I'm missing something, or if I'm misrepresenting something, someone  
please let me know.

On Sep 6, 2005, at 9:02 AM, krbdev-request at wrote:

> Date: Mon, 05 Sep 2005 20:50:32 -0400
> From: Phillip Ames <phillip.ames at>
> To: krbdev at
> Subject: mod_auth_kerb and kerberos
> Message-ID: <431CE7D8.7030800 at>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Precedence: list
> Message: 2
> Hi,
> I'm using Kerberos version 1.4.1 in tandem with mod_auth_kerb version
> 5.0 and apache 2.0.54 to authenticate users on a web interface.  All of
> these configurations happily hummed away using older versions of
> kerberos and mod_auth_kerb, but since upgrading, I am not having much
> luck.  The error message I receive in the apache logs is:
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list