I've configured Apache to use mod_auth_kerberos
. So far everything is working nicely for client thats connected to Active Directory and have their browser to NTLM enabled.
When clients are not in the domain or the browser configured not to authenticate automatically, they are being prompted by 2 login prompt.
The first login prompt is blank and the second one is the oen that we configured
First Login prompt:
Second Login prompt:
From the log ( first authentication) :
[Wed Jan 06 15:47:29 2010] [debug] src/mod_auth_kerb.c(1684): [client x.x.x.x] [pid 2562] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
In the first loging prompt , I can put any text for username and password. Once the first login form submited, it will ask for the 2nd login prompt.
Apache have following config :
<Directory /web/apache2/htdocs>
AllowOverride All
AuthType Kerberos
AuthName "Staff Access ONLY Kerb-Auth"
KrbAuthRealms EXAMPLE.COM
Krb5Keytab /etc/httpd/conf.d/example.ktab
Allow from localhost
Require valid-user
<Directory>
What could be the cause of the first authentication and how can I get rid of them ?
Only IE will prompt you twice. For example Firefox will only present the configured login prompt. To solve this you will have to add the specific website to your "local intranet" or to your "trusted sites" (Internet Options -> Security tab -> "Local Intranet"). I'm not sure anymore which one but I thought it was the "local intranet".