I implemented a SSO authentication using mod_auth_kerb on Apache. My config looks like this:
<Location /login/ >
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbAuthoritative on
KrbVerifyKDC on
KrbAuthRealm D.ETHZ.CH
Krb5Keytab /etc/HTTP.keytab
KrbSaveCredentials on
RequestHeader set KERBEROS_USER %{REMOTE_USER}s
</Location>
My problem is that, without require valid-user, mod_auth_kerb doesn't even try to authenticate the user and KERBEROS_USER ends up being (null). If I add require valid-user, the user is authenticated automatically if the browser supports it, but gets shown an ugly modal login form (ala HTTP Basic Auth) if the browser doesn't support Kerberos Negotiate.
What I want to achieve is that if a user visits /login/, mod_auth_kerb tries to authenticate the user through Kerberos Negotiate. If that fails, a normal HTML login form will be presented to the user.
Is it possible to configure Apache/mod_auth_kerb in such a way?
I've done this once when I built a simple single-signon tool (to merge Kerberos with mod_auth_tkt). It required a little bit of chicanery:
/webauth/login was protected by a
require valid-userdirective. If someone connected with valid Kerberos credentials, we got their username from REMOTE_USER, gave them an authentication cookie, and sent them on their way.The Apache configuration used an
ErrorDocumentrequest to redirect unauthenticated users to /webauth/require_authentication:ErrorDocument 401 /webauth/require_authentication
This would perform the following actions:
The login form would do exactly what you expect: present a username/password form, validate same, and then give them the auth cookie.