0
votes

We have an apache2-server using Kerberos for website-authentication via Active Directory. On the website I use the Drupal-Framework and the unsupported "Kerberos Authentication"-Module (https://www.drupal.org/project/kerberos_authentication).

When a user wants to access the Website, she/he has to do the following:

  1. Open the browser & navigate to the website
  2. A popup appears asking for Kerberos/AD credentials.
  3. Enter AD credentials
  4. Being allowed to proceed to the drupal-website.
  5. Access the website

The problem is in Part 5: The user still needs to fill in the login-form to get logged into drupal. The AD username and password are working here thanks to the Drupal-Kerberos-Module. But this forfeits Kerberos in the first place, since the users have to enter their credentials more than once.

How can I access the ticket the user was granted/that is stored in the browser (or wherever it is stored) using PHP? Or how can I check, using PHP, whether a user has a valid Kerberos ticket, so that the user does not have to enter his login data twice and gets logged into Drupal automatically? (I am aware that this could require me to write my own Drupal module.)

1
You should be able to configure the browser to automatically send the credentials, which will avoid the need to enter them in a popup. I'm not sure this will help with point 5 in your question, but might be a good place to start. – Chris Wheeler
All I need to accomplish is to check whether the ticket is valid. With mod_auth_kerb I get the principal name and his password in the $_SERVER[] global variable, but if I now take them and check them against the KDC again it defeats the purpose of Kerberos in the first place, I think. – Juarrow
I believe if the $_SERVER['REMOTE_USER'] is populated then the ticket has already been validated by mod_auth_kerb and is safe to trust. Drupal can then obtain the Kerberos authenticated username from $_SERVER['REMOTE_USER'] and match that against its own user database and then log the user in to Drupal. – Chris Wheeler
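
The check described in the last comment, as an added example that is not part of the original thread or of the Kerberos Authentication module: it maps the principal in $_SERVER['REMOTE_USER'] to a local account name and refuses anything the web server did not authenticate itself. It assumes REMOTE_USER holds the full user@REALM principal and that SPNEGO logins are reported with AUTH_TYPE "Negotiate". The function name, the realm EXAMPLE.COM and the sample requests are constructed for illustration.

```php
<?php
// Added example; not code from the thread or from any Drupal module.
// EXAMPLE.COM and every sample value below are constructed.

/**
 * Map the principal Apache authenticated to a local account name.
 * Returns null when the request must fall back to the normal login form.
 */
function kerberos_principal_to_username(array $server, string $expectedRealm): ?string
{
    // Trust only the variable set by the server's auth module. Anything
    // prefixed HTTP_ (e.g. HTTP_REMOTE_USER) comes from a client header.
    $principal = $server['REMOTE_USER'] ?? '';
    // Assumption: SPNEGO logins are reported with AUTH_TYPE "Negotiate".
    if ($principal === '' || ($server['AUTH_TYPE'] ?? '') !== 'Negotiate') {
        return null;
    }
    // Expect exactly user@REALM with a conservative character set.
    if (!preg_match('/\A([A-Za-z0-9._-]{1,64})@([A-Za-z0-9.-]{1,255})\z/', $principal, $m)) {
        return null;
    }
    // Realm names are case-sensitive; compare exactly so a principal from
    // another (trusted) realm cannot map onto a local account name.
    if ($m[2] !== $expectedRealm) {
        return null;
    }
    // Assumption: local account names are stored in lowercase.
    return strtolower($m[1]);
}

// Constructed requests covering the accepted case and three rejected ones.
$samples = [
    'sso login'     => ['REMOTE_USER' => 'JDoe@EXAMPLE.COM', 'AUTH_TYPE' => 'Negotiate'],
    'foreign realm' => ['REMOTE_USER' => 'jdoe@OTHER.EXAMPLE', 'AUTH_TYPE' => 'Negotiate'],
    'client header' => ['HTTP_REMOTE_USER' => 'admin@EXAMPLE.COM'],
    'no realm'      => ['REMOTE_USER' => 'jdoe', 'AUTH_TYPE' => 'Negotiate'],
];

foreach ($samples as $label => $server) {
    $name = kerberos_principal_to_username($server, 'EXAMPLE.COM');
    // A module would load the account with this name and start the session
    // only when $name is not null and the account exists and is active.
    printf("%-14s => %s\n", $label, $name ?? '(fall back to login form)');
}
```

If the server is configured to strip the realm before setting REMOTE_USER, the realm check has to be enforced in the server configuration instead, since the application can no longer see it.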

1 Answer

1
votes

Tangential to your question - though I've never managed to properly configure the module you mention, I've had great luck with the LDAP module. It also includes a submodule for SSO, which does exactly what you want, but using the Drupal login form as a fallback instead of the (in my opinion, ugly) popup shown in your example.

I hope this is helpful to you.