1
votes

I would like to support both Kerberos and standard username+password authentication (via web form) in parallel. This works fine when the client is in the domain. The server returns the HTTP header "WWW-Authenticate: Negotiate" and sends an HTTP error 401 (unauthorized), as required by the Kerberos protocol, and the browser client then continues by sending the required information. But when the login page is accessed from outside the domain, the process stops on the client side after receiving the 401.

Is there a way to run these two authentication methods in parallel? (same question here, without a conclusive solution: Optional SPNEGO Kerberos authentication)

Let me see if I got this right. "when the login page is accessed from outside the domain, the process stops on the client-side after receiving the 401." That's by design. Create a cross-realm trust between the domains, and Kerberos SSO will work for everyone. Why would you want to fall back to a less secure method? - T-Heron
The system needs to be accessible both by internal users (who would authenticate using Kerberos) and external users (with username and password). Both user groups should use the same URL to log in. - martin_wun
For your external users, do they also exist within the directory, but they just coming in from outside the network? - T-Heron
The external users don't exist in the directory. They have accounts set up with username and password in the system they are meant to access. - martin_wun
Hmmm. What type of web server are you running, and what OS is it running on? - T-Heron

1 Answer

0
votes

You are better off implementing the same approach as mod_auth_gssapi: it also offers Basic and performs the auth loop internally as if your client is sending the SPNEGO token.
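One way to serve both methods from a single URL, as an added example that is neither from the answer above nor from mod_auth_gssapi itself: a request dispatcher in Python that answers an unauthenticated request with one 401 carrying both a Negotiate and a Basic challenge and the HTML login form in the body, so a domain browser completes SPNEGO while a browser outside the domain simply renders the form. The `verify_spnego` callable (the site's real GSSAPI validator), the `LOCAL_USERS` table and the form field names are assumptions made for this example.

```python
import base64
import hmac
from typing import Callable, Dict, Optional, Tuple

# Constructed sample store for external (non-domain) users; a real deployment
# would hold salted password hashes, not plaintext.
LOCAL_USERS = {"extuser": "s3cret"}

Response = Tuple[int, Dict[str, str], str]

# Login form that external browsers see when they render the 401 body.
LOGIN_FORM = ('<form method="post" action="/login">'
              '<input name="u"><input name="p" type="password"></form>')


def challenge() -> Response:
    """Single 401 advertising both schemes (RFC 7235 allows a comma-separated
    challenge list) and carrying the form so external users are not stuck."""
    return 401, {"WWW-Authenticate": 'Negotiate, Basic realm="app"'}, LOGIN_FORM


def check_password(user: str, pw: str) -> bool:
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(LOCAL_USERS.get(user, ""), pw) and user in LOCAL_USERS


def authenticate(headers: Dict[str, str], form: Optional[Dict[str, str]],
                 verify_spnego: Callable[[bytes], Optional[str]]) -> Response:
    """Dispatch one request. verify_spnego accepts the raw SPNEGO token and
    returns the principal or None; it is injected so this runs offline."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    try:
        raw = base64.b64decode(param) if param else b""
    except ValueError:            # malformed base64 in either scheme
        return challenge()
    if scheme.lower() == "negotiate":     # domain browser answered the challenge
        user = verify_spnego(raw)
        return (200, {}, f"hello {user} (kerberos)") if user else challenge()
    if scheme.lower() == "basic":         # scripted/external clients
        user, _, pw = raw.decode("utf-8", "replace").partition(":")
        return (200, {}, f"hello {user} (basic)") if check_password(user, pw) else challenge()
    if form is not None:                  # POST from the form in the 401 body
        user = form.get("u", "")
        return (200, {}, f"hello {user} (form)") if check_password(user, form.get("p", "")) else challenge()
    return challenge()                    # first contact: issue both challenges
```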