Basic authentication fallback

[andreas83]

Is there a way to redirect a user to a certain page instead of showing the basic authentication dialog while not authenticated?
i tried already the ErrorDocument 401 directive, but this redirected all users to the given page.

in mod_auth_kerb there was the possibility to use Satisfy Any to tell the apache to do the kerberos authentication and to allow access even the auth failed.
source : https://www.jeffgeerling.com/blogs/jeff-geerling/apache-kerberos-authentication

is there something similar in mod_auth_gssapi?

best kind of regards
andreas

[simo5]

The best way to handle this is to create an authentication location (say /path/login/page) which is the only one you protect with mod_auth_gssapi.

In that location you will use ErrorDocument 401 to show a form to be shown as alternative authentication if krb auth fails.

All browsers will do krb negotiation if they are capable or show the body of the 401 document if not.

Either auth method should end up setting a cookie to carry auth into other locations (via SessionCookie module for example) and redirect to the actual application location on success.

You can see an example of this in the freeIPA project.

In the protected location you will want to set the following directives probably:

#disable basic auth
GssapiBasicAuth Off

#use sessions so you can auth to other parts of the app
GssapiUseSessions On
Session On
SessionCookieName gssapi_session path=/whatever;httponly;secure;

#avoid some browsers to try their own "NTLM" dialog
GssapiNegotiateOnce On

HTH.

[UBA-NE]

Hello,

I'm facing the same problem. When a visitor visits our page, and they are in our Kerberos realm, they automatically get logged in. When a
vistor is outside the Kerberos realm, the basic-auth browser popup gets displayed. Is there a way to deactivate this mechanism with an Apache config? We have a login-page where users can manually log in, so we don't want/need the browser Popup. I believe this was possible with KrbMethodK5Passwd off with the old Apache Kerberos module.

Ideally, the visitor would be redirected to our manual login page instead of showing the popup

Any help would be much appreciated!
uba

[simo5]

Have you tried the options I mentioned in the previous reply? Did they fail to work?

[UBA-NE]

Hi,

thank you for the quick response!

does not seem to have any effect, basic-auth popup still appears
GssapiBasicAuth Off

does work, but I first need to press escape when the basic-auth popup appears
ErrorDocument 401 /(manual-login

also seems to have an effect, the redirect works directly without the need to press escape, but the popup still appears...
GssapiNegotiateOnce On

[simo5]

Is this with a Microsoft web Browser like Edge?
OR some other browser?

[UBA-NE]

yes, tested on chrome and microsoft edge. Firefox doesn't show auth popup...

[simo5]

Please look at this one: #245

At the moment I am not a aware of a way to prevent this.

However you can definitely allow people to access even when not authenticated by dropping the "Require valid-user" directive.

[UBA-NE]

<Location "/kerberos-login">
	SSLRequireSSL
	AuthType GSSAPI

	AuthName "Private Area"

	GssapiBasicAuth Off

	# The realm used for Kerberos, you will want to
	# change this to your actual domain
	GssapiCredStore keytab:/etc/apache2/kr5b.keytab

	# You can also try to set the explicit name instead of the keytab,
	# this will lookup the keytab from its default location /etc/kr5b.keytab
	#GssapiCredStore HTTP/openproject.local@TEST.LOCAL
	# Disable SSL
	GssapiSSLonly           Off

	# Use the local user name without the realm.
	# When off: gets sent logins like "user1@EXAMPLE.com"
	# When on:  gets sent logins like "user1"
	GssapiLocalName         On

	# Allow kerberos5 login mechanism
	GssapiAllowedMech krb5

	#avoid some browsers to try their own "NTLM" dialog
	GssapiNegotiateOnce On

	#use sessions so you can auth to other parts of the app
	GssapiUseSessions On
	Session On
	SessionCookieName gssapi_session path=/;httponly;secure;
	GssapiSessionKey key:RGFzIGlzdCBpcmdlbmRlaW4ga3VyemVyIFRleHQu

	# Apache directive to ensure a user is authenticated
	Require valid-user
	ErrorDocument 401 /manual-login
</Location>