Travis Crawford wrote:
What Apache module(s) are compatible with the Kerberos implementation
in Mozilla 1.7b? A couple modules are available: mod_auth_kerb and
mod_auth_gss_krb5.

So far I set up mod_auth_kerb and can log in by entering my username
and password in the browser, but it's not automatic. I haven't tried
mod_auth_gss_krb5 because it seems a bit rough around the edges.
What's the recommended way to configure your Apache web server for
Kerberos authentication through Mozilla? Thanks.


The "negotiateauth" extension in Mozilla 1.7b uses GSSAPI
for authentication in the same manner that Microsoft IE and IIS
use it.  By default, Mozilla 1.7b will *NOT*
respond to server requests for "Negotiate" authentication
unless the URL is "https://".  However, this can be overridden
by modifying a couple of configuration options:

1. Choose "about:config" in the URL bar.
2. Look for the following options:
   network.negotiate-auth.delegation-uris
   network.negotiate-auth.trusted-uris

3. Set these to "http://,https://" in order to allow it to
   be used with non-SSL protected sessions.  It is highly
   desirable to protect any HTTP authentication with
   SSL to prevent session replay attacks.

This is not yet documented in the mozilla docs.

If you are using an IIS server with "integrated windows authentication"
enabled, it should work, assuming you have already configured
your local Kerberos to get tickets from the AD server.

If you want to set this up to work with Apache and the
mod_auth_kerb module from sourceforge, set the
"Krb5Keytab" directive correctly and set the "KrbMethodNegotiate"
flag to set it up to use the GSSAPI authentication for
whatever directory or page you are protecting.

Getting a standard GSSAPI module for Apache is the next
step towards making Single Sign On for the web possible
for everyone who doesn't want to run IIS.

-Wyllys
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
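
A configuration sketch for the mod_auth_kerb setup described in the reply above, added here as an example and not taken from the original post or from the mod_auth_kerb project. The location path, realm, keytab path and hostname are placeholders, and every directive other than Krb5Keytab and KrbMethodNegotiate is an assumption about a typical mod_auth_kerb plus mod_ssl install.

```apache
# Added example: Negotiate (GSSAPI) authentication with mod_auth_kerb.
# All names and paths below are placeholders, not values from the post.

<Location "/protected">
    # Refuse plain-HTTP requests so the Negotiate exchange and the
    # authenticated session are carried over SSL, which the reply
    # recommends to prevent session replay.
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"

    # Keytab holding the web server's service key (HTTP/<fqdn>@REALM).
    # It should be readable only by the account Apache runs as.
    Krb5Keytab /etc/httpd/conf/http.keytab

    # Realm whose tickets are accepted (placeholder).
    KrbAuthRealms EXAMPLE.COM

    # Answer with "WWW-Authenticate: Negotiate" and accept GSSAPI tokens.
    KrbMethodNegotiate on

    # Turn off the username/password fallback, so a browser that does not
    # respond to Negotiate gets a 401 instead of a password prompt.
    # Leaving this on is what produces the manual login described in
    # the question.
    KrbMethodK5Passwd off

    Require valid-user
</Location>

# Browser side, for a server that is only reachable over SSL:
# the about:config preferences from the reply take a comma-separated list,
# so they can name the one site instead of every URL, for example
#   network.negotiate-auth.trusted-uris    = https://www.example.com
#   network.negotiate-auth.delegation-uris = (empty unless the server
#                                             needs forwarded tickets)
```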