Hi,
I know this issue has already been opened several times, but I have been trying for several days now and can't get it to work.
As already suggested, I created a single sign-on route which only tries to do the krb5 authentication, and a fallback login route for manual login via PHP.
The web application is built with Laravel Livewire.
The web server is Ubuntu 22.04 and the DC is Windows Server with Active Directory.
My Apache config looks like this:
Site Config:

```apache
<Directory /var/www/html/workflow2/public>
    #.htaccess
    AllowOverride All
    #LDAP
    Include /etc/apache2/conf-available/ldap.conf
    #Sessions
    Include /etc/apache2/conf-available/sessions.conf
    #GssApi
    Include /etc/apache2/conf-available/gssapi.conf
    #Set Keytab File
    GssapiCredStore keytab:/etc/sr-webjs-01.keytab
</Directory>
LogLevel info auth_gssapi:debug
```
gssapi Config:

```apache
#GSSAPI Config
GssapiConnectionBound On
GssapiUseSessions On
AuthType GSSAPI
GssapiBasicAuth Off
GssapiPublishMech On
GssapiAllowedMech krb5
GssapiLocalName On
AuthName ""
```
Session Config:

```apache
<IfModule mod_session.c>
    Session on
</IfModule>
<IfModule mod_session_cookie.c>
    SessionCookieName gssapi_session path=/;httponly;secure;
</IfModule>
```
.htaccess:
```apache
GssapiConnectionBound Off
Options -MultiViews -Indexes
RewriteEngine On
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Send Requests To Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Anchored so that only /sso and /sso/... match; an unanchored m#/?sso(/.*)?#
# would also match any URI that merely contains "sso" (e.g. /lessons).
<If "'%{REQUEST_URI}' =~ m#^/sso(/.*)?$#">
GssapiNegotiateOnce On
SessionCookieName gssapi_session path=/sso;httponly;secure;
require valid-user
ErrorDocument 401 /login
</If>
```
When I enable GssapiNegotiateOnce, Apache logs the following errors:

```
[Wed Jan 22 14:45:04.389423 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(904): [client 10.10.10.15:53315] URI: /sso, no main, no prev, referer:
[Wed Jan 22 14:45:04.389519 2025] [auth_gssapi:info] [pid 2935162] [client 10.10.10.15:53315] NO AUTH DATA Client did not send any authentication headers, referer:
[Wed Jan 22 14:45:04.389597 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
[Wed Jan 22 14:45:04.389661 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
[Wed Jan 22 14:45:04.497157 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(904): [client 10.10.10.15:53315] URI: /sso, no main, no prev, referer:
[Wed Jan 22 14:45:04.497579 2025] [auth_gssapi:error] [pid 2935162] [client 10.10.10.15:53315] INTERNAL ERROR Mechanism needs continuation but neither GssapiConnectionBound nor GssapiUseSessions are configured, referer:
[Wed Jan 22 14:45:04.497662 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
[Wed Jan 22 14:45:04.497751 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
```

As soon as I set GssapiNegotiateOnce to Off, SSO works like a charm.
I want to achieve SSO / guest access but without the browser auth popup, so if no SSO is available it should fall back to /login without any popups.
Kind regards
If these are Windows clients, the pop-up is not something you can control from mod_auth_gssapi, because it is done on Windows by the system libraries when they see a Negotiate auth and they do not have local credentials they think they can use to authenticate to the server.
The only reasonable workaround I found so far is to provide an initial page with two buttons, one for login with SSO and one for password login, like the ones you see on many public websites.
The SSO part consists of domain-joined Windows machines with domain users; the other half are neither domain machines nor domain users ("guests").
As soon as I use GssapiConnectionBound Off and GssapiNegotiateOnce On, the SSO part breaks completely and everything results in a 401, but with no popup. So I hoped there was something I did wrong there.
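The layout below is an added example of the two-route split this thread converges on, written for this page; it is neither the poster's configuration nor anything shipped by the mod_auth_gssapi project. It assumes the paths from the issue (the Laravel `public` directory and the keytab), that `mod_session`, `mod_session_cookie`, `mod_rewrite` and `mod_auth_gssapi` are loaded, and that `/login` is a Laravel route serving a password form. Its point is structural: only `/sso` ever sends a `WWW-Authenticate: Negotiate` challenge, the GSSAPI directives live in a `<Location>` (which Apache merges after `<Directory>` and `.htaccess`, so a stray `GssapiConnectionBound Off` in the application's `.htaccess` can no longer override them), and the fallback route never challenges at all. Whether any particular combination of `GssapiNegotiateOnce`, `GssapiConnectionBound` and `GssapiUseSessions` avoids the INTERNAL ERROR quoted above is not established by this thread; the combination the poster reports as working is the one used here.

```apache
# Added example, not the poster's config or the mod_auth_gssapi project's.
# Assumed paths: Laravel public dir and keytab as given in the issue.
LogLevel info auth_gssapi:debug

<IfModule mod_session.c>
    Session On
</IfModule>
<IfModule mod_session_cookie.c>
    SessionCookieName gssapi_session path=/;httponly;secure;
</IfModule>

# The application directory: Laravel's own .htaccess (rewrites to index.php)
# is allowed, but it must not contain any Gssapi* directives.
<Directory /var/www/html/workflow2/public>
    AllowOverride All
    Require all granted
</Directory>

# Negotiate is confined to this one path. <Location> is merged after
# <Directory> and .htaccess, so nothing in .htaccess can override it.
<Location /sso>
    AuthType GSSAPI
    AuthName "Kerberos SSO"
    GssapiCredStore keytab:/etc/sr-webjs-01.keytab
    GssapiAllowedMech krb5
    GssapiBasicAuth Off
    GssapiLocalName On
    GssapiPublishMech On
    # The combination the thread reports as working for the SSO clients.
    GssapiConnectionBound On
    GssapiUseSessions On
    # The thread reports the INTERNAL ERROR with GssapiNegotiateOnce On
    # while GssapiConnectionBound is Off; left off here.
    GssapiNegotiateOnce Off
    Require valid-user
    # A local path is served as the body of the 401 (Apache does not
    # redirect on 401), so the Negotiate challenge still reaches the client.
    ErrorDocument 401 /login
</Location>

# The password form and everything else: no AuthType, so no challenge
# and therefore nothing for the Windows SSPI libraries to prompt about.
<Location /login>
    Require all granted
</Location>
```

Usage: the landing page the maintainer describes is an ordinary unauthenticated page with two links, one to `/sso` and one to `/login`. A domain-joined client following `/sso` completes Kerberos and lands in the session; a guest client is expected to follow `/login` and never see a Negotiate challenge. A guest that follows `/sso` anyway still receives the challenge (and, on Windows, the prompt the maintainer describes), which is why the choice has to be made before the challenge rather than after it. `curl -sI https://HOST/login | grep -i www-authenticate` should print nothing, while the same request against `/sso` should show `WWW-Authenticate: Negotiate`.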