I am implementing an intranet CMS (Joomla 2.5) in a multi-domain environment, logging users in with Kerberos against Windows AD -> SSO. SSO with Kerberos works perfectly for the integrated domains, and so does the SSO to the CMS.
My problem: around 10% of our users aren't in any domain (mostly sales staff…), so they fail to authenticate with Kerberos against Windows AD. But we want to provide access to the intranet to those users as well, even if they can't be logged on to the CMS.
My question: is there a way to redirect those users to the CMS directory as a fallback?
My Apache config so far:
<VirtualHost *:80>
    ServerAdmin someone@mydomain.com
    ServerName intranet.company.local
    DocumentRoot /opt/joomla/jupgrade
    <Directory /opt/joomla/jupgrade>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
        AuthType Kerberos
        AuthName "Intranet Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms DOMAIN1 DOMAIN2 DOMAIN3 DOMAIN4 DOMAIN5
        KrbServiceName HTTP
        Krb5KeyTab /etc/apache2/kerberos_myserver_combined.keytab
        require valid-user
        #ErrorDocument 401 /noauth/401.hmtl
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
It is not possible to join those users into one of the domains. There is a project running for a one-domain-solution but this will take some time.
Ubuntu 12.04 and Apache 2.2 as the webserver environment.
Thanks in advance for any suggestions!
Best Answer
You can use a custom error response to redirect unauthorized users to another URL or another directory:
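
One way to wire up the custom 401 response the answer describes, as an added example for Apache 2.2 with mod_auth_kerb (not the answerer's own configuration). The guest host name `intranet-guest.company.local` and the content of the error page are assumptions; `/noauth/401.html` follows the path in the question's commented-out line.

```apache
# Added example, not from the original answer.
<VirtualHost *:80>
    ServerName intranet.company.local
    DocumentRoot /opt/joomla/jupgrade

    <Directory /opt/joomla/jupgrade>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
        AuthType Kerberos
        AuthName "Intranet Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms DOMAIN1 DOMAIN2 DOMAIN3 DOMAIN4 DOMAIN5
        KrbServiceName HTTP
        Krb5KeyTab /etc/apache2/kerberos_myserver_combined.keytab
        Require valid-user
        # Must be a local path. With a full URL Apache answers with a
        # redirect instead of the 401, so domain clients would never see
        # the Negotiate challenge and SSO would stop working.
        ErrorDocument 401 /noauth/401.html
    </Directory>

    # The error page is sent as the body of the 401 and must itself be
    # readable without authentication (Apache 2.2 syntax).
    # Assumed content of 401.html: a static page that links or
    # meta-refreshes to the guest host below.
    <Directory /opt/joomla/jupgrade/noauth>
        Satisfy Any
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

# Hypothetical guest host: same CMS, no Kerberos, so REMOTE_USER is never
# set and visitors stay anonymous in Joomla.
<VirtualHost *:80>
    ServerName intranet-guest.company.local
    DocumentRoot /opt/joomla/jupgrade
    <Directory /opt/joomla/jupgrade>
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

With a guest host like this, Kerberos no longer gates access to the site; it only decides who gets logged in. Anything that must stay restricted has to be protected by Joomla's own access levels.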