Is there a way for Apache to fall back to a different authentication method if Kerberos authentication (for some reason) fails? The order of the authentication methods should be:
- Kerberos
- Active Directory
- RSA token
The RSA token authentication is used by external parties who do not have AD accounts.
Let me know if you need more info. Thanks.
My current config is as follows:
<Directory "/path/to/directory">
    AuthType Kerberos
    AuthName "Please provide credentials to log in"
    KrbAuthoritative off
    AuthzLDAPAuthoritative off
    AuthBasicAuthoritative off
    AuthBasicProvider this-sso this-ad this-radius
    Require valid-user
    SSLRequireSSL
</Directory>
Authentication aliases are below:
<AuthnProviderAlias kerberos this-sso>
    KrbAuthRealms THIS.LOCAL
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbDelegateBasic on
    Krb5Keytab /etc/apache2/this.keytab.key
    KrbServiceName HTTP
    KrbVerifyKDC off
</AuthnProviderAlias>
<AuthnProviderAlias ldap this-ad>
    Include /etc/apache2/.ldapbinddn
    AuthLDAPURL "ldaps://srv1.this.local srv2.this.local:636/OU=DIR,DC=this,DC=local?sAMAccountName?sub?(objectClass=user)"
</AuthnProviderAlias>
<AuthnProviderAlias xradius this-radius>
    AuthXRadiusAddServer "rsasrv1.this.local:1812" "Shared_key_here"
    AuthXRadiusTimeout 7
    AuthXRadiusRetries 2
    AuthXRadiusRejectBlank on
</AuthnProviderAlias>
Best Answer
The website of the mod_auth_kerb module is somewhat unclear about this, stating at one point that AuthType must be set to Kerberos, but also implying that "if your AuthType is Basic" it will essentially use the username/password pair that AuthType Basic provides to check against your Kerberos server. The other directives you have for Kerberos, specifically KrbDelegateBasic on, don't seem to be documented at the sourceforge page for this module, making me wonder which version of this module you're using. But, putting that aside for the moment, unless the mod_auth_kerb module is somehow able to hand along the values it gets to the next authentication module in the chain in a way that the next module can understand, this likely won't work.
As a test, I'd change AuthType to Basic, KrbMethodNegotiate to off, and KrbMethodK5Passwd to on, and see if that changes the behavior at all. This would hopefully cause mod_auth_kerb to gather the login data in a way that the other modules can understand, prevent the authentication method from being negotiated, and attempt to gather a username/password rather than a ticket. The negotiation part is important, since that's done for each connection, and thus, if the client browser negotiates a method that screws up the next authentication method, it won't ever get past the Kerberos auth.
I will say that I've never configured Kerberos auth on Apache, so this is somewhat of a guess. I have done LDAP falling back to file-based Basic auth, though, so I know the fall-through mechanism works, in general.
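The test configuration the answer proposes, written out in full as an added example (it is not part of the original question or answer): the asker's own directives, with AuthType switched to Basic, KrbMethodNegotiate set to off and KrbMethodK5Passwd set to on, so that all three providers are handed the same username/password pair. Every directive, host and path below comes from the question; the realm, keytab path and RADIUS shared secret are the question's placeholders.

```apache
# Added example, not from the original post: the answer's suggested test
# variant of the asker's configuration. All directives, hosts and paths are
# taken from the question; THIS.LOCAL, the keytab and "Shared_key_here" are
# the question's placeholders and must be replaced with real values.

# Kerberos provider: collect a username/password (no Negotiate), so the same
# credentials can fall through to the LDAP and RADIUS providers on failure.
<AuthnProviderAlias kerberos this-sso>
    KrbAuthRealms THIS.LOCAL
    KrbMethodNegotiate off        # do not negotiate a ticket per connection
    KrbMethodK5Passwd on          # check the Basic username/password against the KDC
    KrbDelegateBasic on
    Krb5Keytab /etc/apache2/this.keytab.key
    KrbServiceName HTTP
    KrbVerifyKDC off              # as in the question; 'on' verifies the KDC against the keytab
</AuthnProviderAlias>

# Active Directory via LDAPS; the bind DN and password live in a separate file.
<AuthnProviderAlias ldap this-ad>
    Include /etc/apache2/.ldapbinddn
    AuthLDAPURL "ldaps://srv1.this.local srv2.this.local:636/OU=DIR,DC=this,DC=local?sAMAccountName?sub?(objectClass=user)"
</AuthnProviderAlias>

# RSA token via RADIUS, for external parties without AD accounts.
<AuthnProviderAlias xradius this-radius>
    AuthXRadiusAddServer "rsasrv1.this.local:1812" "Shared_key_here"
    AuthXRadiusTimeout 7
    AuthXRadiusRetries 2
    AuthXRadiusRejectBlank on     # never forward an empty token to the RADIUS server
</AuthnProviderAlias>

<Directory "/path/to/directory">
    AuthType Basic                # was Kerberos; Basic gives every provider the same credentials
    AuthName "Please provide credentials to log in"
    # Each module is non-authoritative, so a failed check is passed to the next one.
    KrbAuthoritative off
    AuthzLDAPAuthoritative off
    AuthBasicAuthoritative off
    # Tried in order: Kerberos password, then Active Directory, then RSA token.
    AuthBasicProvider this-sso this-ad this-radius
    Require valid-user
    SSLRequireSSL                 # Basic credentials must only travel over TLS
</Directory>
```

Whether the fall-through actually happens hinges on the point the answer raises: mod_auth_kerb must decline, rather than reject, a user the KDC does not know, so that this-ad and this-radius get to see the request. Raising LogLevel to debug while testing with a Kerberos user, an AD-only user and an RSA-only user shows which provider accepted or refused each one.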