How to setup apache redirect or custom 401 document on Kerberos SSO login failure

Question

I have a working Kerberos SSO setup, I use apache and jboss with mod_jk. Apache is protecting (by kerberos) the auto-login.htm page with the following configuration:

<Location /auto-login.htm>  
AuthType           Kerberos  
AuthName           "Kerberos Active Directory Login"  
KrbMethodNegotiate on  
KrbMethodK5Passwd  on  
KrbAuthRealms      KRB.SOMEDOMAIN.COM  
KrbServiceName     HTTP/server.somedomain.com@KRB.SOMEDOMAIN.COM  
Krb5Keytab         /etc/krb/krb5.keytab  
KrbVerifyKDC       on  
KrbAuthoritative   on  
require            valid-user  
#ErrorDocument 401  /login.htm  
</Location>

This works 100% and I am able to login with Kerberos/SSO and read the remote_user variable in my java application.

Now the problem is that I want to redirect to a unprotected login.htm if the user was unable to log in via Kerberos/SSO. The solution I had in mind was to set a 401 ErrorDocument, however when I set this up by uncommenting the #ErrorDocument 401 in the code above it always redirects to login.htm as returning a 401 to request user credentials is inherently part of the Kerberos/SSO authentication process. Thus the result is users always end up at login.htm and never completes the Kerberos/SSO login process.

Any help or alternative solution will be appreciated.

Thanks in advance
Pierre

Answer 1

In order not to interrupt the Kerberos/SSO authentication process, use the following:

ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login.htm\"></html>"

This will cause a redirect to occur only when the user clicks cancel on the browser dialog box.

Answer 2

I believe you want ErrorDocument 403. 401 is returned when the server asks for authentication, 403 is returned when the client fails to provide authentication. This is at least true when setting up x.509 authentication.

Answer 3

You could also do this:

ErrorDocument 401 /redirect-to-login
RewriteRule ^/redirect-to-login$ /login.html [R]