0

We have a system that's exposed to internal users (who have Kerberos authentication) and to 3rd parties that can log in via a traditional username/password form. What we've currently done is to have multiple servers running, some that are Kerberized with say a.mysite.com and some that have the forms authentication running on b.mysite.com.

What I'd like, is to have a single URL that we share with both groups and have the server determine if a Kerberos token is available. If it is, then use that, otherwise redirect to the login page. Ideally, users remain on "myproject.mysite.com" the whole time... but if we need to (automatically) redirect them to a.mysite.com or b.mysite.com based on whether they have that token that's OK.

Thoughts?

Oli
  • 1,031
  • 8
  • 20
  • What technology stack are you using? Are both types of user authenticating against the same authentication server ultimately? What type of authentication server are you using? – Scott Stevens Jan 09 '13 at 17:48
  • Our site is a ruby/rails stack running on Apache (through Passenger) and the credential stores are different. – Oli Jan 09 '13 at 18:20

1 Answers1

0

This is very easy to achieve. There are two options for you.

1: Send back to the client

WWW-Authenticate: Negotiate
WWW-Authenticate: Kerberos
WWW-Authenticate: Basic (or better yet Digest)

The client will choose the best method available for him.

2: If you really require form-auth, send

WWW-Authenticate: Negotiate

and present the form as the 401 page. Let the form post to an unprotected controller and perform form auth.

You can use mod_auth_kerb or mod_auth_gss for Apache HTTPd and examine $REMOTE_USER after successful auth.

Please keep in mind that if want some users to use Kerberos auth, they must be part of your network/domain with KDC accounts and proper DNS entries.

Michael-O
  • 18,123
  • 6
  • 55
  • 121