Reputation: 78
Why does a browser in a different domain not respond at all to "WWW Authenticate : Negotiate" header sent by mod_auth_kerb?
I have implemented SSO through mod_auth_kerb in our apache-active directory environment and it works just as expected. However the following knowledge is bugging me :
I requested a Kerberos protected page from two client machines, one user belonged to the Kerberos-setup domain and the other user belonged to some other domain.
I then compared the HTTP packets on the two machines. On both the machines, after the request for the Kerberos protected page is sent, the server responds with the following HTTP packet :
HTTP/1.1 401 Authorization Required
Date: Wed, 05 Sep 2012 14:25:20 GMT
Server: Apache WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 60
Connection: close
Content-Type: text/html; charset=iso-8859-1
However, after the above response from the server the client machine's browser belonging to the Kerberos-setup domain responds with a WWW-Authenticate : Negotiate 'token', whereas the other client browser(user belonging to some other domain) does not respond at all.
Now my understanding is, that the client belonging to the other domain should have also responded with its own TGT+Session key token, which the active directory should have rejected. But why this client does not respond at all to the server's WWW-Authenticate : Negotiate challenge is beyond my logic. What is even more confusing is that the server's HTTP response(given above), does not contain any information about the domain it is linked to.
So on what basis is the client browser belonging to the correct domain decide that it has to respond to the server's WWW-Authenticate : Negotiate challenge, and on what basis does the client belonging to some other domain decide not to respond to the same ?
Note : Both the client machines have Windows 7 and active directory is a Windows 2008 server.
I am trying to understand mod_auth_kerb's implementation of SSO, and this particular knowledge is key to that.
Upvotes: 5
Views: 2501
Answers (1)
Reputation: 18415
The module has the option KrbMethodK5Passwd turned on. It sends a Basic header to collect you Kerberos credentials. This is pointless for a non-domain client. Disable this option.
There is a hierarchy of strengths of auth mechanisms, the browser is obliged to choose the best. This is: Negotiate, Digest, NTLM, Basic.
Upvotes: 0
Related Questions
- Authentication issues with WWW-Authenticate: Negotiate
- WWW-Authenticate not working with Kerberos (only NTLM)
- Kerberos authorization doesn't work on Chrome and FireFox, but works on IE
- Browser Hangs when receive WWW-Authenticate: Negotiate
- WWW-Authenticate uses NTLM and not Kerberos
- chrome and firefox browsers not sending kerbros token in WWW-Authenticate header to Negotiate
- Mod_auth_kerb: optional Kerberos Negotiation
- Browser sends NTLM ticket instead of Kerberos ticket
- Apache2 - working with mod_auth_kerb to enable "don't require logging in, but allow it"
- Kerberos authentication using mod_auth_kerb against ActiveDirectory and multiple Realms