Recent changes to feature-requests

#14 Support of NTLM

Nick Pierpoint — Sat, 17 Jun 2017 14:33:36 -0000

Did this ever progress? Any hope of Kerberos falling back to NTLMv2 authentication?

Add support for Nego2

Mathieu PARENT — Mon, 23 Jul 2012 11:18:34 -0000

Hi,

Please add support for MS-N2HT [ref]. This will allow conection from Internet Explorer to fail, without showing a password popup (because trying NTLM).

Regards

[ref]: http://msdn.microsoft.com/en-us/library/dd303576\(v=prot.10)

Fallback to Digest Authentication if KrbMethodK5Passwd on

ernst brammer — Tue, 25 May 2010 11:07:56 -0000

Hi,
first of all, mod_auth_kerb is a great module and I am successfully using it in our intranet with Active Directory.
My question/feature request:
Is it possible to fall back to digest auth if kerb auth fails?
Now, if kerb auth fails (for whatever reason), the user has to manually enter his password for basic auth, which gets transmitted in cleartext. It would be better, if digest auth would be used for fallback (setting up ssl for our small intranet would be overkill).
thanks

Stop passing password through to web applications

Anonymous — Thu, 18 Mar 2010 00:04:31 -0000

When using KrbMethodK5Passwd, it is possible to see the user-entered password from a php script by reading the variable $_SERVER["PHP_AUTH_PW"]. I think there must be an option to remove this value out of the headers list passed through to scripts and applications - i think not only php is able to get this value.

Just check with this script:
<?php
echo date('j.n.Y H:i:s').'<br/>';
echo $_SERVER["REMOTE_USER"].'<br/>';
echo $_SERVER["AUTH_TYPE"].'<br/>';
echo $_SERVER["PHP_AUTH_PW"].'<br/>';
?>

Building Kerberos for Windows server

Anonymous — Mon, 21 Dec 2009 11:14:26 -0000

Has this been tested on apache running on a windows server, and what the compilation steps for windows environment.

Support of NTLM

Daniel Kouril — Wed, 05 Aug 2009 07:30:25 -0000

When doing Negotiate the IE browser may choose to use NTLM if Kerberos isn't available on the client. Since several Kerberos implementations support NTLM under GSSAPI, the module could provide fallback to NTLM for clients that can't speak Kerberos. See also https://sourceforge.net/mailarchive/forum.php?thread_name=0DC212FE7F69B24F81D2C4F1E65FCC2303D55CA5%40svits11.main.ad.rit.edu&forum_id=18368

Passing delegated credentials to tomcat

Spencer Olson — Tue, 12 May 2009 21:30:50 -0000

I'd like to have delegated credentials be available to tomcat servlets
and any processes executed in the tomcat environment. I am using
tomcat behind apache with the AJP connector (with the mod_proxy_ajp
apache module providing the connection to apache).

One of the problems is that (depending on the apache connector--
I believe) no information regarding the apache environment is transferred
over to the tomcat service. Therefore, even though mod_auth_kerb can
be configured to save credentials, the file cache name does not get
transferred to tomcat. Furthermore, if you have tomcat running with
a separate user's privileges, the file cache saved by mod_auth_kerb
is not readable by the tomcat process.

I've come up with two possible solutions:
1. Send tomcat the location of the file cache: (I'm using this solution right now)
a. Tomcat must run as the same user as does apache
b. The location of the cache must be added to the in-bound HTTP headers:
In version 5.4, this involves a one-line addition at
src/mod_auth_kerb.c:871
apr_table_setn(r->subprocess_env, "KRB5CCNAME", ccname);
+ apr_table_setn(r->headers_in, "KRB5CCNAME", ccname);

This way, the location of the file cache is stored in the headers for tomcat to examine.
Because tomcat runs as the apache user, there are no file permission problems.
I imagine that if this is the best solution, there ought to be a configuration option
to select whether you want to store the location of the file cache in the in-
bound headers.

2. Encode the actual cache using base64 encoding and save the result to the in-bound headers.
Using this solution, apache and tomcat can remain as processes of separate users,
thereby allowing apache to run under SELinux or similar restricted mode without effecting
the backend tomcat processes.
If this were the best option, I think it would be necessary to have a configuration option
that requests this functionality explicitly.

Is there already a better solution out there? If not, which of these two possible
solutions would be deemed best?

solution #1 is very easy to implement as it only involves adding one line to mod_auth_kerb.c.

Can we get this functionality in mod_auth_kerb?

Thanks

MacOS X Configuration hints

Bill Northcott — Tue, 27 Jan 2009 01:12:10 -0000

Just a few point that might be mentioned in the README or INSTALL files.

MacOS X runs multiple architectures with fat binaries. In MacOS X 10.4 Tiger most system binaries are fat, in 10.5 Leopard they all are and contain 4 arches ppc, ppc64, i386 and x86_64. All current Macs which have 64bit capable Intel CPUs will run three of these arches - ppc, i386 and x86_64.

The Apple Kerberos implementation which seems to be written by MIT provides krb4 and krb5 in i386 but only krb5 in x86_64.

By default, the Apple gcc compilers will build the local 32bit arch.

However, 64 bit capable hardware will by default run the 64bit arch if provided. So a default ./configure;make build will fail trying to load a 32bit module into the running 64bit Apache.

To build 64 bit on Intel hardware, the option '-arch x86_64' needs to be in the CC definition used during configure and added to CFLAGS and LDFLAGS in config_vars.mk. '--with-krb4=no' is also a good idea for configure.

Only one -arch option can be used at a time due to the differences in the libraries for different arches. A fat binary for the module would need to be build one arch at a time and assembled with lipo.

Microsoft PAC kerberos ticket parsing

Anonymous — Mon, 05 May 2008 16:06:16 -0000

Hi all,
it would be very useful if would be implemented a functionality that parse pac section that is added to kerberos service tickets by Active Directory KDC so would be possible to use an AD domain controller like kerberos authorization system (for example specifying "require group groupname" in auth_kerb.conf) and not only for authentication.

http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1014058,00.html

Sorry for my bad english :)!

massimiliano.laporta@gmail.com

KrbAppendRealm

Jason Heffner — Fri, 08 Dec 2006 13:57:20 -0000

Can the Krb_Append_Realm patch/option be merged into the base code?