On Fri, 21 Dec 2007, Russ Allbery wrote:
I'm afraid that you're probably running into a fundamental limitation in the HTTP protocol here. I don't think it's possible to do what you want.
I'm not sure; let me add a little more info.
The problem is that HTTP doesn't have a full-fledged SASL implementation with multiple retries of mech negotiation. It only does essentially one round of negotiation. When the browser connects and asks for a page, mod_auth_kerb sends a Negotiate-Auth challenge asking whether it can do SPNEGO. If the browser can, it starts an SPNEGO exchange; if it can't, it does Basic authentication.
This is unfortunate, but unlikely to change :(
The problem with your situation is that the browser *can* do SPNEGO and *does* have Kerberos tickets, so at the initial challenge, it selects the SPNEGO route since to the best of its knowledge that's correct. It then does an SPNEGO->GSSAPI->Kerberos v5 authentication, and then the server rejects it at the point when that negotiation is complete due to a bad realm.
Not quite... my browser is capable of SPNEGO, but did not have a ticket. Therefore, the browser<->server auth should've been in basic mode. mod-auth-kerb, however, failed the request since the realm wasn't on its list of approved realms... That is what I'd like to have changed, such that if the realm isn't listed, the module (if configured to do so) delegates the auth request instead of issuing the error and failing auth. Most other users of the site will not even have SPNEGO enabled (assuming they're on Firefox; IE, I think, does it by default).
It's yet another problem caused by the fact that HTTP was designed as a stateless protocol and therefore implements all stateful things such as proper authentication very poorly.
:(

--
Rick Nelson
Linux - the system for clever girls ;) -- banshee
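The exchange the two posters are describing, as an added toy model that is not part of the original thread and is not mod_auth_kerb code: the server offers Negotiate and Basic in one 401 round, a Basic credential carries its realm in the user name (or falls back to an assumed default realm), and a realm outside the allowlist either fails outright (the behaviour Rick hit) or, with an assumed `delegate_unknown_realm` switch, is handed to a second provider (the behaviour he asks for). The realm names, the allowlist, the password tables standing in for the KDC and for the fallback provider, and the `delegate_unknown_realm` option are all constructed for the example; no real KDC or GSSAPI call is made.

```python
# Toy model of the single-round HTTP authentication exchange discussed in the
# thread. Constructed for illustration; not mod_auth_kerb code. No KDC is
# contacted: Kerberos password checks are stood in for by an in-memory table.
import base64

DEFAULT_REALM = "EXAMPLE.COM"        # assumed server default realm
APPROVED_REALMS = {"EXAMPLE.COM"}    # assumed allowlist (KrbAuthRealms-style)

# Constructed stand-in for the KDC: principal -> password.
KDC_PASSWORDS = {"alice@EXAMPLE.COM": "s3cret"}
# Constructed stand-in for a non-Kerberos provider (e.g. a local user file)
# to which unknown realms would be delegated under the requested behaviour.
LOCAL_USERS = {"bob@OTHER.ORG": "hunter2"}


def challenge_headers():
    """Initial 401: Negotiate and Basic are offered together in one round."""
    return [("WWW-Authenticate", "Negotiate"),
            ("WWW-Authenticate", 'Basic realm="Kerberos Login"')]


def split_principal(user):
    """Return (name, realm); a bare user name gets the server's default realm."""
    if "@" in user:
        name, realm = user.rsplit("@", 1)
        return name, realm
    return user, DEFAULT_REALM


def kerberos_basic_check(user, password):
    """Stand-in for verifying a Basic credential against the KDC."""
    name, realm = split_principal(user)
    return KDC_PASSWORDS.get(f"{name}@{realm}") == password


def handle_request(authorization, delegate_unknown_realm=False):
    """One request/response step. Returns (status, headers, detail)."""
    if authorization is None:
        return 401, challenge_headers(), "no credentials: challenge issued"
    scheme, _, payload = authorization.partition(" ")
    if scheme == "Negotiate":
        # A real server would pass the token to GSSAPI. The thread's point:
        # once this path is taken the single round is spent, so a rejection
        # here cannot be retried with another mechanism.
        return 401, [], "SPNEGO token rejected; no fallback in this round"
    if scheme != "Basic":
        return 400, [], "unsupported scheme"
    user, _, password = base64.b64decode(payload).decode().partition(":")
    _, realm = split_principal(user)
    if realm not in APPROVED_REALMS:
        if not delegate_unknown_realm:
            # Behaviour described in the thread: realm not listed -> fail.
            return 401, [], f"realm {realm} not in approved list"
        # Requested behaviour: hand the credential to the next provider.
        if LOCAL_USERS.get(user) == password:
            return 200, [], f"authenticated {user} via delegated provider"
        return 401, [], f"delegated provider rejected {user}"
    if kerberos_basic_check(user, password):
        return 200, [], f"authenticated {user} via Kerberos (Basic)"
    return 401, [], f"bad password for {user}"


def basic_header(user, password):
    """Build an Authorization: Basic value for the toy client."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


if __name__ == "__main__":
    scenarios = [
        ("first request, no credentials", None, False),
        ("approved realm, good password", basic_header("alice", "s3cret"), False),
        ("unknown realm, fail-closed", basic_header("bob@OTHER.ORG", "hunter2"), False),
        ("unknown realm, delegated", basic_header("bob@OTHER.ORG", "hunter2"), True),
        ("browser chose SPNEGO", "Negotiate AAAA", False),
    ]
    for label, auth, delegate in scenarios:
        status, _, detail = handle_request(auth, delegate_unknown_realm=delegate)
        print(f"{label}: {status} ({detail})")
```

The fail-closed branch is what keeps an unlisted realm from being silently trusted; the delegated branch only helps when the second provider has its own credential store, which is why the model keeps the two tables separate.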