Most (perhaps all) www servers supporting Kerberos use password-based authentication. This method requires too much communication between the www server and the KDC, is uncomfortable for users (since they are required to type their passwords when accessing secured pages) and is not very secure (since the password is passed to the www server). That is why endeavours to use native Kerberos authentication in HTTP have appeared. The Microsoft corporation published a draft specifying how Kerberos is used in their web components. We used this draft to implement Kerberos support for the Apache web server and the Mozilla browser so that they are able to use native Kerberos tickets for user authentication.
The authentication method introduced by the Microsoft draft is called Negotiate. It is based on the use of GSS-API and SPNEGO; however, only "simple" authentication methods are considered, i.e. methods requiring only one authentication exchange between client and server (e.g. Kerberos). The Negotiate mechanism allows browsers to include a GSS token (the output of gss_init_sec_context()) in the HTTP headers. This token contains a Kerberos ticket and the appropriate authenticator (for detailed information on Kerberos and on GSS-API using Kerberos see RFC 1510 and RFC 1964). The server verifies the token by means of the gss_accept_sec_context() call and decides whether to grant access to the user. The Microsoft components support the Kerberos and NTLM methods. The Negotiate mechanism provides only authentication, neither integrity protection nor encryption, so SSL has to be used.
Since we don't have any SPNEGO implementation, we are using the Kerberos implementation of GSS-API directly (unlike the Microsoft implementation). However, migration to SPNEGO should be easy. Besides the direct use of the Kerberos implementation of GSS-API instead of SPNEGO, there is another (perhaps worse) problem concerning interoperability with the Microsoft components. Internet Explorer seems to try NTLM authentication if it is unable to get a Kerberos ticket for the www server (e.g. when the KDC is unreachable). In this case IE displays a window requiring the user to type their domain password. This is very confusing for users and we were not able to make IE stop doing it. Thus we renamed the method to GSS-Negotiate (i.e. added the GSS- prefix) in our implementation. In this way IE doesn't recognize Negotiate as a supported mechanism and always uses password authentication. So if you want to test this implementation against Microsoft's applications, you will need to substitute GSS-Negotiate for Negotiate (and you will need an SPNEGO library as well).
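To make the header exchange and the NTLM-fallback problem above concrete, here is an added example (not part of the original implementation) that does what a server must do before handing a token to gss_accept_sec_context(): split the Authorization header, insist on the advertised scheme (GSS-Negotiate here), base64-decode the token and check its RFC 2743 InitialContextToken framing and mechanism OID, recognising an NTLM token as well. The sample header is constructed; a real token carries a DER-encoded KRB_AP_REQ where the dummy bytes are.

```python
import base64

# Mechanism OIDs as DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, contents).
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("06062b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
}

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_authorization(header, scheme="GSS-Negotiate"):
    """Split '<scheme> <base64>' from an Authorization header and return the raw
    token; the scheme must be the one the server advertised in WWW-Authenticate."""
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != scheme.lower():
        raise ValueError("unexpected authentication scheme in header")
    return base64.b64decode(parts[1], validate=True)

def inspect_token(token):
    """Classify the token by its RFC 2743 InitialContextToken framing."""
    if token.startswith(b"NTLMSSP\x00"):      # what IE sends on NTLM fallback
        return {"mech": "NTLM (not a GSS-API token)", "tok_id": None}
    if not token or token[0] != 0x60:         # [APPLICATION 0] constructed tag
        raise ValueError("missing InitialContextToken tag")
    length, pos = _der_len(token, 1)
    if length == 0 or length != len(token) - pos:
        raise ValueError("outer DER length does not match token body")
    if token[pos] != 0x06:
        raise ValueError("expected mechanism OID after outer tag")
    oid_len, oid_start = _der_len(token, pos + 1)
    oid = token[pos:oid_start + oid_len]
    mech = MECH_OIDS.get(oid, "unknown OID " + oid.hex())
    body = token[oid_start + oid_len:]
    # RFC 1964: a Kerberos token continues with a 2-byte TOK_ID; 01 00 is KRB_AP_REQ.
    tok_id = body[:2].hex() if mech.startswith("Kerberos") and len(body) >= 2 else None
    return {"mech": mech, "tok_id": tok_id}

# Constructed sample: Kerberos V5 OID, TOK_ID 01 00, then dummy bytes standing in
# for the DER-encoded KRB_AP_REQ a real client would send.
SAMPLE_BODY = bytes.fromhex("06092a864886f712010202") + b"\x01\x00" + b"\x6e\x03\x01\x02\x03"
SAMPLE_TOKEN = b"\x60" + bytes([len(SAMPLE_BODY)]) + SAMPLE_BODY
SAMPLE_HEADER = "GSS-Negotiate " + base64.b64encode(SAMPLE_TOKEN).decode()
```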
The implementation was created for Apache version 1.3.26 (and should work with any later 1.x version), Mozilla version 1.0, 1.1, 1.2.1 or 1.3, and Heimdal Kerberos version 0.4e (the Mozilla patch assumes the use of static Heimdal libraries, but shared libraries should work as well); Heimdal was linked with OpenSSL.
Our implementation consists of an Apache module and a patch for Mozilla. The former Apache module mod_auth_gssapi that we used to use implements only the Negotiate method and sometimes showed problems collaborating with the kerb_auth_mod module used for password-based Kerberos authentication. For that reason we have created a new Apache module combining both methods (i.e. password and Negotiate). This module should be used in environments where both of these Kerberos methods are required.
For the Mozilla browser we have patches for Mozilla v1.0, v1.1, v1.2.1 and v1.3. To build Mozilla you will also need a simple patch, which ensures that the Heimdal gssapi.h header can be included from C++ code.
The implementation was tested only on Debian 2.2 (potato) on the i386 platform.
Follow the instructions from the Mozilla site. As of the Negotiate patch for Mozilla 1.3, a new option (--with-gssapi=dir) is added to the configure script, which lets you specify that Negotiate support should be compiled in. To add the option to the configure script you have to run autoconf before starting the build process. We are using the following steps:
vitriol$ cd /usr/heimdal/include; patch < /download/gssapi.h.patch
vitriol$ cd ~/software
vitriol$ tar xzf /download/mozilla-source-1.3.tar.gz
vitriol$ cd mozilla
vitriol$ patch -p0 < /download/mozilla-1.3-gssauth.patch
vitriol$ MOZILLA_OFFICIAL=1; BUILD_OFFICIAL=1
vitriol$ export MOZILLA_OFFICIAL BUILD_OFFICIAL
vitriol$ ./configure --enable-crypto --disable-tests \
    --disable-debug --enable-optimize --enable-strip
vitriol$ cd xpinstall/packager; make
This will end up with the distribution package mozilla-i686-pc-linux-gnu.tar.gz in the mozilla/dist directory. This package can be used to install Mozilla.
You will need to specify the libraries and includes needed via the environment, e.g.:
LDFLAGS="-L/usr/heimdal/lib -L/usr/local/ssl/lib" \
LIBS="-lgssapi -lkrb5 -lasn1 -lroken -lcrypto -lresolv" \
./configure --prefix=/usr/local/apache
make; make install
Add the following lines to the Apache configuration:
AuthName "KRB5 Realm"
Now you should be able to access the page with Kerberos authentication. Consult the output of the klist command (Mozilla tries to get tickets of the form khttp/www_server_hostname@REALM). The environment variables NSPR_LOG_MODULES and NSPR_LOG_FILE can be used to turn on debugging of Mozilla. E.g. you can use
Implementation of the Negotiate mechanism was written by Ludek Sulak as part of his bachelor thesis (available in Czech only). Additional changes and fixes were done by Daniel Kouril, who is the current maintainer of the code.
The patch for Mozilla was submitted to Mozilla's Bugzilla as an attachment to bug #17578.