I have a working Kerberos SSO setup, I use apache and jboss with mod_jk. Apache is protecting (by kerberos) the auto-login.htm page with the following configuration:
<Location /auto-login.htm>
AuthType Kerberos
AuthName "Kerberos Active Directory Login"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms KRB.SOMEDOMAIN.COM
KrbServiceName HTTP/[email protected]
Krb5Keytab /etc/krb/krb5.keytab
KrbVerifyKDC on
KrbAuthoritative on
require valid-user
#ErrorDocument 401 /login.htm
</Location>
This works 100% and I am able to login with Kerberos/SSO and read the remote_user variable in my java application.
Now the problem is that I want to redirect to a unprotected login.htm if the user was unable to log in via Kerberos/SSO. The solution I had in mind was to set a 401 ErrorDocument, however when I set this up by uncommenting the #ErrorDocument 401 in the code above it always redirects to login.htm as returning a 401 to request user credentials is inherently part of the Kerberos/SSO authentication process. Thus the result is users always end up at login.htm and never completes the Kerberos/SSO login process.
Any help or alternative solution will be appreciated.
Thanks in advance
Pierre
In order not to interrupt the Kerberos/SSO authentication process, use the following:
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login.htm\"></html>"
This will cause a redirect to occur only when the user clicks cancel on the browser dialog box.