Mod_auth_kerb: optional Kerberos Negotiation

Question

Can I configure Mod_auth_kerb (http://modauthkerb.sourceforge.net/configure.html) in the way it will perform optional Kerberos Negotiation:

1. If browser is configured to negotiate Mod_auth_kerb will perform negotiation and will authenticate a user (and send REMOTE_USER)

2. If browser is not configured to negotiate Mod_auth_kerb will not perform authentication and will send a request without REMOTE_USER. Later an application will perform an authentication of a request. Important that Mod_auth_kerb should not return 401 NEGOTIATE.

Answer 1

My guess is that the real problem you're trying to solve is the brokeness of Internet Explorer. With every other browser you can simply set an error redirect in the Apache config like this.

<Location /login-spnego>
        AuthType Kerberos
        require valid-user
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        Krb5Keytab /etc/httpd/conf/keytab
        ErrorDocument 401 /login-simple
</Location>

However, IE goes into a death spiral if it has not been configured to allow kerberos auth to the site in question and never displays the 401 document. The only work around for this problem that I have found is to use a mod_rewrite rule based on the HTTP_USER_AGENT.

# IE fails hard if the user does not have a tgt for SPNEGO
# and either attempts NTLM or fails altogether depending on
# exact version. Redirect all IE login attempts to
# form rather than attempt pass-thru SPNEGO login.

RewriteCond   %{HTTP_USER_AGENT}           ^Mozilla.*MSIE
RewriteRule   ^/login-spnego/          /login-simple/   [PT]

This doesn't really address your question, but as far as I know there is simply no way to do what you want w/o re-writing the code for mod_auth_kerb.