Home/ Questions/Q 567343
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T13:04:22+00:00

I have a working Kerberos SSO setup, I use apache and jboss with mod_jk.

  • 0

I have a working Kerberos SSO setup, I use apache and jboss with mod_jk. Apache is protecting (by kerberos) the auto-login.htm page with the following configuration:

<Location /auto-login.htm>  
AuthType           Kerberos  
AuthName           "Kerberos Active Directory Login"  
KrbMethodNegotiate on  
KrbMethodK5Passwd  on  
KrbAuthRealms      KRB.SOMEDOMAIN.COM  
KrbServiceName     HTTP/server.somedomain.com@KRB.SOMEDOMAIN.COM  
Krb5Keytab         /etc/krb/krb5.keytab  
KrbVerifyKDC       on  
KrbAuthoritative   on  
require            valid-user  
#ErrorDocument 401  /login.htm  
</Location>

This works 100% and I am able to login with Kerberos/SSO and read the remote_user variable in my java application.

Now the problem is that I want to redirect to a unprotected login.htm if the user was unable to log in via Kerberos/SSO. The solution I had in mind was to set a 401 ErrorDocument, however when I set this up by uncommenting the #ErrorDocument 401 in the code above it always redirects to login.htm as returning a 401 to request user credentials is inherently part of the Kerberos/SSO authentication process. Thus the result is users always end up at login.htm and never completes the Kerberos/SSO login process.

Any help or alternative solution will be appreciated.

Thanks in advance
Pierre

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In order not to interrupt the Kerberos/SSO authentication process, use the following:

    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login.htm\"></html>"

    This will cause a redirect to occur only when the user clicks cancel on the browser dialog box.

    • 0