How to setup apache redirect or custom 401 document on Kerberos SSO login failure

Question

Hi

I have a working Kerberos SSO setup, I use apache and jboss with mod_jk. Apache is protecting (by kerberos) the auto-login.htm page with the following configuration:

<Location /auto-login.htm>  
AuthType           Kerberos  
AuthName           "Kerberos Active Directory Login"  
KrbMethodNegotiate on  
KrbMethodK5Passwd  on  
KrbAuthRealms      KRB.SOMEDOMAIN.COM  
KrbServiceName     HTTP/[email protected]  
Krb5Keytab         /etc/krb/krb5.keytab  
KrbVerifyKDC       on  
KrbAuthoritative   on  
require            valid-user  
#ErrorDocument 401  /login.htm  
</Location>

This works 100% and I am able to login with Kerberos/SSO and read the remote_user variable in my java application.

Now the problem is that I want to redirect to a unprotected login.htm if the user was unable to log in via Kerberos/SSO. The solution I had in mind was to set a 401 ErrorDocument, however when I set this up by uncommenting the #ErrorDocument 401 in the code above it always redirects to login.htm as returning a 401 to request user credentials is inherently part of the Kerberos/SSO authentication process. Thus the result is users always end up at login.htm and never completes the Kerberos/SSO login process.

Any help or alternative solution will be appreciated.

Thanks in advance
Pierre

Answer 1

In order not to interrupt the Kerberos/SSO authentication process, use the following:

ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login.htm\"></html>"

This will cause a redirect to occur only when the user clicks cancel on the browser dialog box.

Answer 2

For any inter-medium step, peg the above contents into HTTP stream, e.g. Servlet, excepting the successful authentication returned.