Optional kerberos authentication?


Question

Is it possible to do optional kerberos authentication?

What I want is: if the client (browser) is not on the domain, it is redirected to a username/password web login. Otherwise it will use SPNEGO to do Kerberos authentication.

Is there any solution for this? If yes, what are the configurations we require?

Recommended answer

Yes. You can do this. When the server receives an unauthenticated request, it replies with a 401 ("Authorization required") which has the header WWW-Authenticate set to Negotiate. If the Kerberos authentication fails, the server also sends a 401 back.

Whenever the client fails to authenticate (for example, if it doesn't have any Kerberos credentials, or the authentication failed) the 401 page content will be shown.

So, to solve your problem, all you have to do is to include the login page on the 401 page.
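
The flow described in the answer, as an added WSGI sketch that is not part of the original answer: every failed or missing Negotiate attempt gets the same 401 whose body is the login form. `accept_kerberos`, `form_login` and the `/login` path are hypothetical names; the first stands for whatever GSSAPI/SSPI accept call the server uses.

```python
import base64
import binascii

# Constructed fallback page: the body of the 401 carries the form login.
LOGIN_FORM = (b'<!doctype html><title>Sign in</title>'
              b'<form method="post" action="/login">'
              b'<input name="username"><input name="password" type="password">'
              b'<button>Sign in</button></form>')
NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message


def make_app(accept_kerberos, form_login):
    """accept_kerberos(token: bytes) -> principal name or None (hypothetical
    hook around the GSSAPI/SSPI accept call); form_login is the WSGI handler
    for the username/password POST (hypothetical)."""

    def challenge(start_response):
        # Domain clients retry with a ticket; everyone else renders the body.
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", "Negotiate"),
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(LOGIN_FORM))),
            ("Cache-Control", "no-store"),
        ])
        return [LOGIN_FORM]

    def app(environ, start_response):
        # The form target must not be challenged again, or fallback users loop.
        if environ.get("PATH_INFO") == "/login":
            return form_login(environ, start_response)
        scheme, _, b64 = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "negotiate" or not b64.strip():
            return challenge(start_response)
        try:
            token = base64.b64decode(b64.strip(), validate=True)
        except (binascii.Error, ValueError):
            return challenge(start_response)
        # Clients without a Kerberos ticket may answer Negotiate with NTLM;
        # treat that as a failed attempt rather than passing it to Kerberos.
        if token.startswith(NTLMSSP):
            return challenge(start_response)
        principal = accept_kerberos(token)
        if principal is None:
            return challenge(start_response)
        body = f"Hello {principal}\n".encode()
        start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                                  ("Content-Length", str(len(body)))])
        return [body]

    return app
```

Serve the form and its POST target over HTTPS only, since the fallback path carries a password.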
