与用户名/密码身份验证并行运行SPNEGO Kerberos [英] Running SPNEGO Kerberos in parallel with username/password authentication

问题描述

我想同时支持Kerberos和标准的用户名+密码身份验证(通过Web表单).当客户端在域中时，这很好用.服务器返回HTTP标头"WWW-Authenticate:Negotiate"，并根据Kerberos协议的要求发送HTTP错误401(未经授权)，然后浏览器客户端将继续发送所需的信息.但是，如果从域外部访问登录页面，则在收到401之后，该过程将在客户端停止.

I would like to support both Kerberos and standard username+password authentication (via web form) in parallel. This is works fine, when the client is in the domain. The server returns the HTTP header "WWW-Authenticate: Negotiate" and sends an HTTP error 401 (unauthorized), as required by the Kerberos protocol, and the browser client then continues by sending the required information. But when the login page is accessed from outside the domain, the process stops on the client-side after receiving the 401.

是否可以并行运行这两种身份验证方法? (此处存在相同问题，但没有最终解决方案:可选SPNEGO Kerberos身份验证)

Is there a way to run these two authentication methods in parallel? (same question here, without a conclusive solution: Optional SPNEGO Kerberos authentication)

推荐答案

最好采用与 mod_auth_gssapi ，它还提供Basic并在内部执行auth循环，就好像您的客户端正在发送SPNEGO令牌.

You are better off implementing the same approach as mod_auth_gssapi, it offers Basic also and performs the auth loop internally as if your client is sending the SPNEGO token.

这篇关于与用户名/密码身份验证并行运行SPNEGO Kerberos的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！