Apache: x.509 and Kerberos authentication together

649 views Asked by At

I want to configure on the same Apache server Kerberos authentication using mod_auth_kerb http://modauthkerb.sourceforge.net/ and client side x.509 certificate authentication using mod_ssl.

I need to configure SSLVerifyClient directive as optional since the client side x.509 certificate will not be always present http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient

What will happens in the following scenarios:

  1. A Kerberos enabled client accesses server with an x.509 certificate. What authentication will be performed?
  2. A Kerberos enabled client accesses a server without an x.509 certificate. Will the Kerberos authentication be performed and the client will access the server successfully?
  3. A client without Kerberos accesses server with an x.509 certificate. Will the x.509 authentication be performed and the client will access the server successfully?
  4. A client accesses server without Kerberos and without an x.509 certificate. What prompt will be presented to a user? The HTTP 401 NEGOTIATE error or the x.509 certificate missing error?

(I can ask the following question in a new thread if required)

Will it work in the same way for SAML2 authentication provided by Shibboleth? Configure Shibboleth native Service Provider and Apache

1

There are 1 answers

2
Michael-O On

It makes absolutely no sense to combine both methods. But keep in mind that first the TLS context is established and certs exchanged and then HTTP kicks in. So, if TLS auth fails, everything else won't be executed anyway.