MCB and Kerberos NEGOTIATE

Rich Graves rgraves at
Fri Apr 25 23:32:24 EDT 2014

Muttering to myself:
> Has anyone looked into making (something like) the Kerberos authentication plugin work within the MCB framework, in place of the bronze-level username/password? 

Well, I don't have either working yet, but possible strategies include: 

1) Use the MCB RemoteUser submodule, with /Authn/MCB/RemoteUser protected by mod_auth_kerb. I would need to strip the @AD.EXAMPLE.EDU from the REMOTE_USER variable, but it might work, including Duo second factor as needed.

2) Use the SWITCH Kerberos module, which I think can be installed in the same server as MCB. Not desirable because it would seem to require each SP to specify context and there's no possibility of requiring Duo second factor. 

Is #1 a viable strategy?

More information about the users mailing list