MCB and Kerberos NEGOTIATE

David Langenberg davel at
Sat Apr 26 00:07:12 EDT 2014

1 sounds viable.  Duo, I believe, can strip the from the
principal on their end so that would save you a step.


On Fri, Apr 25, 2014 at 9:32 PM, Rich Graves <rgraves at> wrote:

> Muttering to myself:
> > Has anyone looked into making (something like) the Kerberos
> authentication plugin work within the MCB framework, in place of the
> bronze-level username/password?
> Well, I don't have either working yet, but possible strategies include:
> 1) Use the MCB RemoteUser submodule, with /Authn/MCB/RemoteUser protected
> by mod_auth_kerb. I would need to strip the @AD.EXAMPLE.EDU from the
> REMOTE_USER variable, but it might work, including Duo second factor as
> needed.
> 2) Use the SWITCH Kerberos module, which I think can be installed in the
> same server as MCB. Not desirable because it would seem to require each SP
> to specify context and there's no possibility of requiring Duo second
> factor.
> Is #1 a viable strategy?
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at

David Langenberg
Identity & Access Management
The University of Chicago
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list