MCB and Kerberos NEGOTIATE

Wessel, Keith kwessel at
Sat Apr 26 15:04:36 EDT 2014

Of course, if you went with #1, you'd hit upon what I'm up against: the fact that remote_user can't intelligently support things like forced reauthentication... unless you can just have a very short Kerberos ticket lifetime.


From: users-bounces at [mailto:users-bounces at] On Behalf Of David Langenberg
Sent: Friday, April 25, 2014 11:07 PM
To: Shib Users
Subject: Re: MCB and Kerberos NEGOTIATE

1 sounds viable.  Duo, I believe, can strip the<> from the principal on their end so that would save you a step.


On Fri, Apr 25, 2014 at 9:32 PM, Rich Graves <rgraves at<mailto:rgraves at>> wrote:
Muttering to myself:
> Has anyone looked into making (something like) the<> Kerberos authentication plugin work within the MCB framework, in place of the bronze-level username/password?
Well, I don't have either working yet, but possible strategies include:

1) Use the MCB RemoteUser submodule, with /Authn/MCB/RemoteUser protected by mod_auth_kerb. I would need to strip the @AD.EXAMPLE.EDU<http://AD.EXAMPLE.EDU> from the REMOTE_USER variable, but it might work, including Duo second factor as needed.

2) Use the SWITCH Kerberos module, which I think can be installed in the same server as MCB. Not desirable because it would seem to require each SP to specify context and there's no possibility of requiring Duo second factor.

Is #1 a viable strategy?
To unsubscribe from this list send an email to users-unsubscribe at<mailto:users-unsubscribe at>

David Langenberg
Identity & Access Management
The University of Chicago
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list