apache2/idp kerberos RemoteUserInternal with Password flow fallback

Simon Lundström simlu at su.se
Mon Aug 10 08:15:31 EDT 2015

On Wed, 2015-07-29 at 09:04:03 +0300, Tunturi Timo wrote:
> On 28/07/15 16:34, Cantor, Scott wrote:
> >On 7/28/15, 7:28 AM, "users on behalf of Tunturi Timo" <users-bounces at shibboleth.net on behalf of timo.tunturi at aalto.fi> wrote:
> >
> >>The fallback feature is in the browser. Browsers other than IE, anyway.
> >
> >Right, so, useless in the general case. All it takes is one.
> That's right. Basically only because of IE there has to be a somewhat
> elaborate scheme on the IdP end to make sure you never offer a negotiate
> challenge unless the client can and will respond to it.

Like you, Timo, answered in another thread: a combination of user-agent
and IP-address/CIDR greylisting works. At least for us.

- Simon


Simon Lundström
Section for Infrastructure

IT Services
Stockholm University
SE-106 91 Stockholm, Sweden


More information about the users mailing list