apache2/idp kerberos RemoteUserInternal with Password flow fallback
Simon Lundström
simlu at su.se
Mon Aug 10 08:15:31 EDT 2015
On Wed, 2015-07-29 at 09:04:03 +0300, Tunturi Timo wrote:
> On 28/07/15 16:34, Cantor, Scott wrote:
> >On 7/28/15, 7:28 AM, "users on behalf of Tunturi Timo" <users-bounces at shibboleth.net on behalf of timo.tunturi at aalto.fi> wrote:
> >
> >>The fallback feature is in the browser. Browsers other than IE, anyway.
> >
> >Right, so, useless in the general case. All it takes is one.
>
> That's right. Basically only because of IE there has to be a somewhat
> elaborate scheme on the IdP end to make sure you never offer a negotiate
> challenge unless the client can and will respond to it.
Like you, Timo, answered in another thread: a combination of user-agent
and IP-address/CIDR greylisting works. At least for us.
BR,
- Simon
____________________________________
Simon Lundström
Section for Infrastructure
IT Services
Stockholm University
SE-106 91 Stockholm, Sweden
www.su.se/it
More information about the users
mailing list