OK I'm not having much luck figuring this out.
I've got gssapi doing authentication via gssproxy (enabled in the enviro vars during apache startup).
I need Basic Auth enabled for some Windows clients which don't natively have Kerberos ticket capabilities.
So
```apache
AuthType GSSAPI
AuthName "EMIT Single Sign On Login"
GssapiNegotiateOnce On
GssapiBasicAuth On
```
I'm trying to get gssapi session cookies to be used in place of basic Auth if a user has authenticated at least once.
So I'm adding:
```apache
GssapiUseSessions On
GssapiSessionKey key:secret_key
Session On
SessionCookieName gssapi_session path=/;httponly;secure;
SessionCryptoPassphrase "secret_passphrase"
Require valid-user
```
Now it seems that web browsers send the basic auth info in the request header "Authorization : basic .. blabla " of subsequent requests even though the cookie has been set.
I think this triggers apache to re-authenticate again and generate a new session token every time.. dumping / ignoring the one that has been set in the request header..
This is massively slowing down the page's responsiveness, adding nearly 1 second to every GET request the browser makes while loading the page.
I don't exactly know why the auth stage is so incredibly slow, as a side quest..
Now there have been methods mentioning having GssapiBasicAuth set to Off for the bulk of the website while keeping the cookie stuff there.
And then having a single "login" page in a location block that has BasicAuth turned on.
But I'm going through an apache proxy setup as part of this, think Jenkins running on the same server but at firewalled port 8080.
And I just can't seem to find the magic combination to get this to work..
Here is what our current config with gssapi auth looks like. But it is stupidly slow and doesn't seem to be using the session cookies..
```apache
<Location /jenkins/>
    SSLOptions +StrictRequire +ExportCertData +StdEnvVars +OptRenegotiate
    SSLRequireSSL
    SSLRequire ( %{HTTP_HOST} eq "jenkins.mydomain" )
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule .* - [F]
    ProxyPass http://localhost:8080/jenkins/ nocanon
    ProxyPassReverse http://localhost:8080/jenkins/
    ProxyPassReverse http://jenkins.mydomain/jenkins/
    ProxyPassReverse https://jenkins.mydomain/jenkins/
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Host "jenkins.mydomain"
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
</Location>
<Proxy http://localhost:8080/jenkins/*>
    # Take three see if this method speeds things up
    AuthType GSSAPI
    AuthName "Single Sign On Login"
    # Avoid Windows/Chrome from getting stuck trying NTLM
    GssapiNegotiateOnce On
    # Enable Basic Auth Fallback
    GssapiBasicAuth On
    # Enable Apache Sessioning for both GSSAPI & Basic Auth
    GssapiUseSessions On
    GssapiSessionKey key:secret_key
    # Encrypt the session cookie
    Session On
    SessionCookieName gssapi_session path=/;httponly;secure;
    SessionCryptoPassphrase "secret_passprhase"
    Require valid-user
    Order deny,allow
    Allow from all
</Proxy>
```
I'm not even sure if that authentication stuff is meant to be in the proxy block, there are lots of conflicting views on that..
There are methods that talk about splitting the auth domains into an everything else that uses the cookie and redirects via a 401? to a login URL if that cookie fails.
On that page they can log in and be given a gss session cookie after basic auth passes, and get redirected back to the main URL which only uses cookies, no BasicAuth enable flag etc...
But I'm having no luck getting that method going..
Any help would be appreciated
Cheers
Richard
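
One way to check the suspicion in the post above (that a request carrying both the Basic header and the session cookie still gets a new session) from captured request/response headers. This is an added example, not part of the original post or of mod_auth_gssapi; the captures are constructed, and treating a changed `Set-Cookie` value as a replaced session is an assumption of this example.

```python
# Added diagnostic example; the header captures below are constructed sample data.
COOKIE = "gssapi_session"  # name from the SessionCookieName line in the post

def parse_headers(raw):
    """Turn a raw request/response head into (lowercased name, value) pairs."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def cookie_value(headers, field, name):
    """Value of cookie `name` in a Cookie or Set-Cookie field, else None."""
    for key, value in headers:
        if key != field:
            continue
        parts = value.split(";")
        # In Set-Cookie only the first pair is the cookie; the rest are attributes.
        pairs = parts[:1] if field == "set-cookie" else parts
        for pair in pairs:
            k, sep, v = pair.strip().partition("=")
            if sep and k == name:
                return v
    return None

def classify(request_raw, response_raw):
    req, resp = parse_headers(request_raw), parse_headers(response_raw)
    sent = cookie_value(req, "cookie", COOKIE)
    issued = cookie_value(resp, "set-cookie", COOKIE)
    basic = any(k == "authorization" and v.lower().startswith("basic ")
                for k, v in req)
    if sent and issued and issued != sent:
        # Assumption: a different value means the presented session was replaced.
        return "reissued-with-basic" if basic else "reissued"
    if sent and not issued:
        return "session-reused"
    return "first-login" if issued else "no-session"

SAMPLES = [  # constructed captures, credentials redacted
    ("GET /jenkins/ HTTP/1.1\nAuthorization: Basic <redacted>",
     "HTTP/1.1 200 OK\nSet-Cookie: gssapi_session=AAA111; path=/; httponly; secure"),
    ("GET /jenkins/a.css HTTP/1.1\nAuthorization: Basic <redacted>\n"
     "Cookie: gssapi_session=AAA111",
     "HTTP/1.1 200 OK\nSet-Cookie: gssapi_session=BBB222; path=/; httponly; secure"),
    ("GET /jenkins/b.js HTTP/1.1\nCookie: gssapi_session=BBB222; JSESSIONID=x1",
     "HTTP/1.1 200 OK\nContent-Type: text/javascript"),
]

def summarize(samples):
    return [classify(req, resp) for req, resp in samples]
```

A run of `reissued-with-basic` results across the sub-requests of one page load matches the behaviour described in the post; `session-reused` means the cookie alone was accepted.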