
Apache Authentication with SPNEGO

If you don't know what SPNEGO is, it is time to look it up. It is the mechanism by which a web browser can do single sign-on against "something". In Microsoft Windows it is referred to as "Integrated Windows Authentication", but it really has nothing to do with Windows. SPNEGO provides promptless authentication, unlike, say, LDAP methods, which will prompt you for credentials. In that respect it has some similarities with NTLM, but NTLM (especially v1) is more or less out of the picture these days because it is no longer supported by Microsoft. Enter SPNEGO.

SPNEGO authentication works well if your end users are on Windows and you need to authenticate against Active Directory, but the technology is not limited to MS Windows, because the underlying mechanism is based on Kerberos.

In the Solaris bundle of the Apache Web Server there's a module, mod_auth_gss, which has been created by Sun/Oracle. It provides SPNEGO authentication to Apache Web Server by use of the GSS API and ultimately Kerberos. The module is well suited for TWiki.

You can read more about it here:



Other operating systems (for the TWiki server)?

My company uses both Solaris and Linux, so I was asked the other day to make it work on Red Hat. I've been searching for something similar for the Linux world without luck. Judging from the information on the links above, you cannot just take the source code and make it work on Linux because of some deficiencies in the Linux implementation of GSS.

On Linux I would say you would have to use mod_auth_kerb, which also provides SPNEGO. This module talks directly to Kerberos rather than through the GSS API and is therefore very dependent on exactly which Kerberos implementation you are using. Bottom line: I believe the two modules are each other's equivalents. Use mod_auth_gss on Solaris and use mod_auth_kerb on Linux. You can probably make mod_auth_kerb work on Solaris (especially if you first manually install MIT's Kerberos), but why would you?
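
A minimal mod_auth_kerb configuration for the Linux case described above, as an added example that is not part of the original topic or of the TWiki project. The directory path, realm, host name and keytab location are placeholders assumed for illustration.

```apache
# Added example. Assumptions (not from the page): TWiki's scripts live in
# /var/www/twiki/bin, the Kerberos realm is EXAMPLE.COM, and the keytab holds
# the service principal HTTP/twiki.example.com@EXAMPLE.COM.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Directory "/var/www/twiki/bin">
    AuthType Kerberos
    AuthName "TWiki"

    # Realm(s) accepted and the service principal the browser requests a ticket for.
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP

    # Keytab containing the HTTP service key. Keep it readable only by the
    # account Apache runs as; anyone holding it can impersonate the service.
    Krb5KeyTab /etc/httpd/conf/twiki.keytab

    # SPNEGO ("Negotiate") gives the promptless sign-on.
    KrbMethodNegotiate On

    # Off disables the fallback to a Basic-auth password prompt, so a
    # misconfigured browser fails instead of sending the user's Kerberos
    # password to the web server.
    KrbMethodK5Passwd Off

    Require valid-user
</Directory>
```

With this in place the authenticated principal (for example `user@EXAMPLE.COM`) is passed to the application in `REMOTE_USER`.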


Browser support

All major browsers have support for SPNEGO. On some browsers you may have to explicitly enable it (Firefox is an example) and on other browsers it is enabled by default (Internet Explorer is an example). Google search is your friend!


-- Contributors: BrianMartinUK - 2012-06-20

Discussion

Brian, thank you for sharing this with the community! What a coincidence, I just wrote a cookie auth token based generic SSO extension for TWiki, SsoLoginContrib, and the post How to: Single Sign-on, a Convenient Way to Authenticate Users.

-- PeterThoeny - 2012-07-01

Topic revision: r2 - 2012-07-01 - PeterThoeny
 