I have a working Kerberos SSO setup, I use apache and jboss with mod_jk. Apache is protecting (by kerberos) the auto-login.htm page with the following configuration:
<Location /auto-login.htm> AuthType Kerberos AuthName "Kerberos Active Directory Login" KrbMethodNegotiate on KrbMethodK5Passwd on KrbAuthRealms KRB.SOMEDOMAIN.COM KrbServiceName HTTP/[email protected] Krb5Keytab /etc/krb/krb5.keytab KrbVerifyKDC on KrbAuthoritative on require valid-user #ErrorDocument 401 /login.htm </Location> This works 100% and I am able to login with Kerberos/SSO and read the remote_user variable in my java application.
Now the problem is that I want to redirect to a unprotected login.htm if the user was unable to log in via Kerberos/SSO. The solution I had in mind was to set a 401 ErrorDocument, however when I set this up by uncommenting the #ErrorDocument 401 in the code above it always redirects to login.htm as returning a 401 to request user credentials is inherently part of the Kerberos/SSO authentication process. Thus the result is users always end up at login.htm and never completes the Kerberos/SSO login process.
Any help or alternative solution will be appreciated.
Thanks in advance
Pierre
