问题
I would like to support both Kerberos and standard username+password authentication (via web form) in parallel. This is works fine, when the client is in the domain. The server returns the HTTP header "WWW-Authenticate: Negotiate" and sends an HTTP error 401 (unauthorized), as required by the Kerberos protocol, and the browser client then continues by sending the required information. But when the login page is accessed from outside the domain, the process stops on the client-side after receiving the 401.
Is there a way to run these two authentication methods in parallel? (same question here, without a conclusive solution: Optional SPNEGO Kerberos authentication)
回答1:
You are better off implementing the same approach as mod_auth_gssapi, it offers Basic also and performs the auth loop internally as if your client is sending the SPNEGO token.
来源:https://stackoverflow.com/questions/41375245/running-spnego-kerberos-in-parallel-with-username-password-authentication