GSSAPI not working with Basic (AuthUserFile) fallback

[bbs2web]

I presume I'm essentially looking or a method for GSSAPI to include Basic in the list of offers but then passing control over to AuthType Basic? I believe mod_auth_kerb does this via the KrbAuthoritative Off feature?

This is what I've pieced together so far, it currently works perfectly via Negotiate Kerberos providing staff a SSO experience in Edge, Chrome and Firefox (requires about:config network.negotiate-auth.trusted-uris to include the URL without a trailing /). Sample network.negotiate-auth.trusted-uris entry: https://site1.company.com,https://site2.company.com

Mobile devices do not show a password popup, but a Chrome incognito window does and works if I enter an AD account as user@realm. Edge's InPrivate window lets me either login with my AD credentials or a certificate (YubiCo PIV mode). Only Firefox doesn't work at all when launched as a private window. I presume these are using my workstation's ability to interact with KDCs.

PS: Is there a way to prevent users typing in credentials via GSSAPI, we wish to go completely passwordless...

Apache config file:

<VirtualHost *:80 *:443>
        ServerName site1.company.com

        ProxyPass / http://127.0.0.1:8000/
        ProxyPassReverse / http://127.0.0.1:8000/
        #SSLProxyEngine on

        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
        RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

        SSLEngine on
        SSLCertificateFile      /etc/apache2/certs/site1.company.com.pem
        SSLCertificateKeyFile   /etc/apache2/certs/site1.company.com.key
        SSLCertificateChainFile /etc/apache2/certs/intermediary.pem
        RewriteEngine On
        RewriteCond %{HTTPS} off [NC]
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

        ErrorLog    ${APACHE_LOG_DIR}/site1.company.com-error.log
        TransferLog ${APACHE_LOG_DIR}/site1.company.com-access.log
        CustomLog   ${APACHE_LOG_DIR}/site1.company.com-agent.log agent
        CustomLog   ${APACHE_LOG_DIR}/site1.company.com-referer.log referer

        <Location / >
                <If "%{HTTP:Authorization} =~ /^Basic\s/">
                        AuthType Basic
                        AuthName "3rd party accounts"
                        AuthUserFile /var/www/htpasswd-site1
                        Require valid-user
                </If>
                <Else>
                        AuthType GSSAPI
                        AuthName "Windows Domain"
                        GssapiAllowedMech krb5
                        #GssapiBasicAuth On
                        GssapiCredStore keytab:/etc/apache2/kerberos/site1.company.com.kerberos.key
                        GssapiLocalName On
                        #GssapiNegotiateOnce On
                        GssapiUseSessions On
                        GssapiSSLonly On
                        Session On
                        SessionMaxAge 300
                        SessionCookieName gssapi_session path=/;httponly;secure;
                        #BrowserMatch Windows gssapi-no-negotiate
                        Require unix-group site1-view
                </Else>
        </Location>
</VirtualHost>

PS: If I remove the If/Else logic and move the AuthType Basic section below the AuthType GSSAPI section it works in reverse. In that I can then successfully use Basic auth against the static user file but GSSAPI isn't available anywhere else.

Have also fiddled with the GssapiBasicAuth (then I have GSSAPI and AD BasicAuth working but no ability to use Kerberos for staff and a static file for external 3rd parties), can't perceive a difference with GssapiNegotiateOnce.

The BrowserMatch line initially appeared to kill any logins of any kind (Kerberos included), except for Chrome where I had relatively recently authenticated via BasicAuth. It's almost as if enabling the BrowserMatch options gets Apache to use the AuthType Basic handler without prompting the user to authenticate.

[bbs2web]

Managed the find the page that hinted at this being possible using mod_auth_kerb:
https://kb.iu.edu/d/alrl

[bbs2web]

Really looking for some pointers, I have it working perfectly for Negotiate Kerberos but basic login only works perfectly in Mozzilla Firefox, both Google Chrome and Microsoft Edge don't honour the redirect to the dummy /login-basic URL that attempts to switch auth to only offering Basic via the static user file.

RewriteEngine also doesn't work with ProxyPass so I split the virtual servers instead:

<VirtualHost *:80>
        ServerName site1.company.com
        Redirect permanent / https://site1.company.com/
</VirtualHost>
<VirtualHost *:443>
        ServerName site1.company.com

        ProxyPass / http://127.0.0.1:8000/
        ProxyPass /login-basic !
        ProxyPassReverse / http://127.0.0.1:8000/

        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
        RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}

        SSLEngine on
        SSLCertificateFile      /etc/apache2/certs/site1.company.com.pem
        SSLCertificateKeyFile   /etc/apache2/certs/site1.company.com.key
        SSLCertificateChainFile /etc/apache2/certs/intermediary.pem

        ErrorLog    ${APACHE_LOG_DIR}/site1.company.com-error.log
        TransferLog ${APACHE_LOG_DIR}/site1.company.com-access.log
        CustomLog   ${APACHE_LOG_DIR}/site1.company.com-agent.log agent
        CustomLog   ${APACHE_LOG_DIR}/site1.company.com-referer.log referer

        <Location / >
                <If "%{REQUEST_URI} =~ m#^/login-basic# || %{HTTP:Authorization} =~ /^Basic\s/">
                        AuthType Basic
                        AuthName "3rd party accounts"
                        AuthUserFile /var/www/htpasswd-site1
                        Require valid-user
                        RedirectMatch "^/login-basic" /
                </If>
                <Else>
                        AuthType GSSAPI
                        AuthName "Windows Domain"
                        GssapiAllowedMech krb5
                        GssapiCredStore keytab:/etc/apache2/kerberos/site1.company.com.kerberos.key
                        GssapiLocalName On
                        GssapiUseSessions On
                        GssapiSSLonly On
                        Session On
                        SessionMaxAge 300
                        SessionCookieName gssapi_session path=/;httponly;secure;
                        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login-basic\"></html>"
                        Require unix-group site1-view
                </Else>
        </Location>
</VirtualHost>

Debugging on Debian 11.3 (bullseye):

a2enmod dumpio;
pico /etc/apache2/apache2.conf;
  DumpIOInput On
  DumpIOOutput On
  LogLevel warn dumpio:trace8
systemctl restart apache2;
tail -f /var/log/apache2/error.log;

When the initial GET arrives it falls through to GSSAPI, which works perfectly with Negotiate Kerberos on a domain joined workstation via either Chrome, Edge or Firefox as a standard session in the user's logged in profile:

dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 19:28:40 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655753620998181;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>
dumpio_in (data-TRANSIENT): Authorization: Negotiate ************************

When testing via private/incognito windows, to use basic authentication against the static user file, it only works in Firefox:

dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 19:50:26 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655754926766304;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>
XXX
dumpio_in (data-TRANSIENT): GET /login-basic HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Cookie: gssapi_session=expiry=1655754926766304\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 19:50:26 GMT\r\nServer: Apache\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Basic realm="3rd party accounts"\r\nContent-Length: 381\r\nKeep-Alive: timeout=5, max=99\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>401 Unauthorized</title>\n</head><body>\n<h1>Unauthorized</h1>\n<p>This server could not verify that you\nare authorized to access the document\nrequested.  Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn't understand how to supply\nthe credentials required.</p>\n</body></html>\n
dumpio_in (data-TRANSIENT): GET /login-basic HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Cookie: gssapi_session=expiry=1655754926766304\r\n
dumpio_in (data-TRANSIENT): Authorization: Basic YmxhaDpoZGZ1cnNm\r\n
dumpio_out (data-HEAP): HTTP/1.1 302 Found\r\nDate: Mon, 20 Jun 2022 19:50:36 GMT\r\nServer: Apache\r\nStrict-Transport-Security: max-age=63072000\r\nLocation: https://site1.company.com/\r\nContent-Length: 213\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>302 Found</title>\n</head><body>\n<h1>Found</h1>\n<p>The document has moved <a href="https://site1.company.com/">here</a>.</p>\n</body></html>\n
dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Authorization: Basic YmxhaDpoZGZ1cnNm\r\n
dumpio_in (data-TRANSIENT): Cookie: gssapi_session=expiry=1655754926766304\r\n
dumpio_out (data-HEAP): HTTP/1.1 302 Found\r\nDate: Mon, 20 Jun 2022 19:50:36 GMT\r\nServer: Apache\r\nStrict-Transport-Security: max-age=63072000\r\nContent-Type: text/html;charset=utf-8\r\nLocation: https://site1.company.com/nodes\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Length: 0\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n\r\n

Neither Edge nor Chrome honour the 401 redirect to the '/login-basic' dummy URL which initiates Basic authentication. All 3 browsers ask for credentials which are entered in the section marked with XXX. They don't send the next connection to '/login-basic' so they don't receive the basic auth offer.

Chrome - incognito mode:

dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 19:57:43 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655755363630624;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>
XXX
dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Cookie: gssapi_session=expiry=1655755363630624\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 19:57:52 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655755372050938;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>
dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Cookie: gssapi_session=expiry=1655755372050938\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 19:57:53 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655755373121792;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>

Microsoft Edge - InPrivate window:

dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 20:03:07 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655755687922734;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>
XXX
dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Cookie: gssapi_session=expiry=1655755687922734\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 20:03:23 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655755703141220;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>
dumpio_in (data-TRANSIENT): GET / HTTP/1.1\r\n
dumpio_in (data-TRANSIENT): Cookie: gssapi_session=expiry=1655755703141220\r\n
dumpio_out (data-HEAP): HTTP/1.1 401 Unauthorized\r\nDate: Mon, 20 Jun 2022 20:03:25 GMT\r\nServer: Apache\r\nSet-Cookie: gssapi_session=expiry=1655755705850427;Max-Age=300;path=/;httponly;secure;\r\nStrict-Transport-Security: max-age=63072000\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 69\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
dumpio_out (data-HEAP): <html><meta http-equiv="refresh" content="0;url=/login-basic"></html>```

[simo5]

The problem is that GSSAPI has no real state. We could try by setting a cookie or something, and not repeat the 401 if the browser asks again, but are these browsers actually going to come back and ask again preserving cookies?
I am not sure I fully get what these browsers are doing when failing ...

[simo5]

Ie are they trying again 3 times, or was that you explicitly hitting reload on the browser?
If they retry at least once, we could use the gssapi_session cookie on first call to store some data and have a new option to return a 302 in case the browser comes by again and has no proper negotiate header sent in. Please open an issue with your request for enhancement in that case.

[bbs2web]

Thank you for your time on this, the examples I provided above was me entering the credentials only once, when prompted via popup, where depicted with XXX. Both Edge and Chrome try another two times after being fed the credentials and then display their own error message for the 401 response.

The configuration displayed in message #268 (comment) (the 2nd version above) essentially works perfectly on the following browsers. In that I can navigate to '/', the browser receives the Negotiate auth request, I enter credentials in the popup and it then honours the 401 redirect to /login-basic, in that it sends a request to /login-basic and upon receiving the basic auth 401 then automatically submits the credentials entered earlier; after which the browser is then redirected back to '/' and the site loads.

This as such is the behaviour I was hoping to achieve, it works perfectly in the following scenarios:

• Chrome on Android
• Safari on iOS
• Firefox on Windows

With Chrome and Edge on Windows, either in normal mode on a non-domain joined workstation or running an incognito or private window on a domain joined workstation, it appears to latch on to the presented Negotiate challenge and entered credentials keep failing as it doesn't redirect to trying the credentials on the /login-basic redirect URL. What I however now discovered is that I can hit cancel on the first credentials popup and it does then actually does redirect to /login-basic at which point an identically looking credential popup appears and everything works as with the other browsers (using basic auth).

My presumption is that Chromium was hardened to prevent a Negotiate to Basic auth downgrade attack. The following discussion in 2013/2014 had some insight in to Chrome apparently being stricter with the process than other browsers. Facebook and some others for example issue a 302 redirect when authentication fails to redirect the browser to a page that handles authentication:
https://stackoverflow.com/questions/8775593/is-it-possible-to-send-a-401-unauthorized-and-redirect-with-a-location

My current understanding is that Apache 2.4 does allow chaining authentication providers but we essentially need GSSAPI to have an option to change its behaviour, possible something along the lines of 'GssapiAuthoritative Off', where it then:

• Initiate Negotiate with a 401 response
• Upon receiving a second request with 'Cookie: gssapi_session', from the previous 401, but no 'Authorization: Negotiate' it should issue a 302 to the /login-basic URL
• Basic auth provider takes it from there

PS: I'm really not a developer and unfortunately have no meaningful way to understand or contribute to the code.

[bbs2web]

By the way, I did try GssapiNegotiateOnce On but I'm not sure if this is a bug or Chromium based browsers refusing to let go of Negotiate when they have the ability to identify the presented Negotiate challenge.

[bbs2web]

Apologies, I miss read your last post. I think that behaviour would be perfect. I'll create the feature enhancement request, many thanks!

[bbs2web]

In summary, the above essentially works as intended in that SSO negotiates Kerberos successfully on Chrome, Edge and Firefox. Basic auth against a static 3rd party user file also works perfectly when I point browsers directly at the https://site1.company.com/login-basic URL.

The only thing that isn't working is getting Chrome or Edge to honour the redirect to /login-basic when GSSAPI fails to negotiate Kerberos. I presume this to be a security feature in Chrome and Edge, looking for anyone with experience on how to change the ErrorDocument 401 line to get those browsers to redirect to the correct login URL.