
We are using Apache with mod_auth_kerb to authenticate our users, who are configured in an Active Directory. While trying to extract REMOTE_USER from the environment variables, I observed something strange: I was able to retrieve the user when SSL is enabled by loading the mod_ssl library, but it gave me a "null" value for the non-SSL variable.

Here are the configurations for my Apache Server:

<Location /my-site-page>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbSaveCredentials on
    KrbLocalUserMapping off
    KrbAuthRealms MY.REALM.COM
    KrbServiceName Any
    Krb5KeyTab /path/to/my/keytab

    # forward the authenticated user to the backend, once from the
    # environment variable and once from the SSL variable lookup
    RequestHeader set X-REMOTE-USER %{REMOTE_USER}e
    RequestHeader append X-REMOTE-USER %{REMOTE_USER}s
</Location>

As I understand from the Apache mod_headers docs:

%{VARNAME}e The contents of the environment variable VARNAME.
%{VARNAME}s The contents of the SSL environment variable VARNAME, if mod_ssl is enabled.

I tried with SSL both on and off; here are the results I see.

When SSL is enabled:

X-REMOTE-USER: (null), harman

When SSL is disabled:

X-REMOTE-USER: (null), (null)
Harman
  • Are you using Internet Explorer? Is the security zone configuration allowing non-HTTPS sites? – msg Sep 22 '18 at 02:17
  • @msg I use Chrome, but that too uses IE configs. The property `Display mixed content` is set to `Prompt`. – Harman Sep 22 '18 at 15:49
  • Under "Trusted sites" should be an option to require SSL. If that's the case the browser won't be sending auth headers over a plain connection I think. – msg Sep 22 '18 at 15:57
  • @msg Under `Trusted Sites` it says `Require server verification (https:) for all sites in this zone.`, which was checked, but my site was not listed there. However, I unchecked it, but the result was still the same. – Harman Sep 22 '18 at 16:19
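Whatever the cause of the `(null)` values, the backend that receives `X-REMOTE-USER` has to cope with exactly the two header shapes the question shows: a `set` followed by an `append` yields a comma-joined list, and an unset source variable is emitted as the literal string `(null)`. The following is an added example, not code from the question or from mod_auth_kerb, of how a backend should reduce such a header to one trusted identity or to "not authenticated". The header name, the `(null)` placeholder and the comma-joined shape come from the question's output; the trusted-proxy address, the realm check and the `user@REALM` principal form are assumptions about the deployment.

```python
"""Backend-side interpretation of an X-REMOTE-USER header set by Apache mod_headers.

Added example (not part of the original question). Sample header values are
constructed from the question's observed output.
"""
from typing import Dict, Optional

NULL_PLACEHOLDER = "(null)"       # what mod_headers emits for an unset variable
TRUSTED_PROXY = "10.0.0.5"        # assumed address of the Apache front end
EXPECTED_REALM = "MY.REALM.COM"   # realm from the question's KrbAuthRealms


def parse_remote_user(header_value: Optional[str]) -> Optional[str]:
    """Return the single principal carried in X-REMOTE-USER, or None.

    `RequestHeader set` followed by `RequestHeader append` produces a
    comma-separated list, and an unset source variable shows up as the
    literal "(null)". Only exactly one distinct real value is accepted;
    zero values or several different values are treated as unauthenticated
    rather than guessed at.
    """
    if header_value is None:
        return None
    parts = [p.strip() for p in header_value.split(",")]
    real = {p for p in parts if p and p != NULL_PLACEHOLDER}
    if len(real) != 1:
        return None
    return real.pop()


def principal_to_username(principal: str) -> Optional[str]:
    """Map a Kerberos principal to a local user name.

    With KrbLocalUserMapping off the principal is normally 'user@REALM';
    the question's output shows a bare 'harman', so both forms are handled.
    A principal from any realm other than the expected one is rejected.
    """
    if "@" not in principal:
        return principal
    user, realm = principal.rsplit("@", 1)
    if not user or realm.upper() != EXPECTED_REALM:
        return None
    return user


def authenticated_user(headers: Dict[str, str], peer_addr: str) -> Optional[str]:
    """Full check: believe X-REMOTE-USER only when the request came from the proxy.

    Header names are matched case-insensitively, as HTTP requires.
    """
    if peer_addr != TRUSTED_PROXY:
        # A direct client could set X-REMOTE-USER itself; never trust it.
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    principal = parse_remote_user(lowered.get("x-remote-user"))
    if principal is None:
        return None
    return principal_to_username(principal)


if __name__ == "__main__":
    # Constructed inputs modelled on the question's two observations.
    with_ssl = {"X-REMOTE-USER": "(null), harman"}
    without_ssl = {"X-REMOTE-USER": "(null), (null)"}
    print(authenticated_user(with_ssl, TRUSTED_PROXY))      # harman
    print(authenticated_user(without_ssl, TRUSTED_PROXY))   # None
    print(authenticated_user(with_ssl, "203.0.113.9"))      # None (not from proxy)
```

The point of refusing anything other than exactly one real value is that a naive backend which takes the header verbatim would log in a user named `(null), harman`, or accept `(null), (null)` as a non-empty identity; the peer-address check matters because `RequestHeader set` only overrides a client-supplied header on requests that actually pass through this Apache instance.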

0 Answers