1 --------------------------------------------------------------------------------
2 readme.txt is the mod_spnego read-me file.
3
4 Author: Frank Balluffi and Markus Moeller
5
6 Copyright (C) 2002-2007 Frank Balluffi and Markus Moeller. All rights reserved.
7 --------------------------------------------------------------------------------
8
9 mod_spnego Read Me
10
11 Frank Balluffi and Markus Moeller
12 August 19, 2005
13
14 1 Introduction
15
16 mod_spnego is a reference implementation Apache module that supports
17 authentication via the RFC 2478 SPNEGO GSS-API mechanism. Currently, mod_spnego
18 supports Apache 1.3 and 2.0 on Linux, Solaris and Windows.
19
20 mod_spnego was originally written to handle RFC 2478 SPNEGO tokens sent by
21 Microsoft Internet Explorer. Later, support for RFC 1964 Kerberos tokens (as
22 sent by Mozilla Firefox on Linux) was added.
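
The token types named in this read-me (RFC 2478 SPNEGO, RFC 1964 Kerberos, and the NTLM tokens and Microsoft legacy object identifier listed under Bug Fixes and Enhancements) can be told apart from the leading bytes of the base64-decoded Negotiate token. The C code below is an added example, not code from mod_spnego; classify_token, der_enter and the sample byte arrays are hypothetical names and constructed data, and it assumes the initial token of an exchange with a mechTypes list present.

```c
#include <stdio.h>
#include <string.h>
enum token_kind { TOK_INVALID, TOK_NTLM, TOK_KRB5, TOK_SPNEGO };
static const unsigned char OID_SPNEGO[]  = {0x2b,0x06,0x01,0x05,0x05,0x02};                /* 1.3.6.1.5.5.2 (OID contents only) */
static const unsigned char OID_KRB5[]    = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
static const unsigned char OID_MS_KRB5[] = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.48018.1.2.2 */
#define OID_IS(p, len, oid) ((size_t)(len) == sizeof(oid) && memcmp((p), (oid), sizeof(oid)) == 0)
/* Expect `tag` at *p and move *p to its contents; returns the content length, or -1 if it overruns `end`. */
static long der_enter(const unsigned char **p, const unsigned char *end, unsigned char tag)
{
    const unsigned char *q = *p;
    size_t len, n;
    if (end - q < 2 || q[0] != tag) return -1;
    len = q[1];
    q += 2;
    if (len & 0x80) {                 /* long form: the next n bytes hold the length */
        n = len & 0x7f;
        if (n == 0 || n > 3 || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1;
    *p = q;
    return (long)len;
}

/* Classify a decoded initial token; *ms_legacy is 1 when mechTypes offers the Microsoft legacy OID. */
enum token_kind classify_token(const unsigned char *buf, size_t n, int *ms_legacy)
{
    const unsigned char *p = buf, *end = buf + n;
    long len;
    *ms_legacy = 0;
    if (n >= 8 && memcmp(buf, "NTLMSSP", 8) == 0) return TOK_NTLM;   /* NTLM signature */
    if (der_enter(&p, end, 0x60) < 0) return TOK_INVALID;            /* [APPLICATION 0] */
    if ((len = der_enter(&p, end, 0x06)) < 0) return TOK_INVALID;    /* thisMech OID */
    if (OID_IS(p, len, OID_KRB5)) return TOK_KRB5;                   /* RFC 1964 framing */
    if (!OID_IS(p, len, OID_SPNEGO)) return TOK_INVALID;
    p += len;
    /* NegTokenInit: [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... } */
    if (der_enter(&p, end, 0xa0) < 0 || der_enter(&p, end, 0x30) < 0 || der_enter(&p, end, 0xa0) < 0 ||
        (len = der_enter(&p, end, 0x30)) < 0) return TOK_INVALID;
    for (end = p + len; p < end; p += len) {
        if ((len = der_enter(&p, end, 0x06)) < 0) return TOK_INVALID;
        if (OID_IS(p, len, OID_MS_KRB5)) *ms_legacy = 1;
    }
    return TOK_SPNEGO;
}
/* Constructed samples: framing bytes only, no real ticket or credential data. */
static const unsigned char NTLM_SAMPLE[] = {'N','T','L','M','S','S','P',0, 1,0,0,0};
static const unsigned char KRB5_SAMPLE[] = {0x60,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x01,0x00};
static const unsigned char SPNEGO_SAMPLE[] = {0x60,0x26,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x1c,0x30,0x1a,0xa0,0x18,0x30,0x16,
    0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

int main(void)
{
    int ms, kind = classify_token(SPNEGO_SAMPLE, sizeof SPNEGO_SAMPLE, &ms);
    printf("spnego: kind=%d ms_legacy_oid=%d\n", kind, ms);
    printf("ntlm: kind=%d, krb5: kind=%d\n", classify_token(NTLM_SAMPLE, sizeof NTLM_SAMPLE, &ms), classify_token(KRB5_SAMPLE, sizeof KRB5_SAMPLE, &ms));
    return 0;
}
```

Every length is checked against the end of the buffer before it is used, so a truncated or malformed token is rejected instead of being read past its end.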
23
24 With older Kerberos libraries that do not support SPNEGO, mod_spnego uses the following libraries:
25
26 - Apache
27 - MIT GSS-API or HEIMDAL GSS-API or IBM AIX NAS or Sun Solaris SEAM
28 - fbopenssl (only required if the Kerberos libraries don't support SPNEGO)
29
30 fbopenssl contains extensions to OpenSSL, including APIs for GSS-API and SPNEGO.
31
32 With newer Kerberos libraries that do support SPNEGO, mod_spnego uses the following libraries:
33
34 - Apache
35 - MIT GSS-API or HEIMDAL GSS-API or IBM AIX NAS or Sun Solaris SEAM
36
37 mod_spnego uses the following libraries on Windows platforms:
38
39 - Apache
40 - Windows SSPI
41
42 mod_spnego has been built and tested on Apache 1.3.29* and 2.0.46 on the
43 following operating systems:
44
45 - Microsoft Windows 2000 Server Service Pack 4 with Visual C++ .NET
46 - Sun Solaris 2.8 (SunOS 5.8) with gcc 2.95
47 - SuSE Linux 8.2 with gcc 3.3
48 - IBM AIX with xlc
49
50 mod_spnego has been tested with the following clients:
51
52 - Microsoft Internet Explorer on Windows XP Service Pack 1
53 - Mozilla Firefox 1.0 on Windows XP Service Pack 1
54 - Mozilla Firefox 1.0 on SuSE Linux 8
55
56 mod_spnego still lacks the following:
57
58 - group authorization files
59
60 For more information about open issues, see the Open Issues section (below).
61
62 * The authors were not able to install Apache 1.3.29 on Windows, so
63 Apache 1.3.28 was used.
64
65 2 Building and Installation
66
67 2.1 Linux and UNIX
68
69 Build and install Apache. For example, Apache 1.3:
70
71 [Get apache_1.3.29.tar.gz.]
72 gunzip apache_1.3.29.tar.gz
73 tar xvf apache_1.3.29.tar
74 cd apache_1.3.29
75 ./configure --prefix=/test/ballfra/apache --enable-module=most --enable-shared=max
76 make
77 make install
78
79 and for Apache 2.0:
80
81 [Get httpd-2.0.46.tar.gz.]
82 gzip -d httpd-2.0.46.tar.gz
83 tar xvf httpd-2.0.46.tar
84 cd httpd-2.0.46
85 ./configure --prefix=/test/ballfra/apache2 --enable-so
86 make
87 make install
88
89 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
90 ~~~~~ Only needed for older Kerberos implementation ~~~~~
91 ~~~~~ Use -DHAVE_SPNEGO with apxs or apxs2 ~~~~~~~~~~~~~~
92 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
93
94 Build OpenSSL. For example:
95
96 [Get openssl-0.9.7b.tar.gz.]
97 gunzip openssl-0.9.7b.tar.gz
98 tar xvf openssl-0.9.7b.tar
99 cd openssl-0.9.7b
100 ./config shared
101 make
102
103 Define the environment variable OPENSSLDIR to point to OpenSSL. For example:
104
105 echo $OPENSSLDIR
106 /home/ballfra/external/openssl-0.9.7b
107
108 If OpenSSL has been installed, change the following line in Makefile from:
109
110 SSLLIB = -Wl,-R$(OPENSSLDIR) -L$(OPENSSLDIR) -lcrypto
111
112 to:
113
114 SSLLIB = -Wl,-R$(OPENSSLDIR)/lib -L$(OPENSSLDIR)/lib -lcrypto
115
116 Build fbopenssl. For example:
117
118 cd fbopenssl
119 make CFG=release
120
121 Define the environment variable FBOPENSSLDIR to point to fbopenssl. For example:
122
123 echo $FBOPENSSLDIR
124 /home/ballfra/src/fbopenssl
125
126 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
127 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
128
129 Build MIT GSS-API. For example:
130
131 [Get krb5-1.2.8.tar.gz.]
132 gunzip krb5-1.2.8.tar.gz
133 tar xvf krb5-1.2.8.tar
134 cd krb5-1.2.8/src
135 ./configure --enable-shared --with-cc=gcc
136 make
137
138 To build version (MIT GSS-API) 1.3.1 with gcc, use "./configure --enable-shared CC=gcc".
139
140 Define the environment variable KRB5DIR to point to MIT KRB5. For example:
141
142 echo $KRB5DIR
143 /home/ballfra/external/krb5-1.2.8
144
145 Build and install mod_spnego. For example, Apache 1.3:
146
147 ~~~~~ Only needed for older Kerberos implementation ~~~~~
148 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
149 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5 -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcrypto"
150 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
151 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
152 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5"
153 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
154 rm mod_spnego.o mod_spnego.so unix-env.o
155 rm -fr .libs
156 /test/ballfra/apache/bin/apxs -c -a -i -D APACHE13 -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c unix-env.c
157
158 or for HEIMDAL
159
160 ~~~~~ Only needed for older Kerberos implementation ~~~~~
161 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
162 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcrypto"
163 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
164 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
165 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi"
166 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
167 rm mod_spnego.o mod_spnego.so unix-env.o
168 rm -fr .libs
169 /test/ballfra/apache/bin/apxs -c -a -i -D HEIMDAL -D APACHE13 -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c unix-env.c
170
171 and for Apache 2.0:
172
173 ~~~~~ Only needed for older Kerberos implementation ~~~~~
174 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
175 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5 -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcrypto"
176 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
177 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
178 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi_krb5"
179 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
180 rm mod_spnego.o
181 rm -fr .libs
182 /test/ballfra/apache2/bin/apxs2 -c -a -i $MYCFLAGS $MYLDFLAGS mod_spnego.c
183
184 Modify environment variable LD_LIBRARY_PATH to include directories containing
185 libcrypto.so and libgssapi_krb5.so.
186
187 or for HEIMDAL
188
189 ~~~~~ Only needed for older Kerberos implementation ~~~~~
190 MYCFLAGS="-I${KRB5DIR}/src/include -I${FBOPENSSLDIR}/include -I${OPENSSLDIR}/include"
191 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi -L${FBOPENSSLDIR}/SunOS-debug -lfbopenssl -L${OPENSSLDIR} -lcrypto"
193 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
194 MYCFLAGS="-DHAVE_SPNEGO -I${KRB5DIR}/src/include"
195 MYLDFLAGS="-L${KRB5DIR}/src/lib/gssapi/krb5 -lgssapi"
196 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
197 rm mod_spnego.o
198 rm -fr .libs
199 /test/ballfra/apache2/bin/apxs2 -c -a -i -D HEIMDAL $MYCFLAGS $MYLDFLAGS mod_spnego.c
200
201 or for IBM AIX NAS (with IBM HTTP Server 6.0.2.0)
202
203
204 ~~~~~ Only needed for older Kerberos implementation ~~~~~
205 MYCFLAGS="-I/opt/freeware/include"
206 MYLDFLAGS="-L/opt/freeware/lib -lgssapi_krb5 -lfbopenssl -lcrypto"
207 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
208 MYCFLAGS="-DHAVE_SPNEGO -I/opt/freeware/include"
209 MYLDFLAGS="-L/opt/freeware/lib -lgssapi_krb5"
210 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
211 rm mod_spnego.o
212 rm -fr .libs
213 /usr/IBMIHS/bin/apxs -c -a -i -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c
214
215 with libfbopenssl.a in /opt/freeware/lib, fbopenssl headers in /opt/freeware/include, openssl from the AIX Linux Toolkits and xlc compiler.
216
217 or for Sun Solaris SEAM
218
219 ~~~~~ Only needed for older Kerberos implementation ~~~~~
220 MYCFLAGS="-I/usr/sfw/include -Wc,-g"
221 MYLDFLAGS="-lgss -L/usr/sfw/lib -Wl,-R/usr/sfw/lib -lfbopenssl -lcrypto"
222 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
223 MYCFLAGS="-DHAVE_SPNEGO -I/usr/sfw/include -Wc,-g"
224 MYLDFLAGS="-lgss -L/usr/sfw/lib -Wl,-R/usr/sfw/lib"
225 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
226 rm mod_spnego.la mod_spnego.lo mod_spnego.o mod_spnego.slo
227 rm -fr .libs
228 /usr/apache2/bin/apxs -c -a -i -DSEAM -D HAVE_PUTENV $MYCFLAGS $MYLDFLAGS mod_spnego.c
229
230 with libfbopenssl.a in /usr/sfw/lib and fbopenssl headers in /usr/sfw/include
231
232 2.2 Windows
233
234 Install Apache 1.3 or Apache 2.0.
235 For Apache 1.3, define the environment variable APACHE13DIR to point to
236 Apache 1.3. For example:
237
238 echo %APACHE13DIR%
239 C:\Program Files\Apache Group\Apache
240
241 For Apache 2.0, define the environment variable APACHE2DIR to point to
242 Apache 2.0. For example:
243
244 echo %APACHE2DIR%
245 C:\Program Files\Apache Group\Apache2
246
247 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
248 ~~~~~ Only needed for older Kerberos implementation ~~~~~
249 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
250 Build OpenSSL.
251 Define the environment variable OPENSSLDIR to point to OpenSSL. For example:
252
253 echo %OPENSSLDIR%
254 C:\external\openssl-0.9.7b
255
256 Build fbopenssl.
257 Define the environment variable FBOPENSSLDIR to point to fbopenssl. For example:
258
259 echo %FBOPENSSLDIR%
260 C:\frank\src\fbopenssl
261
262 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
263 ~~~~~ Only needed for newer Kerberos implementation and ~
264 ~~~~~ if Windows SSPI is not used ~~~~~~~~~~~~~~~~~~~~~~~
265 ~~~~~ Update mod_spnego.sln with HAVE_SPNEGO ~~~~~~~~~~~~
266 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
267
268 Build MIT GSS-API.
269 Define the environment variable KRB5DIR to point to MIT KRB5. For example:
270
271 echo %KRB5DIR%
272 C:\external\kfw-2.1.2
273
274 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
275 ~~~~~ If Windows SSPI is used ~~~~~~~~~~~~~~~~~~~~~~~~~~~
276 ~~~~~ Update mod_spnego.sln with HAVE_SSPI ~~~~~~~~~~~~~~
277 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
278
279 Using Visual C++ .NET, build the following Win32 Debug and Win32 Release
280 configurations:
281
282 mod_spnego\mod_spnego.sln
283 mod_spnego\mod_spnego_have_spnego.sln
284 mod_spnego\mod_spnego_have_sspi.sln
285
286 Install mod_spnego. Note that mod_spnego is named mod_spnego.so on Windows, not
287 mod_spnego.dll.
288
289 3 Configuration
290
291 Obtain a keytab file for the service HTTP for your server (only if SSPI is not used).
292
293 Copy the keytab file to the default location or define the environment
294 variable KRB5_KTNAME to point to the keytab file. The default keytab files for
295 UNIX and Windows are /etc/krb5.keytab and \winnt\krb5kt. When defining
296 KRB5_KTNAME on Windows, use backslashes (not forward slashes) and do not specify
297 a drive letter (e.g., C:).
298
299 For each directory that you want to secure, specify the following directives
300 inside an httpd.conf Directory directive:
301
302 AllowOverride AuthConfig
303 [Krb5KeyTabFile key-tab-file]
304 Krb5ServiceName service-name
305
306 where service-name is a list of Kerberos version 5 service names to be used by
307 mod_spnego (e.g., HTTP http khttp) and key-tab-file points to a Kerberos version 5 keytab
308 file. The lowercase http has been seen from Mac browsers, and khttp was used by some
309 Mozilla versions.
310 You can also use GSS_C_NO_NAME to match any service name.
311
312 For example:
313
314 <Directory "/home/bob/apache2/htdocs">
315 Options Indexes FollowSymLinks
316 AllowOverride AuthConfig
317 Order allow,deny
318 Allow from all
319 # not valid with SSPI
320 Krb5KeyTabFile /home/alice/krb5kt
321 #
322 Krb5ServiceName HTTP
323 </Directory>
324
325 The Krb5KeyTabFile directive (not valid with SSPI) causes the environment variable KRB5_KTNAME to be
326 set. Please note that the authors were not able to successfully place a keytab
327 file in a place other than \winnt\krb5kt on Windows 2000.
328 With SSPI, add the service principal to the machine account on which Apache is running using setspn,
329 e.g. SETSPN -A HTTP/server.domain server
330
331
332 Inside each (file system) directory, create a file named .htaccess
333 containing the following:
334
335 AuthType SPNEGO
336 Require {user user-list} | valid-user
337
338 where user-list is a list of Kerberos principal names separated by spaces that
339 are authorized to access the directory's files.
340
341 For example:
342
343 AuthType SPNEGO
344 Require user alice@FOO.COM bob@FOO.COM david@FOO.COM
345
346 or
347
348 AuthType SPNEGO
349 Require valid-user
350
351 Please note that the authors have experienced inconsistent behavior when the
352 AllowOverride directive is set to None and no .htaccess file is used (see Open
353 Issues).
354
355 By default, mod_spnego requires Kerberos authentication for each HTTP request.
356 To configure mod_spnego on Apache 2.0 or higher to only require Kerberos
357 authentication for the first request in each HTTP 1.1 Keep-Alive connection,
358 specify the following httpd.conf server directive:
359
360 Krb5AuthEachReq Off
361
362 By default, Krb5AuthEachReq is set to On. Krb5AuthEachReq is not supported on
363 Apache 1.3.
364
365 To create an http/hostname@REALM.COM service principal, you have to copy the
366 HTTP/hostname@REALM.COM entry in the keytab (as far as I know, you cannot have an HTTP and
367 an http service principal in AD for the same server).
368
369 First do a list of the keytab file (I am assuming you use MIT Kerberos):
370
371 # klist -k -e -K -t /etc/httpd/HTTP.keytab
372 Keytab name: FILE:/etc/httpd/HTTP.keytab
373 KVNO Timestamp Principal
374 ---- ----------------- --------------------------------------------------------
375 1 11/29/04 11:42:25 HTTP/moelma.test.com@TEST.COM (ArcFour with HMAC/md5) (0x0d41ede68082fc5b8611dc5da75b5d4f)
377
378 Then do a ktutil with the following commands:
379 # ktutil
380 ktutil: addent -key -p http/moelma.test.com@TEST.COM -k 1 -e rc4-hmac
381 Key for http/moelma.test.com@TEST.COM (hex): 0d41ede68082fc5b8611dc5da75b5d4f
382 ktutil: wkt /etc/httpd/HTTP.keytab
383 ktutil: quit
384
385 Use the same kvno and enc-type as the HTTP entry. This should add a second entry
386 (with the service name http) to the keytab with the same key as for the HTTP service.
387
388 4 Architecture
389
390 -------------------------
391 | Apache |
392 |-------------------------|
393 | mod_spnego |
394 |-------------------------|
395 | fbopenssl | MIT GSS-API |
396 |-----------|-------------
397 | OpenSSL |
398 -----------
399
400 5 Debugging
401
402 5.1 Windows
403
404 The authors were not able to successfully attach a debugger on Windows by
405 calling DebugBreak (or __asm {int 3}), but were able to debug mod_spnego within
406 Visual Studio:
407
408 Open module in Visual Studio.
409 Build debug version of module.
410 Configure project's Debugging property to run "Apache.exe -X". For example:
411
412 Command: C:\Program Files\Apache Group\Apache2\bin\Apache.exe
413 Command Arguments: -X
414 Working Directory: C:\Program Files\Apache Group\Apache2\bin
415
416 Configure httpd.conf to point to debug version of module.
417 From Visual Studio, set breakpoints and run debugger (F5).
418
419 Please note that the command-line option -X is documented for httpd on Linux and
420 UNIX, but not for Apache.exe on Windows. "apache.exe /?" does not list -X.
421
422 6 References
423
424 Baize, E. and Pinkas, D. RFC 2478: The Simple and Protected GSS-API Negotiation
425 Mechanism. December 1998.
426
427 Brezak, J. Internet Draft: HTTP Authentication: SPNEGO Access Authentication As
428 implemented in Microsoft Windows 2000 (draft-brezak-spnego-http-04.txt). October
429 2002.
430
431 Surati, Sanj and Muckin, Michael. HTTP-Based Cross-Platform Authentication via
432 the Negotiate Protocol Part I — Network Infrastructure
433 (http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-1.asp). December
434 2002.
435
436 Surati, Sanj and Muckin, Michael. HTTP-Based Cross-Platform Authentication via
437 the Negotiate Protocol Part II — SPNEGO Tokens and the Negotiate Protocol
438 (http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-2.asp). December
439 2002.
440
441 Surati, Sanj and Muckin, Michael. HTTP-Based Cross-Platform Authentication via
442 the Negotiate Protocol Part III — SPNEGO Token Handler API
443 (http://msdn.microsoft.com/library/en-us/dnsecure/html/http-sso-3.asp). December
444 2002.
445
446 Tschalar, Ronald. NTLM Authentication Scheme for HTTP
447 (http://www.innovation.ch/java/ntlm.html). June 17, 2003.
448
449 7 Bug Fixes and Enhancements
450
451 2003-11-14 mod_spnego.c:184 Fixed apr_pcalloc call to take length, not address
452 of value.
453
454 2004-01-19 Applied patch from Frank Taylor to handle SPNEGO tokens containing
455 Microsoft legacy object identifier 1.2.840.48018.1.2.2.
456
457 2005-01-24 Added support for server directive Krb5AuthEachReq on Apache 2.0.
458 Implementation is based on code from Horst Reiterer of Fabalabs.
459
460 2005-01-25 Added support for RFC 1964 Kerberos tokens as sent by Firefox on
461 Linux.
462
463 2005-04-14 Added detection and logging of NTLM tokens.
464
465 2005-08-08 Changed Krb5ServiceName to be a list of service names.
466 Added the possibility of using Virtual Hosts
467
468 2005-08-19 Fix logging issues and empty require line
469
470 2007-10-27 Changed license from GPL to Apache 2.0
471
472 2007-10-27 Add option HAVE_SPNEGO as newer Kerberos libraries support SPNEGO too
473
474 8 Open Issues
475
476 Modify makeSpnegoTargetToken and parseSpnegoInitialToken so that caller
477 allocates memory with apr_pcalloc?
478
479 Test log levels to control log output.
480
481 Make success log messages user friendly. For example:
482
483 mod_spnego: authentication hook handling request
484 mod_spnego: authentication hook sending "WWW-Authenticate: Negotiate"
485 mod_spnego: authentication hook returning 401
486 mod_spnego: authentication hook handling request for user %s
487 mod_spnego: authentication hook sending "WWW-Authenticate: Negotiate" and SPNEGO token
488 mod_spnego: authentication hook returning %d
489 mod_spnego: authorization hook handling request for user %s
490 mod_spnego: authorization hook returning %d
491
492 How expensive is calling gss_import_name and gss_acquire_cred per request? Is it
493 necessary to call these functions per request?
494
495 Add debug directives to write input and output SPNEGO tokens to files?
496
497 gss_accept_sec_context seems to return 851968 if there is too much time skew
498 between client and server. GSS-API? Is it possible to programmatically determine
499 that gss_accept_sec_context failed because of time skew? Also, mod_spnego does
500 not include KRB-ERROR message output by gss_accept_sec_context in SPNEGO
501 response token.
502
503 Test with no Require directive in .htaccess.
504
505 Should the Krb5ServiceName directive be mandatory? SPNEGO_CONFIG's
506 krb5ServiceName element could be initialized to "HTTP".
507
508 The authors were not able to successfully place a keytab file in a place other
509 than \winnt\krb5kt on Windows 2000.
510
511 Windows project and solution files were built with Visual C++ .NET 2003.
512
513 For Apache 1.3 on Solaris, make sure each Directory directive contains the
514 following directive:
515
516 AllowOverride AuthConfig
517
518 On Apache 1.3 on Windows, apr_env_set (in win32-env.c) is forced to call
519 SetEnvironmentVariableA.
520
521 Test with "AllowOverride None" and the following directives in httpd.conf, not
522 in .htaccess:
523
524 AuthType SPNEGO
525 Require ...