GSSAPI uses a secured (encrypted + MAC-ed) payload to maintain state in the
session cookie. The session cookie lifetime depends on the lifetime of the
GSSAPI session established at authentication.
-NOTE: It is important to correctly set the SessionCookieName option.
+**NOTE**: It is important to correctly set the SessionCookieName option.
See the
[mod_sessions](http://httpd.apache.org/docs/current/mod/mod_session.html)
documentation for more information.
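Review bot: the bolding added here puts the colon outside the emphasis (`**NOTE**:`), while the other notes touched by this patch put it inside (`**Note:**` on the GssapiUseS4U2Proxy note, `**NOTE:**` on the GssapiNegotiateOnce note). Pick one form, for example `**NOTE:**`, and use it for every note in the file so the rendered output is consistent.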
populated with the user's provided ticket which is later used as evidence
ticket by the application.
+**Note:** This flag has no effect when Basic-Auth is used since user's
+credentials are delegated anyway when GssapiDelegCcacheDir is set.
+
#### Example
GssapiUseS4U2Proxy On
GssapiCredStore keytab:/etc/httpd.keytab
### GssapiBasicAuth
Allows the use of Basic Auth in conjunction with Negotiate.
-If the browser fails to use Negotiate is will instead fallback to Basic and
+If the browser fails to use Negotiate it will instead fallback to Basic and
the username and password will be used to try to acquire credentials in the
-module via GSSAPI. If credentials are acquire successfully then they are
+module via GSSAPI. If credentials are acquired successfully then they are
validated against the server's keytab.
- **Enable with:** GssapiBasicAuth On
GssapiBasicAuthMech krb5
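Review bot: the added note "This flag has no effect when Basic-Auth is used since user's credentials are delegated anyway" is missing an article ("since the user's credentials") and spells the mechanism "Basic-Auth" while the heading text two lines below says "Basic Auth"; use one spelling. While fixing the typo in "it will instead fallback to Basic", note that "fallback" is the noun and the verb is two words: "it will instead fall back to Basic".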
-#### GssapiNameAttributes
+### GssapiNameAttributes
Enables the module to source Name Attributes from the client name
(authorization data associated with the established context) and exposes them
error string in case the inquire name function fails to retrieve attributes,
and with the string "0 attributes found", if no attributes are set.
-Note: These variables are NOT saved in the session data stored in the cookie so they
-are available only on the first authenticated request when GssapiUseSessions is
-used.
+**Note**: These variables are NOT saved in the session data stored in the
+cookie so they are available only on the first authenticated request when
+GssapiUseSessions is used.
-Note: It is recommended but not required to use only capital letters and underscores
-for environment variable names.
+**Note:** It is recommended but not required to use only capital letters and
+underscores for environment variable names.
#### Example
GssapiNameAttributes json
GssapiNameAttributes RADIUS_NAME urn:ietf:params:gss:radius-attribute_1
+
+
+### GssapiNegotiateOnce
+
+When this option is enabled the Negotiate header will not be resent if
+Negotiation has already been attempted but failed.
+
+Normally when a client fails to use Negotiate authentication, a HTTP 401
+response is returned with a WWW-Authenticate: Negotiate header, implying that
+the client can retry to use Negotiate with different credentials or a
+different mechanism.
+
+Consider enabling GssapiNegotiateOnce when only one single sign on mechanism
+is allowed, or when GssapiBasicAuth is enabled.
+
+**NOTE:** if the initial Negotiate attempt fails, some browsers will fallback
+to other Negotiate mechanisms, prompting the user for login credentials and
+reattempting negotiation. This situation can mislead users - for example if
+krb5 authentication failed and no other mechanisms are allowed, a user could
+be prompted for login information even though any login information provided
+cannot succeed. When this occurs, some browsers will not fall back to a Basic
+Auth mechanism. Enable GssapiNegotiateOnce to avoid this situation.
+
+- **Enable with:** GssapiNegotiateOnce On
+- **Default:** GssapiNegotiateOnce Off
+
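Review bot: the new GssapiNegotiateOnce section says the Negotiate header "will not be resent" after a failed attempt but never states what the client receives instead (a 401 carrying only the Basic challenge when GssapiBasicAuth is on, or a 401 with no WWW-Authenticate header at all); documenting that response is what an administrator needs to decide whether to enable it. Please also add a `#### Example` block as the other directives have, and fix the small grammar points: "an HTTP 401", "will fall back to other Negotiate mechanisms" (verb, two words), and "single sign-on". Within the same hunk, the two GssapiNameAttributes notes use different colon placement (`**Note**:` versus `**Note:**`); make them match.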