
This is a module based on http://meta.cesnet.cz/software/heimdal/negotiate.en.html.

It uses Microsoft's example code from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-3.asp

The browser setup is described at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp.

The build, with MIT Kerberos installed in /usr/kerberos, can look like the following.

With apxs, and with libspnegohelp.so in /usr/lib:

/usr/sbin/apxs -i -a -c -DEAPI_MM -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/kerberos/include -L/usr/kerberos/lib -L/usr/lib -Wl,-R/usr/kerberos/lib -Wl,-R/usr/lib -lspnegohelp -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err mod_auth_gss_krb5.c

or, on SuSE Linux 8.0, from the Apache source tree:

CFLAGS="-g" \
LDFLAGS="-g" \
INCLUDES="-I/usr/kerberos/include" \
OPTIM="-O2 -march=i586 -mcpu=i686 -fmessage-length=0 \$(OPTIM_ARCH) -DEAPI_MM -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DHARD_SERVER_LIMIT=2048 -DDYNAMIC_MODULE_LIMIT=128 " \
LIBS="-L/usr/X11R6/lib/ -lmm -Wl,-R/usr/kerberos/lib `pwd`/spnegohelp/libspnegohelp.a -L/usr/kerberos/lib -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err" \
SSL_BASE="SYSTEM" \
./configure \
"--with-layout=Apache" \
"--prefix=/srv/www" \
"--bindir=/usr/bin" \
"--sbindir=/usr/sbin" \
"--datadir=/srv/www" \
"--sysconfdir=/etc/httpd" \
"--mandir=/usr/share/man" \
"--logfiledir=/var/log/httpd" \
"--localstatedir=/var/lib" \
"--runtimedir=/var/run" \
"--libexecdir=/usr/lib/apache" \
"--proxycachedir=/var/cache/http" \
"--includedir=/usr/include/apache" \
"--enable-module=all" \
"--disable-module=example" \
"--enable-module=ssl" \
"--enable-shared=max" \
"--with-perl=/usr/bin/perl" \
"--disable-rule=WANTHSREGEX" \
"--enable-rule=EAPI" \
"--server-uid=wwwrun" \
"--server-gid=nogroup" \
"--enable-suexec" \
"--suexec-caller=wwwrun" \
"--suexec-userdir=public_html" \
"--suexec-uidmin=96" \
"--suexec-gidmin=96" \
"--suexec-safepath=/bin:/usr/bin" \
"--suexec-logfile=/var/log/httpd/suexec.log" \
"--without-confadjust" \
"--activate-module=src/modules/extra/mod_auth_gss_krb5.c"


or, on Solaris 2.8:

CFLAGS="-g" \
LDFLAGS="-g" \
INCLUDES="-I/usr/kerberos/include" \
OPTIM="-O2 -DEAPI -fPIC -D_LARGEFILE_SOURCE -DHARD_SERVER_LIMIT=2048 -DDYNAMIC_MODULE_LIMIT=128 " \
LIBS="-R/usr/kerberos/lib `pwd`/spnegohelp/libspnegohelp.a -L/usr/kerberos/lib -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err" \
SSL_BASE="SYSTEM" \
./configure \
"--with-layout=Apache" \
"--prefix=/usr/apache" \
"--bindir=/usr/bin" \
"--sbindir=/usr/sbin" \
"--datadir=/usr/apache" \
"--sysconfdir=/etc/apache" \
"--mandir=/usr/share/man" \
"--logfiledir=/var/apache/logs" \
"--localstatedir=/var/apache/lib" \
"--runtimedir=/var/run" \
"--libexecdir=/usr/apache/libexec" \
"--proxycachedir=/var/apache/cache" \
"--includedir=/usr/apache/include" \
"--enable-module=all" \
"--disable-module=example" \
"--enable-module=ssl" \
"--enable-shared=max" \
"--with-perl=/usr/bin/perl" \
"--disable-rule=WANTHSREGEX" \
"--enable-rule=EAPI" \
"--server-uid=wwwrun" \
"--server-gid=nogroup" \
"--enable-suexec" \
"--suexec-caller=wwwrun" \
"--suexec-userdir=public_html" \
"--suexec-uidmin=96" \
"--suexec-gidmin=96" \
"--suexec-safepath=/bin:/usr/bin" \
"--suexec-logfile=/var/apache/logs/suexec.log" \
"--without-confadjust" \
"--activate-module=src/modules/extra/mod_auth_gss_krb5.c"

The httpd.conf should contain something like:
.
.
.
AddModule mod_auth_gss_krb5.c
#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/srv/www/htdocs">

           GssKrb5Keytab "/etc/httpd/HTTP.keytab"
           Krb5Keytab "/etc/httpd/HTTP.keytab"
           GssKrb5ServicePrincipals http HTTP khttp
           GssKrb5AuthRealms REALM.COM
           KrbAuthRealm REALM.COM
           Krb5SaveCredentials Off
           AuthType KerberosV5
           GssAuth On
           AuthName "KRB5 REALM.COM"
           require valid-user

.
.
.



HTTP.keytab must contain a service key for HTTP/hostname@REALM.COM (readable by the Apache run user, e.g. wwwrun), and optionally also for http/hostname@REALM.COM and/or khttp/hostname@REALM.COM to support different browsers.
Because Microsoft clients do not always preserve the case of the service name, some browsers (the Mac browser, for example) send a ticket for the lowercase http service. To create the http/hostname@REALM.COM service principal you have to copy the HTTP/hostname@REALM.COM entry within the keytab (as far as I know you cannot have both an HTTP and an http service principal in AD for the same server).

First list the keytab file (I am assuming you use MIT Kerberos):

# klist -k -e -K -t /etc/httpd/HTTP.keytab
Keytab name: FILE:/etc/httpd/HTTP.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 11/29/04 11:42:25 HTTP/moelma.test.com@TEST.COM (ArcFour with HMAC/md5) (0x0d41ede68082fc5b8611dc5da75b5d4f)

Then run ktutil with the following commands:
# ktutil
ktutil: addent -key -p http/moelma.test.com@TEST.COM -k 1 -e rc4-hmac
Key for http/moelma.test.com@TEST.COM (hex): 0d41ede68082fc5b8611dc5da75b5d4f
ktutil: wkt /etc/httpd/HTTP.keytab
ktutil: quit

Use the same kvno and enctype as the HTTP entry. This adds a second entry (with the service name http) to the keytab, carrying the same key as the HTTP service.
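The same duplication can be done without ktutil by rewriting the keytab file directly. The script below is an added example (not part of this module) that parses the format-version-2 keytab file MIT Kerberos writes, copies every HTTP/host@REALM entry to http/host@REALM with the identical key, kvno and enctype, and leaves existing entries untouched; the sample keytab it builds is constructed from the HTTP entry in the listing above, with a made-up timestamp.

```python
import struct
from collections import namedtuple

KT_VERSION, NT_PRINCIPAL, ENC_RC4_HMAC = 0x0502, 1, 23   # keytab v2 magic; KRB5_NT_PRINCIPAL; rc4-hmac
KeytabEntry = namedtuple("KeytabEntry", "components realm name_type timestamp kvno enctype key")
principal = lambda e: "/".join(e.components) + "@" + e.realm   # e.g. "HTTP/host@REALM"
_cos = lambda b: struct.pack(">H", len(b)) + b                 # counted_octet_string: uint16 length + bytes

def encode_entry(e):
    body = struct.pack(">H", len(e.components)) + _cos(e.realm.encode())
    body += b"".join(_cos(c.encode()) for c in e.components)
    body += struct.pack(">IIBH", e.name_type, e.timestamp, e.kvno & 0xFF, e.enctype)
    body += _cos(e.key) + struct.pack(">I", e.kvno)   # 32-bit kvno trailer, as MIT writes it
    return struct.pack(">i", len(body)) + body        # int32 size prefix; negative size = hole

def encode_keytab(entries):
    return struct.pack(">H", KT_VERSION) + b"".join(map(encode_entry, entries))

def decode_keytab(data):
    assert struct.unpack(">H", data[:2])[0] == KT_VERSION, "unsupported keytab version"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]; pos += 4
        if size < 0:                 # deleted entry (hole left by ktutil delent): skip it
            pos -= size; continue
        end = pos + size
        def cos():                   # next counted_octet_string, advancing pos
            nonlocal pos
            n = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2 + n
            return data[pos - n:pos]
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        realm = cos().decode()
        comps = [cos().decode() for _ in range(ncomp)]
        name_type, ts, vno8, enctype = struct.unpack(">IIBH", data[pos:pos + 11]); pos += 11
        key = cos()
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(KeytabEntry(comps, realm, name_type, ts, kvno, enctype, key))
        pos = end
    return entries

def add_service_alias(data, service="HTTP", alias="http"):
    """Copy each service/host@REALM entry to alias/host@REALM, keeping key, kvno and enctype."""
    entries = decode_keytab(data)
    extra = [e._replace(components=[alias] + e.components[1:]) for e in entries if e.components[0] == service]
    have = {principal(e) for e in entries}   # skip aliases that already exist (safe to re-run)
    return encode_keytab(entries + [e for e in extra if principal(e) not in have])

# Constructed sample keytab: the HTTP entry from the klist listing above (timestamp is made up).
SAMPLE = encode_keytab([KeytabEntry(["HTTP", "moelma.test.com"], "TEST.COM", NT_PRINCIPAL,
                        1101728545, 1, ENC_RC4_HMAC, bytes.fromhex("0d41ede68082fc5b8611dc5da75b5d4f"))])
```

To apply it to a real file, read /etc/httpd/HTTP.keytab as bytes, pass it to add_service_alias(), write the result back with the same restrictive permissions, and verify with klist -k as above.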


It was tested with IE 6.0, Firefox 1.0.x on Windows XP, Firefox 1.0.x on Linux, Apache 1.3.26 on SuSE Linux 8.x and Solaris 2.8, MIT Kerberos 1.2.4 and a Windows 2000 KDC.

Version 0.0.4 also accepts Firefox/Mozilla clients that send the Kerberos token without SPNEGO wrapping.

A virtual server setup could look like:
#
# Use name-based virtual hosting.
#
NameVirtualHost *

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost *>
    ServerAdmin webmaster@www.realm1.com
    DocumentRoot "/srv/www/htdocs/domain1"
    ServerName www.realm1.com
    ErrorLog /var/log/httpd/error_log_realm1
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog /var/log/httpd/access_log_realm1 common
</VirtualHost>
<VirtualHost *>
    ServerAdmin webmaster@www.realm2.com
    DocumentRoot "/srv/www/htdocs/domain2"
    ServerName www.realm2.com
    ErrorLog /var/log/httpd/error_log_realm2
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog /var/log/httpd/access_log_realm2 common
</VirtualHost>

<Directory "/srv/www/htdocs/domain1">
           GssKrb5Keytab "/etc/httpd/HTTP-REALM1.keytab"
           Krb5Keytab "/etc/httpd/HTTP-REALM1.keytab"
           GssKrb5AuthRealms REALM1.COM
           KrbAuthRealm REALM1.COM
           Krb5SaveCredentials Off
           GssAuth On
           AuthType KerberosV5
           GssKrb5ServicePrincipals http HTTP khttp
           AuthName "KRB5 REALM1.COM"
           require valid-user
.
.
.
.
.
</Directory>
<Directory "/srv/www/htdocs/domain2">
           GssKrb5Keytab "/etc/httpd/HTTP-REALM2.keytab"
           Krb5Keytab "/etc/httpd/HTTP-REALM2.keytab"
           GssKrb5AuthRealms REALM2.COM
           KrbAuthRealm REALM2.COM
           Krb5SaveCredentials Off
           GssAuth On
           AuthType KerberosV5
           GssKrb5ServicePrincipals http HTTP khttp
           AuthName "KRB5 REALM2.COM"
           require valid-user
.
.
.
.
.
</Directory>


Markus 
