I'm trying to set up Kerberos SSO with Apache (mod_auth_gssapi) and Symfony (7.4.12) on Debian (12).
My Configuration:
Apache 2.4
mod_auth_gssapi
HTTPS enabled
Google Chrome on Windows clients
Kerberos realm configured correctly
Service principal:
HTTP/domain.com@REALM.LOCALKeytab loaded successfully (
klist -kshows the principal)REMOTE_USERis passed correctly to Symfony when authentication succeeds
Current Apache configuration:
Kerberos authentication itself appears to work correctly.
When Chrome displays the Windows credentials popup and the user enters their domain credentials, authentication succeeds, Apache recognizes the user, REMOTE_USER is populated correctly, and Symfony logs the user in as expected.
However, this is not the behavior I want.
My goal is:
If the user is logged into Windows with a valid domain account, Chrome should perform transparent Kerberos SSO automatically.
If the user is not logged into Windows with a valid domain account (or Kerberos cannot be used), I want Apache to immediately return a custom 401 page.
I do not want Chrome to display a credentials popup and allow manual authentication.
Checks already performed:
DNS resolves correctly
HTTPS certificate is valid
SPN exists in Active Directory
Keytab contains the correct principal
Apache reloads without errors
Kerberos authentication works after manual credential entry
Questions:
Why is Chrome displaying a credentials popup instead of performing transparent Kerberos authentication?
Is it possible to completely disable manual credential prompts and only allow automatic Kerberos SSO?
If Kerberos negotiation fails, how can I force Apache to return a 401 page instead of prompting for credentials?
Are there specific Chrome policies or Apache/mod_auth_gssapi settings required for this behavior?
How can I verify whether Chrome is actually attempting Kerberos authentication before showing the popup?
Any help would be appreciated. TY