Description
Hi,
Following discussion #268 I would like to please ask for an enhancement to provide a method by which the session cookie could possibly retain a timestamp, so that the GSSAPI module can differentiate a return request without the Authorization: Negotiate header and subsequently respond with a 302 redirect to a basic auth URL.
I'm essentially asking for something along the lines of GssapiAuthoritative, which would work similarly to how I understand the KrbAuthAuthoritative function in mod_auth_kerb to work.
We are hoping to achieve having fully transparent and automated Kerberos authentication whilst providing a fall-through basic auth method of authenticating 3rd parties using the basic auth module with AuthUserFile.
The same discussion thread referenced above contains a sample Apache 2.4 configuration for requiring authentication to a reverse proxy resource and works with Chrome on Android, Safari on iOS and Firefox on Windows. Chromium-based browsers on a domain-joined workstation, however, do not honour the 401 metadata refresh redirect method.
Regards
David Herselman