Fallback auth #324

@Jupsi

Hi,
I know this issue was already opened several times, but I have been trying for several days now and can't get it to work.

As already suggested, I created a single sign-on route which only tries to do the krb5 authentication and have a fallback login route for manual login via PHP.

The web application is built with Laravel Livewire.

The web server is Ubuntu 22.04 and the DC is Windows Server with Active Directory.
My Apache Config looks like this:
Site Config:
```
<Directory /var/www/html/workflow2/public>
    #.htaccess
    AllowOverride All
    #LDAP
    Include /etc/apache2/conf-available/ldap.conf
    #Sessions
    Include /etc/apache2/conf-available/sessions.conf
    #GssApi
    Include /etc/apache2/conf-available/gssapi.conf
    #Set Keytab File
    GssapiCredStore keytab:/etc/sr-webjs-01.keytab
</Directory>
LogLevel info auth_gssapi:debug
```
gssapi Config:
```
#GSSAPI Config
GssapiConnectionBound On
GssapiUseSessions On
AuthType GSSAPI
GssapiBasicAuth Off
GssapiPublishMech On
GssapiAllowedMech krb5
GssapiLocalName On
AuthName ""
```

Session Config:
```
<IfModule mod_session.c>
    Session on
</IfModule>
<IfModule mod_session_cookie.c>
    SessionCookieName gssapi_session path=/;httponly;secure;
</IfModule>
```
.htaccess:
```
GssapiConnectionBound Off

Options -MultiViews -Indexes

RewriteEngine On

# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Send Requests To Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]

<If "'%{REQUEST_URI}' =~ m#/?sso(/.*)?#">
    GssapiNegotiateOnce On
    SessionCookieName gssapi_session path=/sso;httponly;secure;
    require valid-user
    ErrorDocument 401 /login
</If>
```

When I enable GssapiNegotiateOnce, my Apache logs the following errors:

```
[Wed Jan 22 14:45:04.389423 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(904): [client 10.10.10.15:53315] URI: /sso, no main, no prev, referer:
[Wed Jan 22 14:45:04.389519 2025] [auth_gssapi:info] [pid 2935162] [client 10.10.10.15:53315] NO AUTH DATA Client did not send any authentication headers, referer:
[Wed Jan 22 14:45:04.389597 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
[Wed Jan 22 14:45:04.389661 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
[Wed Jan 22 14:45:04.497157 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(904): [client 10.10.10.15:53315] URI: /sso, no main, no prev, referer:
[Wed Jan 22 14:45:04.497579 2025] [auth_gssapi:error] [pid 2935162] [client 10.10.10.15:53315] INTERNAL ERROR Mechanism needs continuation but neither GssapiConnectionBound nor GssapiUseSessions are configured, referer:
[Wed Jan 22 14:45:04.497662 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
[Wed Jan 22 14:45:04.497751 2025] [auth_gssapi:debug] [pid 2935162] mod_auth_gssapi.c(737): [client 10.10.10.15:53315] GSSapiImpersonate not On, skipping impersonation., referer:
```
As soon as I set GssapiNegotiateOnce to Off, SSO works like a charm.
I want to achieve SSO / guest access but without the browser auth popup - so if no SSO is available, it should fall back to /login without any popups.

Kind regards
