Had an interesting behavior on one of our Apache servers over the last few days. It serves our Subversion (SVN) repositories and all was fine until our Apache upgrade from 2.4. Some of our clients, to be precise the ones using Windows and/or TortoiseSVN and accessing our server with PuTTY through our SSH gateway, got a 500 Internal Server Error. All other Windows and Linux clients did fine with Kerberos or Basic authentication. Okay, having a look at the Apache logs revealed the following line for each failed request:
[* * * *:*:*.* *] [authn_core:error] [pid *] [client *.*.*:*] AH01796: AuthType VAS4 configured without corresponding module
Huh? Asking the Apache process which modules are loaded showed this:
$> apachectl -M | grep -i vas
auth_vas4_module (shared)
Mmh? The module exists and is loaded, but still that error in the log? After digging through the module's source and finding the lines which create this error message, it becomes clear that the VAS4 authentication module can't handle that type of request. And the module's documentation revealed some interesting options, especially for this case!
The whole internal server error thingy is caused by Windows clients which try NTLM authentication instead of falling back to Basic authentication when they see a WWW-Authenticate: Negotiate header in the server's reply. Now there's this nifty option called AuthVasUseNegotiate which can be used to enable that header for specified subnets only.
In my case I just need to exclude a single IP (our SSH gateway) so that all clients coming from that gateway IP won't see that header anymore. Therefore, instead of leaving out a whole subnet (and denying all other hosts in this subnet the use of Kerberos), I split that subnet up into smaller chunks but leave out the chunk that would contain the single host. Take as an example a class C subnet of 254 hosts like 192.168.1.0/24, with 192.168.1.2 as the IP of the host we want to exclude; the Apache VAS4 configuration option would then look like:
<IfModule mod_auth_vas4.c>
    AuthVasUseNegotiate 192.168.1.128/25 192.168.1.64/26 192.168.1.32/27 192.168.1.16/28 192.168.1.8/29 192.168.1.4/30 192.168.1.0/31 192.168.1.3/32
</IfModule>
Now clients who got their internal server error before will see the username/password prompt for authentication, and all others won't notice any difference.
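Working out that list of CIDR chunks by hand is error-prone, so here is an added example (my own script, not part of the original post or of the VAS4 module) that computes the minimal set of blocks covering a subnet minus one or more excluded hosts and emits the matching AuthVasUseNegotiate line; it generalizes the single-host case above to any network and any number of excluded hosts. The function names are mine; the directive name comes from the post.

```python
# Added example: split a network into the minimal CIDR blocks that cover
# everything except the excluded hosts, then print the AuthVasUseNegotiate
# directive for them. Only the Python standard library is used.
import ipaddress
from typing import Iterable, List


def exclude_hosts(network: str, excluded: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the CIDR blocks of `network` that do not contain any excluded host."""
    remaining = [ipaddress.ip_network(network)]
    for host in excluded:
        victim = ipaddress.ip_network(f"{host}/32")
        next_remaining = []
        for block in remaining:
            if victim.subnet_of(block):
                # address_exclude() yields the sub-blocks of `block` that do not
                # contain `victim`; a block equal to `victim` yields nothing.
                next_remaining.extend(block.address_exclude(victim))
            else:
                next_remaining.append(block)
        remaining = next_remaining
    # Largest blocks first, same ordering as the hand-written directive above.
    return sorted(remaining, key=lambda n: (n.prefixlen, n.network_address))


def is_covered(blocks: List[ipaddress.IPv4Network], host: str) -> bool:
    """True if `host` falls inside any of the given blocks (i.e. still gets Negotiate)."""
    addr = ipaddress.ip_address(host)
    return any(addr in block for block in blocks)


def auth_vas_use_negotiate(network: str, excluded: Iterable[str]) -> str:
    """Build the AuthVasUseNegotiate line for `network` without the excluded hosts."""
    blocks = exclude_hosts(network, excluded)
    return "AuthVasUseNegotiate " + " ".join(str(b) for b in blocks)


if __name__ == "__main__":
    # Constructed sample matching the post: a /24 with the SSH gateway excluded.
    print("<IfModule mod_auth_vas4.c>")
    print("    " + auth_vas_use_negotiate("192.168.1.0/24", ["192.168.1.2"]))
    print("</IfModule>")
```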