RapidIdentity Product Guide

Kerberos

If the API is being invoked from a browser, the first step in the process should be to attempt Kerberos SSO. The following request should be issued:

GET /idp/ws/rest/authn/krb HTTP/1.1
Accept: application/json

If Kerberos authentication is successful, the server returns a status of 200 and the response body contains the JSON data for the next authentication step to perform. In the event that Kerberos is the only authentication method required for the user, the next step will be of type complete, which indicates that no further authentication steps are required.

If Kerberos authentication is successful, the username of the user is already known, so a username prompt is not required to initiate the RapidFederation authentication process.

If any status other than 200 is returned, Kerberos authentication failed and the authentication process should proceed with the Initialization step.

Manual Authentication

An internal engineering ticket was opened to address an issue with automatic Kerberos processing, and as a result the Kerberos behaviour has been adjusted slightly. The Kerberos Configuration now includes an option that allows an admin to toggle "Automatic Kerberos Processing". From the server's point of view, when automatic processing is turned off every Kerberos request made at the very beginning of the process fails automatically; however, the response from the normal init call at /idp/ws/rest/authn/ then carries a new allowKerberos flag set to true. This tells the client that manual Kerberos authentication is enabled and that the user should be offered the option to use it. A manual Kerberos request is exactly the same as the automatic one except that the request parameter requested must be present with the value true.

GET /idp/ws/rest/authn/krb?requested=true HTTP/1.1
Accept: application/json

Everything else about the response will be the same as with automatic processing.
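The following is an added example, not client code from RapidIdentity or the RapidFederation product: a fetch-based browser client that walks the whole Kerberos portion of the flow described above (automatic attempt, fall back to the init call, optional manual attempt when allowKerberos is set). The endpoints are the ones named in this guide. The JSON shapes are assumptions made for the demo: a step object with a type field (where the value complete means no further steps), an init response with an allowKerberos boolean, and a userWantsKerberos UI hook. The mock fetch at the bottom is constructed so the flow can be run offline without a server.

```javascript
// Added example, not RapidIdentity's own client code: a fetch-based browser client
// that walks the Kerberos portion of the RapidFederation authentication flow
// (automatic attempt, fall back to init, optional manual attempt).
//
// Endpoints are the ones named in the guide. The JSON shapes are assumptions for
// this demo: a step object carrying a "type" field (with "complete" meaning no
// further steps) and an init response carrying "allowKerberos".

const KRB_URL = '/idp/ws/rest/authn/krb';
const INIT_URL = '/idp/ws/rest/authn/';

const JSON_HEADERS = { Accept: 'application/json' };

// Issue the Kerberos request. With requested=true this is the manual form;
// otherwise it is the automatic attempt made at the very beginning of the flow.
// Resolves to the next-step JSON on HTTP 200 and to null on any other status,
// which the guide defines as "Kerberos authentication failed".
async function tryKerberos(fetchImpl, requested = false) {
  const url = requested ? `${KRB_URL}?requested=true` : KRB_URL;
  const resp = await fetchImpl(url, {
    method: 'GET',
    headers: JSON_HEADERS,
    credentials: 'include', // let the browser negotiate with its Kerberos ticket
    cache: 'no-store',      // never reuse a cached SSO result
  });
  if (resp.status !== 200) return null;
  return resp.json();
}

// Decision procedure for the start of authentication from a browser.
// userWantsKerberos is an assumed UI hook, consulted only when the server
// reports allowKerberos; it returns true if the user chose manual Kerberos.
async function startAuthentication(fetchImpl, userWantsKerberos = () => false) {
  // 1. Automatic Kerberos SSO first.
  const auto = await tryKerberos(fetchImpl, false);
  if (auto !== null) {
    return { via: 'kerberos-auto', step: auto, done: auto.type === 'complete' };
  }

  // 2. Any non-200 status: proceed with the Initialization step.
  const initResp = await fetchImpl(INIT_URL, {
    method: 'GET', headers: JSON_HEADERS, credentials: 'include',
  });
  if (initResp.status !== 200) {
    throw new Error(`init failed with HTTP ${initResp.status}`);
  }
  const init = await initResp.json();

  // 3. allowKerberos === true means automatic processing is switched off on the
  //    server but the user may explicitly request Kerberos.
  if (init.allowKerberos === true && userWantsKerberos()) {
    const manual = await tryKerberos(fetchImpl, true);
    if (manual !== null) {
      return { via: 'kerberos-manual', step: manual, done: manual.type === 'complete' };
    }
  }

  // 4. Otherwise continue with the (username-prompting) flow that init returned.
  return { via: 'init', step: init, done: false };
}

// Constructed mock of fetch() so the flow can be exercised offline. `mode`
// selects the simulated server behaviour:
//   'auto-ok'     automatic processing on, browser holds a valid ticket
//   'manual-only' automatic processing off (init reports allowKerberos: true)
//   'no-krb'      Kerberos never succeeds and is not offered
function makeMockFetch(mode) {
  const reply = (status, body) => ({ status, json: async () => body });
  return async (url) => {
    if (url.startsWith(KRB_URL)) { // test before INIT_URL, which is a prefix of it
      const manual = url.includes('requested=true');
      if (mode === 'auto-ok' && !manual) return reply(200, { type: 'complete' });
      if (mode === 'manual-only' && manual) return reply(200, { type: 'complete' });
      return reply(401, {}); // any non-200 status counts as a Kerberos failure
    }
    if (url.startsWith(INIT_URL)) {
      return reply(200, { type: 'username', allowKerberos: mode === 'manual-only' });
    }
    return reply(404, {});
  };
}

// Stand-alone demo against the mock (in a page, pass window.fetch instead).
if (typeof window === 'undefined') {
  startAuthentication(makeMockFetch('manual-only'), () => true)
    .then((r) => console.log(JSON.stringify(r)));
}
```

In a real page, call startAuthentication(window.fetch) and branch the UI on the returned via and done fields; the manual attempt is only made when init reports allowKerberos and the user actually asked for it, so a user without a ticket is not sent to a request that is guaranteed to fail.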

As an Authentication Method

If the Kerberos authentication method is enabled for a given policy, Kerberos authentication must have completed successfully, otherwise authentication automatically fails.

As an Authentication Policy Criteria

If the Kerberos criterion is enabled for a given policy, only users who have successfully completed Kerberos authentication are eligible for that policy.

Example Javascript

This example demonstrates how to attempt Kerberos authentication against RapidFederation using jQuery.

<script>
  $.ajax({
    type: 'GET',
    url: '/idp/ws/rest/authn/krb',
    dataType: 'json',        // sends Accept: application/json
    cache: false,            // do not reuse a cached SSO result
    async: true,
    xhrFields: {
      withCredentials: true  // let the browser send its Kerberos credentials
    }
  }).done(function(data) {
    // Kerberos succeeded: data is the JSON object for the next authentication step
  }).fail(function() {
    // Kerberos failed: call /idp/ws/rest/authn/ to get the first step
  });
</script>