Hi list!
I've successfully configured Kerberos Single Sign On with Apache 2.2 and mod_auth_kerb on Linux and Microsoft Active Directory with OTRS HTTPBasicAuth.
It works fine - our customers / agents don't have to log on manually; they get authenticated automagically by Internet Explorer. Only the agents have to be created beforehand in the OTRS system; customer attributes are synchronized via LDAP. Feel free to ask me if you have more questions about this configuration...
A problem was that the username is passed as "USERNAME@DOMAIN.COM" from the mod_auth_kerb module.
So when a customer is authenticated as CUSTOMER@DOMAIN.COM and you want to use samAccountName as customer-id, you have to cut off the @DOMAIN.COM from the username. Instead of using samAccountName as the customer-id mapping you can also use "userPrincipalName", which would be in the USERNAME@DOMAIN.COM format.
For some strange reasons we have to use samAccountName, and we can set:
$Self->{'AuthModule::HTTPBasicAuth::Replace'} ='@DOMAIN.COM';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} ='@DOMAIN.COM';
But in the code it looks like this:
--HTTPBasicAuth.pm--
Line 77: $User =~ s/^\Q$Replace\E//;
IMHO it should look like this:
$User =~ s/\Q$Replace\E//i;
( without the ^ - Match the beginning of the line )
because the username/domain format can vary depending on the web server module used, e.g. modntlm or mod_auth_kerb:
NTLM: domain.com\username
Kerberos: username@domain.com
more?...
Maybe it is worth changing it in the code?
thanks/greets
jakob
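
The two substitutions quoted in the message above, run on constructed usernames in both formats it lists, next to a stricter format-aware variant. This is an added example, not part of the original message and not OTRS code; normalize_user and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: compares the two substitutions from the post
# and a stricter, format-aware variant on constructed username values.
use strict;
use warnings;

my $Replace = '@DOMAIN.COM';    # the ...HTTPBasicAuth::Replace value from the post

# Line 77 as quoted in the post: strips $Replace only at the start of the string.
sub strip_anchored {
    my ($User) = @_;
    $User =~ s/^\Q$Replace\E//;
    return $User;
}

# The change proposed in the post: strips the first occurrence anywhere, ignoring case.
sub strip_anywhere {
    my ($User) = @_;
    $User =~ s/\Q$Replace\E//i;
    return $User;
}

# Hypothetical stricter helper: accept only the expected realm/domain, in the
# position each module puts it, and return undef for anything else.
sub normalize_user {
    my ($User, $Realm) = @_;    # $Realm without '@', e.g. 'DOMAIN.COM'
    return $1 if $User =~ /\A([^\@\\]+)\@\Q$Realm\E\z/i;    # Kerberos: user@REALM
    return $1 if $User =~ /\A\Q$Realm\E\\([^\@\\]+)\z/i;    # NTLM: DOMAIN\user
    return;
}

# Constructed sample values: the two formats named in the post plus a foreign realm.
for my $In ('CUSTOMER@DOMAIN.COM', 'domain.com\\customer', 'customer@OTHER.EXAMPLE') {
    my $Strict = normalize_user($In, 'DOMAIN.COM');
    printf "%-24s anchored=%-22s anywhere=%-22s strict=%s\n",
        $In, strip_anchored($In), strip_anywhere($In), $Strict // '(rejected)';
}
```

A single Replace string covers only one of the two formats, so the NTLM-style value passes through both substitutions unchanged; the stricter helper handles both and refuses usernames from any other realm instead of passing them on as-is.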