Had an interesting behavior on one of our Apache servers in the last few days. It serves our Subversion (SVN) repositories and everything worked fine until our Apache upgrade from 2.4. Some of our clients, to be precise the ones using Windows and/or TortoiseSVN and accessing our server with PuTTY through our SSH gateway, got a 500 Internal Server Error. All other Windows and Linux clients worked fine with Kerberos or Basic authentication.
Okay, having a look at the Apache logs revealed the following line for each failed request:
[* * * *:*:*.* *] [authn_core:error] [pid *] [client *.*.*:*] AH01796: AuthType VAS4 configured without corresponding module
Huh? Asking the Apache process for all loaded modules showed this:
$> apachectl -M | grep -i vas
auth_vas4_module (shared)
Hmm? The module exists and is loaded, but that error still gets logged?
After digging through the source of the Apache core modules and finding the line that produces this error message, you can see that the VAS4 authentication module's function registered for that core hook is in fact executed. It fails, however, because of an invalid authentication request, which in turn causes Apache to log the aforementioned (and in this case somewhat misleading) line from the hook.
But the module's documentation revealed some interesting options for exactly this case! The whole Internal Server Error issue is caused by Windows clients that try NTLM authentication instead of falling back to Basic authentication when they see a WWW-Authenticate: Negotiate header in the server's reply.
Now there's this nifty option called AuthVasUseNegotiate, which enables that header for the specified subnets only. In my case I just need to exclude a single IP (our SSH gateway), so that all clients coming from that gateway IP won't see the header anymore. Instead of leaving out a whole subnet (which would deny all other hosts in that subnet the use of Kerberos), I split it up into smaller subnets and simply omit the declaration covering the single host. Take as an example a Class C network of 254 usable hosts, with 192.168.1.2 as the IP of the host we want to exclude; the Apache VAS4 configuration option would then look like this:
<IfModule mod_auth_vas4.c>
    AuthVasUseNegotiate 192.168.1.128/25 192.168.1.64/26 192.168.1.32/27 192.168.1.16/28 192.168.1.8/29 192.168.1.4/30 192.168.1.0/31 192.168.1.3/32
</IfModule>
Clients that got the Internal Server Error before will now see the username/password prompt for Basic authentication, and all others won't notice any difference.
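Carving the subnet by hand is easy to get wrong (one overlapping or missing block silently changes who gets the Negotiate header). The following is an added Python example, not code from the original post or from mod_auth_vas4; it uses only the standard library's ipaddress module (Python 3.7+), generalises the split to any number of excluded hosts, and verifies the result before you paste it into the config.

```python
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def carve_out(network: str, excluded: Iterable[str]) -> List[Net]:
    """CIDR blocks covering `network` minus the excluded hosts.

    Generalises the manual split in the post: each excluded host is
    punched out of whichever block still contains it, so several
    hosts (e.g. two gateways) can be excluded at once.
    """
    remaining: List[Net] = [ipaddress.ip_network(network)]
    for host in excluded:
        target = ipaddress.ip_network(host)  # "a.b.c.d" becomes a /32
        carved: List[Net] = []
        for block in remaining:
            if target.subnet_of(block):
                # address_exclude yields the sibling blocks on the path
                # from `block` down to `target`: the /25, /26, ... /32
                carved.extend(block.address_exclude(target))
            else:
                carved.append(block)
        remaining = carved
    return remaining


def directive(blocks: Iterable[Net]) -> str:
    """Render the blocks as an AuthVasUseNegotiate line for mod_auth_vas4."""
    return "AuthVasUseNegotiate " + " ".join(str(b) for b in blocks)


def covers_exactly(network: str, excluded: Iterable[str], blocks: List[Net]) -> bool:
    """Check before deploying: every address of the network matches exactly
    one block, except the excluded hosts, which must match none."""
    skip = {ipaddress.ip_network(h).network_address for h in excluded}
    for addr in ipaddress.ip_network(network):
        hits = sum(addr in b for b in blocks)
        if hits != (0 if addr in skip else 1):
            return False
    return True


if __name__ == "__main__":
    # Constructed input: the post's /24 with the SSH gateway at .2 removed.
    blocks = carve_out("192.168.1.0/24", ["192.168.1.2"])
    print(directive(blocks))
    print("coverage ok:", covers_exactly("192.168.1.0/24", ["192.168.1.2"], blocks))
```

For the post's case this reproduces exactly the eight blocks shown above; the 192.168.1.0/31 block also contains the network address .0, which is harmless for matching clients.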