lighttpd is configured dynamically and loaded with only its mod_dav module, creating a persistent WebDAV server per user, each running inside that user's own AFS PAG, on successively allocated free localhost TCP ports.

Apache uses mod_rewrite to process requests in the following manner:

  1. read the authentication tokens and pipe them to a rewrite map program (written in Python), which:
    1. verifies the principal and password
    2. if no lighttpd instance is running for this user, configures one and allocates a port for subsequent requests
  2. proxy the authenticated user's request to that port on localhost

Authentication Details

  1. mod_auth_kerb attempts to authenticate the user with Negotiate (SPNEGO)
  2. otherwise the client sends Basic authentication headers (Digest is not necessary over SSL)
    1. save a SHA1 of the credentials for verifying access to the port on subsequent requests
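The rewrite map program from steps 1 and 1.1 above, together with the SHA1 check from the authentication details, as an added example (not the gateway's own code): it speaks Apache's `RewriteMap prg:` protocol (one key per stdin line, one answer per stdout line, `NULL` for no mapping), assumes the key is the base64 payload of the Basic Authorization header, stubs the principal/password check with a constructed sample user, and allocates a free localhost port where the real gateway would start lighttpd.

```python
import base64
import hashlib
import hmac
import socket
import sys

# principal -> (SHA1 of the accepted Basic token, allocated localhost port)
SESSIONS = {}

# Assumed hook: a real gateway would verify the principal and password
# against the KDC here. The sample principal is constructed for this example.
SAMPLE_USERS = {"alice@EXAMPLE.ORG": "correct-horse"}


def basic_token(principal, password):
    # Build the base64 payload of a Basic Authorization header.
    return base64.b64encode(("%s:%s" % (principal, password)).encode()).decode()


def verify_principal(principal, password):
    expected = SAMPLE_USERS.get(principal, "").encode()
    return hmac.compare_digest(expected, password.encode())


def free_localhost_port():
    """Ask the kernel for a currently free TCP port on 127.0.0.1."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def lookup(key):
    """Map one Basic token (the RewriteMap key) to 'host:port' or 'NULL'."""
    try:
        principal, password = base64.b64decode(key).decode().split(":", 1)
    except ValueError:
        return "NULL"                       # malformed token: no mapping
    digest = hashlib.sha1(key.encode()).hexdigest()
    cached = SESSIONS.get(principal)
    if cached is not None:
        # Subsequent request: the saved SHA1 gates access to the user's port.
        ok = hmac.compare_digest(cached[0], digest)
        return "127.0.0.1:%d" % cached[1] if ok else "NULL"
    if not verify_principal(principal, password):
        return "NULL"
    port = free_localhost_port()            # the real gateway starts lighttpd
    SESSIONS[principal] = (digest, port)    # in a fresh AFS PAG on this port
    return "127.0.0.1:%d" % port


if __name__ == "__main__":
    for line in sys.stdin:                  # Apache keeps the pipe open
        sys.stdout.write(lookup(line.strip()) + "\n")
        sys.stdout.flush()
```

Wired up with `RewriteMap davmap prg:/path/to/this.py` and a `RewriteRule` that looks up the Basic token and proxies to the returned `host:port`, a wrong password on a later request is refused without touching the KDC, because the cached SHA1 no longer matches.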

Many clients will negotiate (SPNEGO) but will not delegate tickets. This renders Kerberos authentication useless for this model, because the gateway is unprivileged: tickets must be delegated to the server so that it can request AFS tokens on behalf of the user's principal.

This server keeps a cache of Negotiate attempts and stops advertising SPNEGO to a client for 5 minutes after 3 failed attempts. This gives a much better experience to clients that never fall back to Basic HTTP authentication on their own.

  • Firefox
    • Negotiate+Delegation works
    • configure 'network.negotiate-auth.trusted-uris' and 'network.negotiate-auth.delegation-uris' in <about:config>
    • no known issues (tested 2.0)
  • Mac OS X Finder
    • Connect to Server (Cmd-K)
    • mount_webdav does not delegate tickets
    • no known issues (tested 10.4)
  • cadaver
    • no known issues (tested 0.22.3)
  • Microsoft Web Folders
    • MIT Network Identity Manager does not delegate tickets (disable SPNEGO by UserAgent)
    • no known issues (tested XP)