Apache Kerberos Authentication and basic authentication fallback
This post is more than 10 years old. I do not delete posts, because even old information is still useful, but please know that some material on this page may be outdated or incorrect. Thanks!
Many businesses and organizations use Active Directory or other LDAP-based authentication systems, and many web applications (like Drupal) can easily integrate with them for authentication and user account provisioning.
The Kerberos Module for Apache allows users to be automatically logged into your web application, by passing through their credentials behind the scenes. This makes for a seamless user experience—the user never needs to log into your web application if the user is authenticated on his local machine.
A standard configuration for Kerberos authentication inside your Apache configuration file looks like:
<Directory "/path/to/site/root">
# By default, allow access to anyone.
Order allow,deny
Allow from All
# Enable Kerberos authentication using mod_auth_kerb.
AuthType Kerberos
AuthName "Your Web Application"
KrbAuthRealm example.com
Krb5KeyTab "/path/to/krb5.keytab"
KrbMethodNegotiate on
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName Any
Require valid-user
</Directory>
However, if you use this configuration, users who aren't authenticated via Kerberos will be prompted to log in using basic authentication by their browser:

This browser-based auth dialog is not very user-friendly, and can't contain any branding or other information besides the string you define as the AuthName. Your web application probably has it's own login screen that looks nicer, allows users to manage passwords like they do with other websites, and already integrates with LDAP/AD behind the scenes.
So, to disable/ignore the basic authentication when automatic Kerberos authentication fails, you need to modify your config to be like the following:
<Directory "/path/to/site/root">
# By default, allow access to anyone.
Order allow,deny
Allow from All
# Require authentication for internal private network users.
Deny from 10.0.0.0/8
# Enable Kerberos authentication using mod_auth_kerb.
AuthType Kerberos
AuthName "Your Web Application"
KrbAuthRealm example.com
Krb5KeyTab "/path/to/krb5.keytab"
KrbMethodNegotiate on
KrbSaveCredentials on
KrbVerifyKDC on
KrbServiceName Any
Require valid-user
Satisfy Any
</Directory>
Removing Require valid-user and adding Satisfy Any tells Apache to still attempt Kerberos authentication, but if that fails, allow access anyways. Then your web application can take care of the authentication using it's own screen/mechanism.
Read more:
Comments