Reduce Kerberos load for WebApp

  • Hello,

    Running Kopano 8.6.6 + WebApp 3.4.19 on Apache 2.4. The setup for SSO is completed, e.g. a browser on a joined client can use WebApp.

    WebApp is set up to run on https://<servername>/ using the Alias definition

    Alias / /usr/share/kopano-webapp/

    Some other namespaces (for instance z-push) are aliased before, no problem with them. But now every request into the webapp has to pass the Kerberos validation. For Firefox, this leads to a flood of “unauthenticated - 401 - authenticated - 200” request pairs, and occasionally a 401 is not followed by the 200. (While the app is initializing, there are around 50 such requests per one second). Usually the WebApp in Firefox is then missing some random things (icons etc.) or if a .js is missing it is spinning ‘loading’ forever. Pressing reload (sometimes multiple times) leads to success, WebApp is finally working.

    So my question: Are there some asset prefixes in the URL scheme that can safely be excluded from being handled by mod_auth_kerb? Or the other way round: what is the minimal amount of URLs that definitely MUST be protected by mod_auth_kerb?

    Thanks in advance for any ideas.