Installation and Maintenance
ILIAS settings
To finalize the login configuration, log in to your ILIAS service with an administrator account.
To be prepared for login failure, it is a good idea to keep this session open and valid until the login process works fully, so you will be able to correct any errors. Working with two different browsers or client machines can be very helpful here.
On the Apache login tab, activate Apache authentication, but not the creation of user accounts. Activate the local user mapping.
The indicator field and value for Kerberos negotiation are configured as follows:
- "AUTH_TYPE" as field and "Negotiate" as value
- Use "REMOTE_USER" for the direct assignment of users (you have to activate this!)
Don't forget to save the settings.
Change to the Authentication tab.
Set the default login method to Apache, save, and move Apache to the first position in the ordering of methods. Then save the login ordering.
This works with ILIAS in the standard version (tested with 4.3, 4.4 and 5.0 beta).
Now you can test logins using a second browser or client machine.
If Kerberos negotiation works, clients should have direct access to their desktop when accessing ILIAS via http://ilias.verbund.local/intern from domain member systems. Non-Kerberos clients should be presented with the standard ILIAS login page. If the site is called by its name, the normal login procedures work.
Users who use different login methods (local ILIAS database, RADIUS, etc.) can still log in as usual. To make sure the standard login method for your users is not Apache, don't let Apache create user accounts by itself. Users then must log in by another method and can do so from the ILIAS login page. Combination with LDAP logins currently fails.
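The decision the Apache login settings above describe (trust REMOTE_USER only when the indicator field says Negotiate, map it to a local account, never auto-create), modelled as a small Python function. This is an added example, not ILIAS code; the function and field names, the mapping table and the sample principals are constructed assumptions.

```python
# Constructed model of the ILIAS "Apache authentication" decision.
# NOT ILIAS code: helper names, mapping table and principals are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional

# Indicator settings as configured on the Apache login tab.
INDICATOR_FIELD = "AUTH_TYPE"
INDICATOR_VALUE = "Negotiate"
USER_FIELD = "REMOTE_USER"
CREATE_ACCOUNTS = False  # left off: unknown principals are never auto-created


@dataclass
class LoginDecision:
    user: Optional[str] = None  # local ILIAS login to authenticate as
    fallback: bool = False      # True: show the standard ILIAS login page


def apache_login(server_vars: Dict[str, str],
                 local_users: Dict[str, str]) -> LoginDecision:
    """Map the Apache-authenticated principal to a local ILIAS account.

    server_vars: CGI-style variables as Apache hands them to the application.
    local_users: assumed 'principal -> ILIAS login' table (the local user mapping).
    """
    # Only trust REMOTE_USER when the Kerberos module set the indicator;
    # any other AUTH_TYPE (or none) falls through to the normal login page.
    if server_vars.get(INDICATOR_FIELD) != INDICATOR_VALUE:
        return LoginDecision(fallback=True)
    principal = server_vars.get(USER_FIELD, "")
    if not principal:
        return LoginDecision(fallback=True)
    login = local_users.get(principal)
    if login is None and not CREATE_ACCOUNTS:
        # Unknown principal and no account creation: the user gets the
        # standard login page and can use another method (local DB, RADIUS).
        return LoginDecision(fallback=True)
    return LoginDecision(user=login)
```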
On the client side, it is necessary to configure browsers to use the Kerberos negotiate mechanism:
- For Firefox, enter "about:config" in the address bar, add your site to "network.negotiate-auth.trusted-uris"
- For IE, add your site to the "local intranet" zone.
- For Chrome, use the appropriate command line option (untested)
LDAP communication and Apache as a non-default login method can be achieved with some patches to ILIAS; the current state and patch information can be found in Mantis report #13356. (I have been using these in my production environment since May 2014.)