


Stanford WebAuth

CAUTION: the contents of this page have not been updated since 2014 and may contain inaccurate information about Stanford’s authentication and authorization systems. For information about the future direction of Stanford Authentication, start at


WebAuth is an authentication system for web pages and web applications. The first time a user attempts to access a web page protected by WebAuth, they will be sent to a central login server ( at Stanford) and prompted to authenticate. Normally, they will be asked for a username and password, although other authentication methods are possible. Once the user has logged in, the weblogin server will send their encrypted identity back to the original web page they were trying to access. Their identity will also be stored in a cookie set by the weblogin server and they will not need to authenticate again until their credentials expire, even if they visit multiple protected web sites.

WebAuth works with any browser that supports cookies, requires no agents or other software installed on the client web browser systems, and works with an existing Kerberos v5 authentication realm. It can also be used as the SSO provider for a Shibboleth IdP and supports SPNEGO authentication as well as username/password over TLS/SSL. See the page on WebAuth features for more major features and a brief comparison with other web authentication systems.

If you are a Stanford WebAuth user and are having trouble logging in to WebAuth or just want more information about what's going on, please see the Stanford WebAuth help page. If you are looking for instructions on protecting web pages hosted on the servers, see the Stanford WebAuth guides. To install WebAuth on your own web server, read on.



WebAuth 4.7.0 has been released. This release primarily improves the user information service calls, allowing more than one method to be sent along to be handled. It also adds additional failed login error codes used by recent MIT and Heimdal Kerberos.

See the release announcement for more information.


WebAuth 4.6.1 has been released. This is primarily a bug-fix release, with one Stanford-specific fix for mod_webauth, a build system fix, and various minor bug fixes for the WebLogin and WebKDC components. It also adds FAST support for the WebKDC.

See the release announcement for more information.


WebAuth 4.6.0 has been released. This is a bug-fix and new feature release for mod_webauth and the WebLogin and WebKDC components. The primary new features are support for path-scoped cookies and a remctl-based password change protocol. The primary bug fixes are WebAuthOptional support for Apache 2.4, better keyring handling with the ITK MPM, and locking and preserving of permissions of keyrings across writes.

Be aware that, when upgrading to this release, you will need to change the ownership of the mod_webauth keyring to match the User and Group settings in your Apache configuration.

See the release announcement for more information.


WebAuth 4.5.5 has been released. This is a bug-fix release for the WebLogin and WebKDC components.

See the release announcement for more information.


WebAuth 4.5.4 has been released. This is a bug-fix release for the WebLogin and WebKDC components.

See the release announcement for more information.

For older news, see the separate WebAuth news page.

Obtaining and Installing

WebAuth is provided under a free software license to anyone in the world who wants to use it. We provide support for the WebAuth software to Stanford affiliates, and also maintain the WebAuth infrastructure (the central login server and credential server) for the domain.

Here are instructions for obtaining and installing WebAuth. Please note that since the primary purpose of the WebAuth project is to provide web authentication for Stanford University, there are Stanford-specific instructions scattered through the documentation. All such instructions are clearly marked as such.

WebAuth Documentation

Installing WebAuth:

Reference manuals:

The WebAuth protocol, which includes a more detailed explanation of how authentication works and how information is passed between a web server and the central WebKDC and weblogin servers:

WebKDC information (only of interest to people who are setting up a complete WebAuth infrastructure at another site):


New WebAuth releases are announced via the low-volume webauth-announce mailing list. To subscribe, unsubscribe, or read the archives, go to the webauth-announce list information page.

There is also a separate mailing list for general discussion and requests for help, which is also read by members of the WebAuth project team. To subscribe, unsubscribe, or read the archives, go to the webauth-info list information page.

Stanford users may instead read and post to the newsgroup su.computers.webauth, which is bidirectionally gatewayed to webauth-info. The newsgroup also gets all messages sent to webauth-announce.

Finally, if you are a Stanford affiliate and need help with WebAuth, you can submit a HelpSU request using the link at the bottom of this page. Due to limited resources, we cannot offer support to any non-Stanford users, so non-Stanford users should instead subscribe to the mailing list and ask questions there.


The WebAuth v3 protocol and core implementation were written by Roland Schemers, based on design documents by the entire Stanford WebAuth team (with considerable work by Tim Torgenrud and Booker Bense) and based in part on the functionality of WebAuth v2.5, written and maintained by a cast of dozens over the years but most notably Jeff Lewis, Anton Ushakov, and Jeanmarie Lucker.

The mod_webauthldap module was written by Anton Ushakov.

The configuration and build system and the WebAuth packaging were put together by Russ Allbery. Huaqing Zheng provided builds of supporting packages and Jonathan Pilat helped greatly with testing. Xueshan Feng oversaw the project.

The WebAuth package is currently maintained by Russ Allbery. Jon Robertson does much of the maintenance work on the WebLogin code and implemented password change and multifactor support.

RPMs are built by Darren Patterson based on earlier work by Joe Little. Many of the Solaris packages were built by Quanah Gibson-Mount.

Thanks to pod for improvements, particularly to the WebKDC, to make it easier to package for a Linux distribution, for the initial Debian package build rules, and for generic WebKDC templates suitable for a new installation and for use as examples.

Thanks to Dmitri Priimak for work on cross-realm support, WebLogin improvements, and testing of unusual Kerberos realms and principal names.

To contact any of the members of the WebAuth team, please use the contact information above rather than writing to us individually. This will help us help you more efficiently. Thank you!

Last modified Friday, 12-Dec-2014 02:33:07 PM
