Stock Foreman 1.3 can be configured to use SPNEGO/GSSAPI/Negotiate authentication. However, when it is configured via naive wholesale <Location />, for example in /etc/httpd/conf.d/auth_kerb.conf

  <Location />
  AuthType Kerberos
  AuthName "Kerberos Login" 
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/http.keytab
  KrbLocalUserMapping On
  require valid-user
  </Location>

the solution has certain problems (also described at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb/1):

Some of the locations in Foreman might need the authentication disabled and the proposed <Location /> will cover them all. They need to be identified and exceptions added to Apache configuration. For SPNEGO, this configuration will force the negotiation to happen for every access to the WebUI -- first with 401 result, then second request with negotiation result with result 200, slowing the operation significantly down. Plus, users have to already exist in Foreman database or the authentication will fail -- that however defeats the purpose of using external authentication mechanism.

The goal of this issue is to make the REMOTE_USER authentication more usable by external Apache mod_auth_* modules, specifically with mod_auth_kerb in mind. The authentication should happen on single dedicated location (say /users/extlogin) and after the authentication, the standard Foreman session should be used. If the user does not exist in Foreman database, minimal user record to make the account usable should be created.