Kerberos & single-sign-on for website
Posted by Dylan Klomparens on Server Fault
Published on 2013-10-18T21:52:18Z
I have a website running on a Linux computer using Apache. I've employed mod_auth_kerb for single-sign-on Kerberos authentication against a Windows Active Directory server.
In order for Kerberos to work correctly, I've created a service account in Active Directory called dummy.
I've generated a keytab for the Linux web server using ktpass.exe on the Windows AD server using this command:
ktpass /out C:\krb5.keytab /princ HTTP/[email protected] /mapuser [email protected] /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass xxxxxxxxx
I can successfully get a ticket from the Linux web server using this command:
kinit -k -t /path/to/keytab HTTP/[email protected]
... and view the ticket with klist.
I have also configured my web server with these Kerberos properties:
<Directory />
    AuthType Kerberos
    AuthName "Example.com Kerberos domain"
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/[email protected]
    Krb5KeyTab /path/to/keytab
    Require valid-user
    SSLRequireSSL
    <Files wsgi.py>
        Order deny,allow
        Allow from all
    </Files>
</Directory>
However, when I attempt to log in to the website (from another Desktop with username 'Jeff') my Kerberos credentials are not automatically accepted by the web server. It should grant me access immediately after that, but it does not. The only information I get from the mod_auth_kerb logs is:
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
However, more information is revealed when I change the mod_auth_kerb setting KrbMethodK5Passwd to On:
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1939): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1031): [client xxx.xxx.xxx.xxx] Using HTTP/[email protected] as server principal for password verification
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(735): [client xxx.xxx.xxx.xxx] Trying to get TGT for user [email protected]
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(645): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/[email protected]
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1110): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 [email protected] authtype=Basic
What am I missing? I've studied a lot of online tutorials and cannot find a reason why the Kerberos credentials are not allowing access.
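The debug lines quoted above already tell a defender the most important thing: the request that "worked" with KrbMethodK5Passwd On went through kerb_authenticate_user_krb5pwd with authtype=Basic, i.e. the browser sent a username and password and the module verified them against the KDC, which is password authentication over HTTP Basic rather than ticket-based single sign-on. The following script is an added example, not code from the question or from mod_auth_kerb, that audits a mod_auth_kerb debug log for exactly that: it separates genuine Negotiate logins from password fallbacks and failures, and flags a server principal that differs from the SPN the site is supposed to use. The sample log, the client addresses, the users, the SPN HTTP/web.example.com@EXAMPLE.COM and the kerb_authenticate_user_gss line for the Negotiate path are all constructed or assumed; only the krb5pwd and "server principal" line shapes come from the question.

```python
import re

# Constructed sample in the shape of mod_auth_kerb debug output. Hosts, realm,
# users and client addresses are placeholders. The krb5pwd and "server
# principal" lines follow the form seen in the question; the _gss result line
# for the Negotiate path is an assumption about the module's output.
SAMPLE_LOG = """\
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.0.0.5] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1031): [client 10.0.0.5] Using HTTP/web.example.com@EXAMPLE.COM as server principal for password verification
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(735): [client 10.0.0.5] Trying to get TGT for user jeff@EXAMPLE.COM
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(645): [client 10.0.0.5] Trying to verify authenticity of KDC using principal HTTP/web.example.com@EXAMPLE.COM
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1110): [client 10.0.0.5] kerb_authenticate_user_krb5pwd ret=0 user=jeff@EXAMPLE.COM authtype=Basic
[Fri Oct 18 17:30:02 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.0.0.6] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Oct 18 17:30:02 2013] [debug] src/mod_auth_kerb.c(1110): [client 10.0.0.6] kerb_authenticate_user_gss ret=0 user=jeff@EXAMPLE.COM authtype=Negotiate
[Fri Oct 18 17:31:10 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.0.0.7] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Oct 18 17:31:10 2013] [debug] src/mod_auth_kerb.c(1031): [client 10.0.0.7] Using HTTP/web@EXAMPLE.COM as server principal for password verification
[Fri Oct 18 17:31:10 2013] [debug] src/mod_auth_kerb.c(1110): [client 10.0.0.7] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=Basic
"""

# Assumed SPN the site is meant to authenticate as (HTTP/<fqdn>@<REALM>).
EXPECTED_SPN = "HTTP/web.example.com@EXAMPLE.COM"

LINE_RE = re.compile(r"\[client ([^\]]+)\] (.*)$")
SERVER_PRINC_RE = re.compile(r"Using (\S+) as server principal")
RESULT_RE = re.compile(
    r"kerb_authenticate_user_(\w+) ret=(\d+) user=(\S+) authtype=(\S+)")


def parse_events(log_text):
    """Reduce the debug log to (client, kind, payload) tuples.

    Only the server-principal line and the per-request result line are kept;
    the 'entered with user (NULL)' and TGT/KDC progress lines carry no verdict.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, msg = m.group(1), m.group(2)
        sp = SERVER_PRINC_RE.search(msg)
        if sp:
            events.append((client, "server_principal", sp.group(1)))
            continue
        res = RESULT_RE.search(msg)
        if res:
            events.append((client, "result", {
                "path": res.group(1),          # krb5pwd or gss
                "ret": int(res.group(2)),      # 0 is Apache OK, else an HTTP status
                "user": res.group(3),
                "authtype": res.group(4)}))
    return events


def audit(log_text, expected_spn):
    """Classify how each client actually got in and flag SSO weak spots."""
    findings = {"negotiate_ok": [], "password_fallback": [],
                "failures": [], "spn_mismatch": []}
    for client, kind, payload in parse_events(log_text):
        if kind == "server_principal":
            # A principal other than the expected SPN usually means the browser
            # reached the site under a different name (short name, alias, IP)
            # or the keytab/SPN pair was built for the wrong host.
            if payload != expected_spn:
                findings["spn_mismatch"].append((client, payload))
            continue
        if payload["ret"] != 0:
            findings["failures"].append((client, payload["path"], payload["ret"]))
        elif payload["authtype"] == "Negotiate":
            findings["negotiate_ok"].append((client, payload["user"]))
        else:
            # authtype=Basic: the user was let in, but by sending a password in
            # the Authorization header, not by presenting a service ticket.
            # This is not single sign-on and depends on TLS for confidentiality.
            findings["password_fallback"].append((client, payload["user"]))
    return findings


if __name__ == "__main__":
    for key, items in audit(SAMPLE_LOG, EXPECTED_SPN).items():
        print(f"{key}: {items}")
```

Run it over a debug-level error log (LogLevel debug, as in the question's output) after the fix is in place: with KrbMethodK5Passwd Off the password_fallback list should stay empty, negotiate_ok should fill up, and any remaining failures from the gss path point at the ticket side of the problem (the browser not sending a Negotiate token for that host, or the keytab not matching the ticket's SPN) rather than at the password path.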
© Server Fault or respective owner