Problems set-up Single Sign-On using Kerberos authentication

Posted by user1124133 on Server Fault See other posts from Server Fault or by user1124133
Published on 2013-02-13T19:43:23Z Indexed on 2014/06/07 21:27 UTC
Read the original article Hit count: 269

I need for Ruby on Rail application set authentication via Active Directory using Kerberos authentication.

Some technical information:

  1. I are using Apache
  2. installed mod_auth_kerb
  3. In httpd.conf I added LoadModule auth_kerb_module modules/mod_auth_kerb.so
  4. In /etc/krb5.conf I added following configuration

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    
    [libdefaults]
     default_realm = EU.ORG.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes
    
    [realms]
     EU.ORG.COM = {
      kdc = eudc05.eu.org.com:88
      admin_server = eudc05.eu.org.com:749
      default_domain = eu.org.com
     }
    
    [domain_realm]
     .eu.org.com = EU.ORG.COM
     eu.org.com = EU.ORG.COM
    
    [appdefaults]
     pam = {
       debug = true
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    
  5. When I test kinit validuser and enter password then authentication is successful.

  6. klist returns:

    Ticket cache: FILE:/tmp/krb5cc_600
    Default principal: [email protected]
    
    Valid starting     Expires            Service principal
    02/08/13 13:46:40  02/08/13 23:46:47  krbtgt/[email protected]
    
            renew until 02/09/13 13:46:40
    
    Kerberos 4 ticket cache: /tmp/tkt600
    klist: You have no tickets cached
    
  7. In application Apache configuration I added

    IfModule mod_auth_kerb.c>
    Location /winlogin>
        AuthType Kerberos
        AuthName "Kerberos Loginsss"
        KrbMethodNegotiate off
        KrbAuthoritative on
        KrbVerifyKDC off
        KrbAuthRealms EU.ORG.COM
        Krb5Keytab /home/crmdata/httpd/apache.keytab
        KrbSaveCredentials off
        Require valid-user
      </Location>
    </IfModule>
    
  8. I restarted apache

Now some tests:

  1. When I try to access application from Win7, I got pop-up message box, with text:

    Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentification without a secure connection)
    
  2. When I enter valid credentials then my application opens successfully, and all works fine.

Questions:

  1. Is ok that for user pop-ups such windows? If I use NTLM authentication then there no such pop-up. I checked IE Internet Options and there 'Enable Integrated Windows Authentication' is checked.

  2. Why IE try to send username and password to application apache? If I correct to understand then Windows self must make authentication via Active Directory using Kerberos protocol.

  3. When I try to access application from Win7 and I enter incorrect credentials to pop-up message box

    • Application say Authentication failed (this is OK)
    • In apache error log I see:

      [error] [client 192.168.56.1] krb5_get_init_creds_password() failed: Client not found in Kerberos database 
      
    • But now I cannot get possibility to enter valid credentials, only when I restart IE I can get again pop-up box.

What could be incorrect or missing in my Kerberos setup?

I read in some blog post that probably something is needed to be done in Active Directory side. What exactly?

© Server Fault or respective owner

Related posts about apache-2.2

Related posts about ruby-on-rails