Kerberos & single-sign-on for website
- by Dylan Klomparens
I have a website running on a Linux computer using Apache. I've employed mod_auth_kerb for single-sign-on Kerberos authentication against a Windows Active Directory server.
In order for Kerberos to work correctly, I've created a service account in Active Directory called dummy.
I've generated a keytab for the Linux web server using ktpass.exe on the Windows AD server using this command:
ktpass /out C:\krb5.keytab /princ HTTP/example.com@REALM.EXAMPLE.COM /mapuser dummy@REALM.EXAMPLE.COM /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass xxxxxxxxx
I can successfully get a ticket from the Linux web server using this command:
kinit -k -t /path/to/keytab HTTP/example.com@REALM.EXAMPLE.COM
... and view the ticket with klist.
I have also configured my web server with these Kerberos properties:
<Directory />
    AuthType Kerberos
    AuthName "Example.com Kerberos domain"
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/example.com@REALM.EXAMPLE.COM
    Krb5KeyTab /path/to/keytab
    Require valid-user
    SSLRequireSSL
    <Files wsgi.py>
        Order deny,allow
        Allow from all
    </Files>
</Directory>
However, when I attempt to log in to the website (from another desktop with username 'Jeff') my Kerberos credentials are not automatically accepted by the web server. It should grant me access immediately after that, but it does not. The only information I get from the mod_auth_kerb logs is:
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
However, more information is revealed when I change the mod_auth_kerb setting KrbMethodK5Passwd to On:
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1939): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1031): [client xxx.xxx.xxx.xxx] Using HTTP/example.com@REALM.EXAMPLE.COM as server principal for password verification
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(735): [client xxx.xxx.xxx.xxx] Trying to get TGT for user jeff@REALM.EXAMPLE.COM
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(645): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/example.com@REALM.EXAMPLE.COM
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1110): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 user=jeff@REALM.EXAMPLE.COM authtype=Basic
What am I missing? I've studied a lot of online tutorials and cannot find a reason why the Kerberos credentials are not allowing access.
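The following is an added consistency check, not code from the question or from mod_auth_kerb: it parses the Apache Kerberos directives quoted above together with `klist -k` output and reports the mismatches a practitioner would look for first when ticket-based SSO (the Negotiate/SPNEGO path) silently falls back to nothing: AuthType not Kerberos, Negotiate disabled (mod_auth_kerb enables it unless `KrbMethodNegotiate Off` is set), a KrbServiceName that does not appear in the keytab, and a service principal whose realm is not listed in KrbAuthRealms. The `klist -k` text is constructed for the example (the KVNO and timestamp are made up); the configuration sample is the directive set from the question.

```python
import re

# Constructed sample input, copied from the directives in the question above
# (not a real server's configuration).
SAMPLE_CONFIG = """
<Directory />
    AuthType Kerberos
    AuthName "Example.com Kerberos domain"
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/example.com@REALM.EXAMPLE.COM
    Krb5KeyTab /path/to/keytab
    Require valid-user
</Directory>
"""

# Constructed sample of `klist -k -t /path/to/keytab` output; the KVNO and
# timestamp are made up for the example.
SAMPLE_KLIST = """Keytab name: FILE:/path/to/keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   3 10/18/13 17:00:00 HTTP/example.com@REALM.EXAMPLE.COM
"""

DIRECTIVE_RE = re.compile(r'^(AuthType|Krb\w+)\s+(.+?)\s*$')


def parse_krb_directives(config_text):
    """Collect AuthType and Krb* directives into a dict (first occurrence wins)."""
    found = {}
    for raw in config_text.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if m:
            found.setdefault(m.group(1), m.group(2).strip('"'))
    return found


def parse_keytab_principals(klist_text):
    """Return the principals listed by `klist -k`: the last field of every row
    that starts with a numeric KVNO (works with and without the -t timestamp)."""
    principals = []
    for raw in klist_text.splitlines():
        fields = raw.split()
        if fields and fields[0].isdigit() and '@' in fields[-1]:
            principals.append(fields[-1])
    return principals


def check_sso_config(config_text, klist_text):
    """Return a list of findings; an empty list means directives and keytab agree."""
    d = parse_krb_directives(config_text)
    principals = parse_keytab_principals(klist_text)
    findings = []

    if d.get('AuthType') != 'Kerberos':
        findings.append("AuthType is not Kerberos")

    # SSO uses the Negotiate (SPNEGO) method; mod_auth_kerb leaves it on by default.
    if d.get('KrbMethodNegotiate', 'On').lower() != 'on':
        findings.append("KrbMethodNegotiate is Off, so browsers cannot present a ticket")

    service = d.get('KrbServiceName')
    if service is None:
        findings.append("KrbServiceName is not set; nothing to compare against the keytab")
        return findings

    if service not in principals:
        found = ', '.join(principals) or 'none'
        findings.append(f"{service} is not in the keytab (principals found: {found})")

    # The service principal's realm should normally be among the realms the
    # module is told to authenticate against; a mismatch is worth a second look.
    if '@' in service:
        realm = service.split('@', 1)[1]
        allowed = d.get('KrbAuthRealms', '').split()
        if allowed and realm not in allowed:
            findings.append(
                f"service realm {realm} is not listed in KrbAuthRealms ({' '.join(allowed)})")
    return findings


if __name__ == '__main__':
    for line in check_sso_config(SAMPLE_CONFIG, SAMPLE_KLIST) or ["no inconsistencies found"]:
        print(line)
```

Run against the directive set from the question, the check reports a single finding: the service principal lives in REALM.EXAMPLE.COM while KrbAuthRealms names EXAMPLE.COM. Feed it the real `klist -k -t /path/to/keytab` output and the real `<Directory>` block to see whether the keytab and the directives on the server agree before digging into browser-side Negotiate behaviour.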