Monday 29 August 2016

Kerberos-Based Apache SSO with Active Directory

Apache SSO with Active Directory


In this tutorial we will set up Kerberos-based single sign-on (SSO) against Active Directory for a site served by Apache: a domain user who is already logged in to Windows gets access without a password prompt, and the web server never sees the user's password, only a Kerberos service ticket.


Requirements

1. Active Directory server - Windows Server 2008 R2
2. Apache server - CentOS 7
3. mod_auth_kerb module for Apache

Active Directory details

Domain Name : example.com
Domain Controller name: dc.example.com
IP address  : 192.168.0.100


CentOS server details

Hostname : server.example.com
IP address: 192.168.0.101
DNS address: 192.168.0.100

Let's begin by installing Apache, the mod_auth_kerb module and the Kerberos client tools (krb5-workstation provides kinit, klist and kvno, which we use below to verify the setup):

#yum install httpd mod_auth_kerb krb5-workstation

Now let's configure and verify Kerberos on the CentOS host. The three enctype lines below pin the client to rc4-hmac so that it matches the -crypto RC4-HMAC-NT option used with ktpass later in this post. RC4-HMAC is a legacy cipher and should be avoided where the domain supports AES: in that case use aes256-cts-hmac-sha1-96 here (or simply omit the three enctype lines and let the KDC choose) and pass -crypto AES256-SHA1 to ktpass, after enabling "This account supports Kerberos AES 256 bit encryption" on the service account.

#vim /etc/krb5.conf

------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac

[realms]
 EXAMPLE.COM = {
  kdc = dc.example.com
  admin_server = dc.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

--------------------------------------------------------------------------


Before going further, verify that the host can reach the domain controller and obtain a ticket, for example with kinit for a domain user (kinit user@EXAMPLE.COM) followed by klist. If kinit fails at this point, fix DNS, time synchronisation (Kerberos tolerates only a few minutes of clock skew) or the realm settings above before touching Apache.

For every Kerberized host you have to create a service principal on the KDC. In an Active Directory domain the KDC is the domain controller, and the principal is created with ktpass from an elevated command prompt on the Windows server.

Before we create the service principal, we need a dedicated AD user account to which it will be mapped; that account's password becomes the long-term key of the service. Let the name of the user be "krb5" (krb5@example.com). Set its password to never expire, and do not reuse a real person's account, because ktpass resets the account password to the value you pass it.

Use the below command to create the service principal

C:\>ktpass -princ HTTP/server.example.com@EXAMPLE.COM -mapuser krb5@EXAMPLE.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass long$longp2ass3word -out c:\temp\krb5.keytab


The ktpass command creates the principal HTTP/server.example.com@EXAMPLE.COM, maps it to the AD account "krb5" (setting that account's servicePrincipalName and resetting its password to the -pass value) and exports the derived key to the keytab file c:\temp\krb5.keytab. Copy that file to the CentOS (Apache) server over a secure channel such as scp, and delete the copy from c:\temp afterwards: anyone holding the keytab can impersonate the web server. Two practical notes: use -pass * instead of putting the password on the command line so it does not end up in the command history, and remember that every re-run of ktpass bumps the account's key version number (kvno), so an older keytab stops working and must be replaced.


Check that the KDC issues tickets that agree with the keytab by obtaining a service ticket for our principal and listing it. kvno needs an existing TGT, so run kinit user@EXAMPLE.COM for a domain user first, then:

#kvno HTTP/server.example.com@EXAMPLE.COM
#klist -e

Check these values (the kvno and the encryption type) against the keytab file:

#klist -e -k -t krb5.keytab

Finally, prove that the keytab itself is usable by authenticating as the service principal with it:

#kinit -k -t krb5.keytab HTTP/server.example.com

The kvno reported by the KDC must equal the KVNO column of the keytab, and the ticket's encryption type must be one the keytab holds. If the numbers differ the keytab is stale (ktpass was re-run, or a different keytab was copied); if kinit -k fails there is a problem with the Kerberos configuration, DNS or clock skew, and none of the Apache steps will work until it is fixed.
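The three commands above are easy to run and tedious to compare by eye, so here is an added self-check (not part of the original post) that parses the output of kvno, klist -e -k -t and klist -e and reports the two mismatches behind most "kinit works but Apache answers 401" cases: a stale kvno after ktpass was re-run, and a ticket encryption type the keytab does not hold. The sample outputs embedded in it are constructed in MIT krb5's output format; the principal and keytab path are the ones from this post, and running it for real assumes a TGT obtained with kinit user@EXAMPLE.COM.

```python
import re

# Principal and keytab path from the post; the check itself is an added example.
PRINCIPAL = "HTTP/server.example.com@EXAMPLE.COM"
KEYTAB_PATH = "/etc/httpd/krb5.keytab"

# Constructed sample outputs, formatted like MIT krb5 on CentOS 7, so the checks can be
# exercised without a domain controller. In real use they come from the commands below.
KVNO_OUT = "HTTP/server.example.com@EXAMPLE.COM: kvno = 3\n"

KEYTAB_OUT = """\
Keytab name: FILE:/etc/httpd/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/29/2016 09:12:44 HTTP/server.example.com@EXAMPLE.COM (arcfour-hmac)
"""

CACHE_OUT = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
08/29/2016 10:00:01  08/29/2016 20:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/29/2016 10:00:05  08/29/2016 20:00:01  HTTP/server.example.com@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""


def parse_kvno(text, principal):
    """kvno output looks like '<principal>: kvno = N'. Returns N, or None if absent."""
    m = re.search(re.escape(principal) + r": kvno = (\d+)", text)
    return int(m.group(1)) if m else None


def parse_keytab(text, principal):
    """klist -e -k -t output -> {kvno: {enctype, ...}} for the given principal."""
    entries = {}
    for line in text.splitlines():
        # "   3 08/29/2016 09:12:44 HTTP/host@REALM (arcfour-hmac)"
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)", line)
        if m and m.group(2) == principal:
            entries.setdefault(int(m.group(1)), set()).add(m.group(3))
    return entries


def parse_cache_etype(text, principal):
    """klist -e output -> the 'tkt' enctype of the ticket for principal, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.split() and line.split()[-1] == principal and i + 1 < len(lines):
            m = re.match(r"\s*Etype \(skey, tkt\): (\S+), (\S+)", lines[i + 1])
            if m:
                return m.group(2)
    return None


def check_keytab(kvno_out, keytab_out, cache_out, principal):
    """Return a list of problems; an empty list means keytab and KDC agree."""
    kdc_kvno = parse_kvno(kvno_out, principal)
    keytab = parse_keytab(keytab_out, principal)
    tkt_etype = parse_cache_etype(cache_out, principal)
    if kdc_kvno is None:
        return ["kvno returned no ticket for %s (no TGT, or SPN not registered in AD?)" % principal]
    if not keytab:
        return ["keytab has no entry for %s" % principal]
    problems = []
    if kdc_kvno not in keytab:
        # Typical after ktpass was re-run: AD bumped the key version, the file is stale.
        problems.append("KDC issues kvno %d but keytab holds kvno %s; copy the new keytab"
                        % (kdc_kvno, sorted(keytab)))
    elif tkt_etype is None:
        problems.append("no service ticket for %s in the cache; run kvno before klist -e" % principal)
    elif tkt_etype not in keytab[kdc_kvno]:
        # krb5.conf enctypes / ktpass -crypto disagree with what AD hands out.
        problems.append("ticket enctype %s not in keytab for kvno %d (keytab has %s)"
                        % (tkt_etype, kdc_kvno, sorted(keytab[kdc_kvno])))
    return problems


if __name__ == "__main__":
    import subprocess
    import sys
    # Run the real commands (requires a TGT: kinit user@EXAMPLE.COM first).
    try:
        outs = [subprocess.check_output(cmd).decode() for cmd in (
            ["kvno", PRINCIPAL],
            ["klist", "-e", "-k", "-t", KEYTAB_PATH],
            ["klist", "-e"])]
    except (OSError, subprocess.CalledProcessError) as err:
        sys.exit("could not run the Kerberos tools: %s" % err)
    for problem in check_keytab(outs[0], outs[1], outs[2], PRINCIPAL):
        print("PROBLEM: %s" % problem)
```

Run it on the Apache host after kinit; no output means the keytab matches what the KDC is issuing. The enctype comparison is what catches the RC4/AES mismatch discussed above: if AD hands out AES tickets while the keytab was exported with -crypto RC4-HMAC-NT, mod_auth_kerb cannot decrypt the ticket.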

Now let's create a test site and configure Kerberos authentication for it.

Copy the keytab file to /etc/httpd/krb5.keytab, change its ownership to apache:apache and restrict it with chmod 600: it holds the service's long-term key, and a world-readable keytab lets any local user impersonate the site. The virtual host below goes in a file such as /etc/httpd/conf.d/sso.conf. KrbMethodK5Passwd off is deliberate: it disables the Basic-auth fallback that would otherwise let a browser send the user's AD password to the server in clear text.

-------------------------------------------------
<VirtualHost *:80>
    ServerName server.example.com
    DocumentRoot /var/www/html/server.example.com

    <Directory "/var/www/html/server.example.com">
        AuthType Kerberos
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/krb5.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        require valid-user
    </Directory>
</VirtualHost>
------------------------------------------------
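The virtual host above listens on plain port 80. As an added, hardened variant (example configuration, not from the original post; the certificate paths are assumed, and mod_ssl must be installed with yum install mod_ssl), the following serves the site over TLS so the Negotiate tokens and the application's session cookies are not exposed on the wire, sets the remaining mod_auth_kerb options explicitly instead of relying on their defaults, and maps REMOTE_USER to the bare account name that most applications expect:

```apache
# /etc/httpd/conf.d/sso.conf (added example; certificate paths are assumptions)

<VirtualHost *:80>
    ServerName server.example.com
    # Plain HTTP only redirects; the Kerberos exchange never happens here.
    Redirect permanent / https://server.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName server.example.com
    DocumentRoot /var/www/html/server.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.example.com.key

    <Directory "/var/www/html/server.example.com">
        AuthType Kerberos
        AuthName "EXAMPLE.COM single sign-on"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/krb5.keytab
        KrbMethodNegotiate on
        # Never fall back to prompting for (and transmitting) the AD password.
        KrbMethodK5Passwd off
        # Verify the ticket against our own keytab, so a spoofed KDC cannot log users in.
        KrbVerifyKDC on
        # Do not store delegated credentials unless the application needs them.
        KrbSaveCredentials off
        # REMOTE_USER becomes "alice" instead of "alice@EXAMPLE.COM".
        KrbLocalUserMapping on
        Require valid-user
    </Directory>
</VirtualHost>
```

Restart httpd after adding the file (systemctl restart httpd) and test with a domain user's browser; curl --negotiate -u : https://server.example.com/ from a host holding a TGT is a quick command-line check of the Negotiate handshake.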


Now let's enable Integrated Windows Authentication in Internet Explorer. IE only sends a Negotiate token automatically to sites in the Local intranet zone, so https://server.example.com must be placed there; the guide below walks through the settings:

https://docs.secureauth.com/display/KBA/Enable+Integrated+Windows+Authentication+(IWA)+in+Internet+Explorer


Now let's configure Firefox for SSO

1. In the address bar of Firefox, type about:config to display the list of current configuration options.
2. In the Filter field, type negotiate to restrict the list of options.
3. Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
4. Enter the name of the domain against which you want to authenticate, for example .example.com.
5. Only if the web application must act on the user's behalf (for which the server side would need KrbSaveCredentials on), repeat the procedure for the network.negotiate-auth.delegation-uris entry with the same domain. Otherwise leave it empty: delegation hands the user's Kerberos credentials to the web server, which can then impersonate the user against other services.

Use the following link to enable Integrated Windows Authentication in Chrome (on Windows, Chrome reuses Internet Explorer's Local intranet zone settings, so the IE step above usually covers it):

https://www.specopssoft.com/configuring-chrome-and-firefox-for-windows-integrated-authentication/














