Monday, 29 August 2016

Kerberos-Based Apache SSO with Active Directory

Apache SSO with Active Directory

In this tutorial we will be setting up Active directory - Kerberos based sso with Apache.


1. Active directory Server - Windows server 2008 R2
2. Apache server - Cent OS 7
3. mod_auth_kerb module in apache

Active Directory details

Domain Name :
Domain Controller name:
IP address  :

Cent OS server details

Hostname :
IP address:
DNS address:

Lets begin by installing apache with mod_auth_kerb module

#yum install httpd mod_auth_kerb krb5-workstation

Now lets configure and verify kerberos

#vim /etc/krb5.conf

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac

  kdc =
  admin_server =

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM


Now lets verify with the following command

For every kerberized host you have to create a service principal on the KDC. Lets create a service principle in the Command prompt on the windows server.

Before we create a service principal, we need to create a user account with any name which will be used for creating the service ticket. Le the name of the user be ""

Use the below command to create the service principal

C:\>ktpass -princ HTTP/ -mapuser krb5@EXAMPLE.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass long$longp2ass3word -out c:\temp\krb5.keytab

The ktpass command creates the pricipal HTTP/, maps it to AD account "krb5" and exports it's key to the keytabfile c:\temp\krb5.keytab. Copy that file to Centos server(apache server).

Check if the KDC sends correct tickets (kvno) by getting a serviceticket and using klist:

#kvno HTTP/
#klist -e

check this values against keytab krb5.keytab

#klist -e -k -t krb5.keytab

#kinit -k -t krb5.keytab HTTP/

If this doesn't work then there is a problem with the Kerberos config.

Now lets create a test site with Apache and configure kerberos authentication

Copy the keytab file to /etc/httpd and change the ownership of the file to apache:apache

<VirtualHost *:80>


DocumentRoot /var/www/html/

<Directory "/var/www/html/">
AuthType  Kerberos
KrbServiceName HTTP
Krb5Keytab /etc/httpd/krb5.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user


Now lets enable Windows integrate authentication in Internet Explorer using the below link

Now lets configure Firefox for sso

1. In the address bar of Firefox, type about:config to display the list of current configuration options.
2. In the Filter field, type negotiate to restrict the list of options.
3. Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
4. Enter the name of the domain against which you want to authenticate, for example,
5. Repeat the above procedure for the network.negotiate-auth.delegation-uris entry, using the same domain.

Use the following link to enable Windows Integrated Authentication with chrome

High Availability with IREDMAIL Integrated with Active Directory

This is step by step guide for Centos 7. Server1 will be the Active node and Server2 will be the failover node. After failover when ...