Using Kerberos authentication in apache httpd

If you have a Kerberos or Active Directory installation you might want to use Kerberos for apache httpd authentication and single sign on. This howto assumes you have either a running kerberos server or use winbindd active directory integration as described in TipsAndTricks/WinbindADS.

This howto is for CentOS 5 only. CentOS 4 need slightly different options in the httpd-config.

Keytab

In order to use kerberos authentication in apache httpd you need a service principal entry in the keytab file on the machine running apache httpd. All descriptions here use the global keytab file in /etc/krb5.keytab. For security reasons you might want to use one keytab file per service, so service A cannot read the keytab information of service B. The default service name used for principal by the apache httpd kerberos module is HTTP.

vanilla kerberos

To add a service principal using kadmin start kadmin on the machine running apache httpd and use the command

ktadd HTTP/$HOST@$REALM

Where $HOST is the FQDN of the machine and $REAL is your kerberos realm. If you intend to use a different service name replace HTTP also.

winbindd

If you use winbindd use the following commands to create the keytab and add the service principal to your keytab:

net ads keytab create
net ads keytab add HTTP

Afterwards you can check your keytab by issuing the command

klist -k

It should list at least 2 lines with the principals for host/$HOST@$REALM and HTTP/$HOST@$REALM.

Configuring apache httpd

Additionally to the krb5-workstation package you will need the package mod_auth_kerb. Once it is installed you can configure authentication in an appropriate apache http stanza (<Directory> or <Location>). The configuration looks like this:

    <Location />
        AuthName "Restricted Access"
        AuthType Kerberos
        Krb5Keytab  /etc/krb5.keytab
        KrbAuthRealms $REALM
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        require valid-user
    </Location> 

Obviously you have to replace $REALM by your kerberos realm. The KrbMethodK5Passwd has to be set to On for password failback if accessed from a non kerberos-system.

Single Sign On

Internet Explorer

Internet explorer will automatically try kerberos logon if the kerberos realm is you Active Directory Domain.

Firefox

In firefox enter about:config in the addressbar and edit the entry network.negotiate-auth.trusted-uris as value enter the hostname of the apache httpd server or .domain.tld to allow kerberos for all servers in the domain.

Debugging

In case things are not working check that you have a valid kerberos ticket on the client using klist. Turn on debug logs on the apache httpd server by setting the LogLevel to debug, output can be found in the apache httpd error logfiles.

HowTos/HttpKerberosAuth (last edited 2009-09-21 07:22:52 by TimothyLee)