Mikko Kortelainen

Apache HTTP authentication to Active Directory with Kerberos

First, create a user account for your Apache in the Active Directory. Let's assume the AD Kerberos realm is KOO.FI, and the user name we have created is "apache". Also create a computer account, let's call that "apachesrv".

Next, create two keytab files on the Windows server. One host keytab file and one service keytab file (long lines have been split):

C:\>ktpass -princ HOST/www.koo.fi@KOO.FI -mapuser apachesrv@KOO.FI
-crypto DES-CBC-MD5 -DesOnly -pass XXXCHOOSEXAXSECRETXWORDXXX
-ptype KRB5_NT_SRV_HST -out krb5.keytab
C:\>ktpass -princ HTTP/www.koo.fi@KOO.FI -mapuser apache@KOO.FI
-pass XXXSECRETXXX -out keytab.HTTP

Make sure that the principal name you are using (HTTP/your.server.com) matches the host name the web browser actually uses to reach Apache. If they differ, you will end up with error messages saying "failed to verify krb5 credentials: Server not found in Kerberos database" in your Apache error log.

You should now have binary files called krb5.keytab and keytab.HTTP in your current directory. Copy those files over to your Apache server into /etc.

Edit /etc/krb5.conf:

[libdefaults]
        default_realm = KOO.FI
        default_keytab_file = /etc/krb5.keytab
        dns_lookup_realm = true
        dns_lookup_kdc = true

[realms]
        KOO.FI = {
                kdc = dc1.koo.fi
                kdc = dc2.koo.fi
                admin_server = dc1.koo.fi
        }
[domain_realm]
        .koo.fi = KOO.FI
        koo.fi = KOO.FI

Test that your authentication works:

root@apachesrv:/etc# kinit HOST/www.koo.fi
Password for HOST/www.koo.fi@KOO.FI:

Enter the secret string you used earlier to create the machine account. If everything went correctly, you should be able to list the ticket:

root@apachesrv:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOST/www.koo.fi@KOO.FI

Valid starting     Expires            Service principal
06/11/08 15:26:55  06/12/08 01:25:16  krbtgt/KOO.FI@KOO.FI
    renew until 06/12/08 15:26:55

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
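The kinit above only proves the host keytab; Apache will read the service keytab, and the "Server not found in Kerberos database" error comes from a mismatch between the SPN stored there and the host name browsers ask for. The script below is an added example and not part of the original post: it lists the service keytab with klist -k, checks that the expected HTTP/host@REALM entry is present, and then does a non-interactive kinit from the keytab to prove the KDC accepts the key. It assumes MIT Kerberos client tools on the Apache box and the file names used in this post (/etc/keytab.HTTP, realm KOO.FI); the host name is a parameter, and the sample klist listing embedded in it is constructed, not captured. One further caveat: the host keytab above was created DES-only, which current domain controllers disable by default, so klist -k -e is worth a look if kinit fails with an enctype error.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that the service keytab
# Apache will use contains the SPN for the host name browsers request, and that
# the KDC accepts the key. Assumes MIT Kerberos tools (klist, kinit, kdestroy),
# /etc/keytab.HTTP and realm KOO.FI as in the post; host name is an argument.

# Build the principal mod_auth_kerb will look for: HTTP/<host>@<REALM>.
# The realm is upper-cased; the host is left exactly as given, because
# principal names are case-sensitive and must match what ktpass wrote.
expected_spn() {
    host=$1
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'HTTP/%s@%s\n' "$host" "$realm"
}

# Given the text of `klist -k <keytab>` and a principal, succeed (exit 0) only
# if that exact principal appears on a key line such as
# "   3 HTTP/www.koo.fi@KOO.FI" (field 1 is the KVNO, field 2 the principal).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*[0-9]+[[:space:]]+/ && $2 == want { found = 1 }
        END { exit !found }'
}

# Live check: list the real keytab, look for the SPN, then prove the key works
# with a non-interactive kinit (-k -t reads the key from the keytab).
check_service_keytab() {
    keytab=$1
    host=$2
    realm=$3
    spn=$(expected_spn "$host" "$realm")
    listing=$(klist -k "$keytab") || return 1
    if ! keytab_has_principal "$listing" "$spn"; then
        echo "missing $spn in $keytab: requests for $host will fail with" \
             "'Server not found in Kerberos database'" >&2
        return 1
    fi
    # A private credential cache keeps this test ticket out of root's cache.
    KRB5CCNAME=FILE:/tmp/keytab-check.cc kinit -k -t "$keytab" "$spn" || return 1
    kdestroy -c FILE:/tmp/keytab-check.cc 2>/dev/null
    echo "ok: $spn present in $keytab and accepted by the KDC"
}

# Constructed sample of `klist -k /etc/keytab.HTTP` output (not captured from a
# real server), so keytab_has_principal can be exercised without a KDC.
SAMPLE_LISTING='Keytab name: FILE:/etc/keytab.HTTP
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.koo.fi@KOO.FI'

# Usage: ./check-keytab.sh www.koo.fi [/etc/keytab.HTTP] [KOO.FI]
if [ "$#" -ge 1 ]; then
    check_service_keytab "${2:-/etc/keytab.HTTP}" "$1" "${3:-KOO.FI}"
fi
```

Run it with the host name from the URL users will type; if the site is also reached through an alias (a CNAME, a short name), each such name needs its own HTTP/ entry in the keytab, and this check will tell you which one is missing.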

Lastly, let's configure Apache. My Apache server happened to be an Ubuntu box with Apache 2.2 installed. The Apache module mod_auth_kerb will take care of the authentication, so let's install that:

root@apachesrv:/etc# aptitude install libapache2-mod-auth-kerb

Add a directory directive in your Apache configuration file:

<Directory /var/www/www.koo.fi/protected>
  AuthType Kerberos
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbAuthoritative on
  KrbAuthRealms KOO.FI
  KrbVerifyKDC on
  KrbServiceName HTTP
  Krb5Keytab /etc/keytab.HTTP
  KrbSaveCredentials off
  AuthName "This url is protected. Keep your unauthorized hands off!"
  Require Valid-user
</Directory>

Reload the changes to Apache, and you're all set!

root@apachesrv:/etc# /etc/init.d/apache2 force-reload
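To confirm the <Directory> block is live, probe it once without credentials and once with a ticket. The script below is an added example, not part of the original post: it checks that the unauthenticated response is a 401 offering Negotiate (what a browser needs before it will send a Kerberos ticket) and then repeats the request with curl's GSS-API support. It assumes curl built with SPNEGO support, a ticket for a KOO.FI user (kinit user@KOO.FI first) and a URL such as https://www.koo.fi/protected/; the URL is an assumption, the post only names the directory. The 401 sample embedded in it is constructed. Note that with KrbMethodK5Passwd on the challenge also offers Basic, so a browser with no ticket falls back to sending the user's AD password to Apache; that fallback belongs behind TLS.

```shell
#!/bin/sh
# Added example, not from the original post. Probes a Kerberos-protected URL:
# first without credentials (expects a 401 with a Negotiate challenge), then
# with the local ticket cache via curl --negotiate. Assumes curl with GSS-API
# support and an existing ticket; the URL is passed as the first argument.

# List the authentication schemes offered in WWW-Authenticate headers, one per
# line, lower-cased. With KrbMethodNegotiate and KrbMethodK5Passwd both on,
# Apache offers "negotiate" and "basic".
offered_schemes() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "www-authenticate:" { print tolower($2) }'
}

# Succeed only if the response is a 401 that offers Negotiate.
challenge_ok() {
    headers=$1
    status=$(printf '%s\n' "$headers" | tr -d '\r' | awk 'NR == 1 { print $2 }')
    [ "$status" = "401" ] || return 1
    offered_schemes "$headers" | grep -q -x negotiate
}

# Live probe: unauthenticated HEAD must be challenged; a request with the
# ticket cache (-u : means "use GSS-API, no password") must succeed.
probe_url() {
    url=$1
    headers=$(curl -s -I "$url") || return 1
    challenge_ok "$headers" || { echo "no Negotiate challenge from $url" >&2; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' --negotiate -u : "$url") || return 1
    [ "$code" = "200" ] || { echo "got HTTP $code with a ticket" >&2; return 1; }
    echo "ok: $url challenges with Negotiate and accepts the ticket"
}

# Constructed sample of the 401 Apache sends with both Krb methods on
# (not captured from a real server).
SAMPLE_401='HTTP/1.1 401 Authorization Required
Date: Wed, 11 Jun 2008 12:26:55 GMT
Server: Apache/2.2 (Ubuntu)
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="This url is protected. Keep your unauthorized hands off!"
Content-Type: text/html'

# Usage: ./probe-kerb.sh https://www.koo.fi/protected/
if [ "$#" -ge 1 ]; then
    probe_url "$1"
fi
```

If the first probe shows only Basic, mod_auth_kerb is loaded but KrbMethodNegotiate is off or the reload did not happen; if Negotiate is offered but the ticketed request still returns 401, the SPN in the keytab does not match the host name in the URL.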

Some links: