General disclaimer: Most (if not all) of this content is probably available somewhere in Google’s databases already. I post this here only for my own personal (lack of) memory’s sake, in case I ever need to go through this again. I probably owe credits both here and there, but please settle with a global thanks to everyone who might recognize something in here.
Introduction
Right, so I wanted to do single sign-on on an Apache Linux server running in our otherwise Windowized environment. Most of what Google told me was to use Apache’s NTLM-module. What they forgot to mention was that NTLMv1 (which this, currently unmaintained module uses) is deprecated in Windows Vista and later due to security issues. Many of the sources suggested to go for the simple route of lowering the security in Windows(!) by re-enabling NTLMv1, but.. that didn’t really feel “right”.
The “right” way seemed to be to use Kerberos instead, and this post outlines the steps required. I tried to assemble only the absolutely required stuff, and not include full-blown Samba implementations and such. Which is nice, no doubt, but if I don’t have any other use for it, why the extra bloat?
This post is written with the following prerequisites in mind:
• The webserver is running Apache on Ubuntu
• The webserver will authenticate against a Windows 2008 R2 Active Directory
• The client (browser) is IE9 on Windows 7
This scenario absolutely works. If your environment differs, you are on your own.
I am also assuming that you have a proper DNS and NTP setup, both in the AD and on your Linux host. Name resolution and time synchronization is » IMPORTANT « for Kerberos to function, but also outside the scope of this document.
Install Apache module
$ sudo apt-get install libapache2-mod-auth-kerb krb5-user
(okay, so maybe krb5-user is not absolutely required for operation, but if you want to test your Kerberos setup, as follows, it is necessary)
Test Kerberos
$ kinit username@WINDOWSDOMAIN
Replace “username” and “WINDOWSDOMAIN” with your AD-credentials. Note that WINDOWSDOMAIN has to be written in CAPITALS for this to work. Silly.
Oh, and the test will return zero response – you just get the prompt back. Whopee.
However,
$ klist
will now list your fresh Kerberos ticket. Assuming all is well so far, let’s move on.
Active Directory account
Create a new user account in your Active Directory. This will be a “service account” that Kerberos on the Linux host will use. Name it something convenient, like “kerberos_hostname” and set a nifty password.
Ensure you enable “password never expires”.
Set up DNS
While you are in your Windows environment, ensure you have a proper DNS-entry in the AD for your webserver. To make life easy on you, stick to one A-record with a corresponding PTR-record. CNAMEs are do-able with an extra tweak though, just keep on reading.
On a side-note, it may be wise to avoid CNAMEs pointing to other CNAMEs though, as Microsoft apparently does not traverse CNAMEs beyond one level. Please note that this is really hearsay only – I have neither tested nor confirmed this.
Create keytab-file
On your Domain Controller, issue the following from a command prompt:
C:>ktpass -princ HTTP/<fqdn-hostname-in-DNS>@WINDOWSDOMAIN -mapuser <kerberosuser-AD-username>@WINDOWSDOMAIN -pass <kerberosuser-AD-password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:Tempkerberos_hostname.keytab
As mentioned earlier, if you also want a CNAME to work, you need to repeat the above command, while also giving the recently created keytab-file as input. This will concatenate the two keytab-files (one for the A-record, one for the CNAME) into one file. Like this:
C:>ktpass -in C:Tempkerberos_hostname.keytab -princ HTTP/<fqdn-cname-in-DNS>@WINDOWSDOMAIN -mapuser <kerberosuser-AD-username>@WINDOWSDOMAIN -pass <kerberosuser-AD-password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:Tempkerberos_concatenated_hostnames.keytab
Okay, you got yourself a “keytab”-file now, concatenated or not. Go ahead and transfer it to your webserver.
Store it somewhere convenient, shall we say in /etc?
Set up keytab-file
$ sudo chown root.www-data /etc/kerberos_hostname.keytab $ sudo chmod 0640 /etc/kerberos_hostname.keytab
The webserver process (run by www-data on Ubuntu) must be able to read this file.
Configure apache
<Directory "/path/you/want/to/protect/"> AuthType Kerberos AuthName "Some-Nifty-Name" KrbAuthRealms WINDOWSDOMAIN KrbServiceName HTTP Krb5Keytab /path/to/keytab-file require valid-user </Directory>
See Kerberos Module for Apache configuration for documentation on the configuration here.
Done, there you have it. Of course you will need to restart apache, and whatnot (hey, rebooting the server always makes things work…), but this really should work as-is. I’m sorry if it didn’t.