This part is tricky and depends heavily on your environment. For this reason, only a general description is provided here; the actual setup in a particular environment can differ.
- The web server will authenticate against the Windows Active Directory (AD).
- The Kerberos-client module is installed and configured on Ubuntu GNU/Linux.
For more information on the 'Kerberos on Linux' configuration, please see the following websites:
https://access.redhat.com
http://tldp.org
It is also expected that you have a proper DNS and NTP setup, both in the Active Directory (AD) and on your Linux host. Name resolution and time synchronization are essential for Kerberos to work properly. The related technical description is beyond the scope of Valuemation Help; please refer to the corresponding Kerberos sources (see above).
- Install the Apache module.
In the Linux Terminal, type:
$ sudo apt-get install libapache2-mod-auth-kerb krb5-user
Note: The 'krb5-user' package is not strictly required for operation, but it is necessary if you want to test your Kerberos setup as described below.
- Test Kerberos.
In the Linux Terminal, type:
$ kinit username@WINDOWSDOMAIN
- Replace 'username' and 'WINDOWSDOMAIN' with your AD credentials. Note that WINDOWSDOMAIN has to be written in capitals to work correctly!
- A successful test produces no output at all, which means that you simply get the prompt back.
- Now if you type:
$ klist
Your fresh Kerberos ticket will be listed.
- Create a new user account in your Active Directory.
This will be the "service account" that the Kerberos setup on the Linux host uses.
- Name it in an appropriate way (e.g. 'kerberos_hostname') and set a password.
- Make sure the 'password never expires' option has been enabled.
- Set up the DNS server.
While you are in your Windows environment, make sure you have a proper DNS-entry in the AD for your web server (stick to one A-record with a corresponding PTR-record).
- Create the 'keytab' file.
On your Domain Controller, issue the following statement from the command prompt:
C:\>ktpass -princ HTTP/<fqdn-hostname-in-DNS>@WINDOWSDOMAIN -mapuser <kerberosuser-AD-username>@WINDOWSDOMAIN -pass <kerberosuser-AD-password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos_hostname.keytab
Note: In the example above, the 'RC4-HMAC-NT' algorithm has been used, but several other encryption algorithms can be used for 'keytab' file generation, such as des-cbc-md5, des3-cbc-sha1, rc4-hmac, aes256-cts-hmac-sha1-96, etc. The encryption algorithm always has to match what the domain server supports and is configured for.
- Now you have got a 'keytab' file.
Go ahead and transfer it to your webserver. Store it in a suitable location.
- Set up the 'keytab' file.
In the Linux Terminal, type:
$ sudo chown www-data /etc/kerberos_hostname.keytab
$ sudo chmod 0640 /etc/kerberos_hostname.keytab
Note: The file must be owned by, or at least readable for, the user the Apache process runs as (www-data on Ubuntu).
- Configure Apache as follows:
<Directory "/path/you/want/to/protect/">
    AuthType Kerberos
    AuthName "Some-Nifty-Name"
    KrbAuthRealms WINDOWSDOMAIN
    KrbServiceName HTTP
    Krb5Keytab /path/to/keytab-file
    require valid-user
</Directory>
Note: See also the following 'Kerberos Module for Apache' configuration documentation.
- Restart Apache to complete the setup.
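Before restarting Apache, it is worth verifying the keytab on the web server: that the realm is in capitals, that the file is readable only by the Apache user, that it contains the HTTP/ service principal for the DNS name, and that a ticket can actually be obtained with it. The following script is an added example, not part of Valuemation Help or mod_auth_kerb; the host name web.example.com, the realm EXAMPLE.COM and the keytab path are placeholders, and it assumes GNU stat plus klist/kinit from the krb5-user package.

```shell
#!/bin/sh
# Added keytab sanity check (example only, not from Valuemation or mod_auth_kerb).

# Return 0 if the principal has a realm and that realm is all upper case,
# as required by the WINDOWSDOMAIN rule above.
realm_is_uppercase() {
    case "$1" in *@*) ;; *) return 1 ;; esac
    realm="${1##*@}"
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Return 0 if the given 'klist -k' output lists the expected service principal.
# Lines of interest look like: "   3 HTTP/web.example.com@EXAMPLE.COM"
keytab_lists_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# Return 0 if the keytab is owned by the Apache user and not world-readable
# (matches the chown/chmod 0640 step above).
keytab_perms_ok() {
    file="$1"; owner="${2:-www-data}"
    [ "$(stat -c '%U' "$file")" = "$owner" ] || return 1
    mode="$(stat -c '%a' "$file")"
    [ "${mode#??}" = "0" ]
}

# Full check on a live host; prints the reason for the first failure.
# Usage: check_keytab /etc/kerberos_hostname.keytab web.example.com EXAMPLE.COM [www-data]
check_keytab() {
    keytab="$1"; fqdn="$2"; realm="$3"; apache_user="${4:-www-data}"
    principal="HTTP/${fqdn}@${realm}"
    realm_is_uppercase "$principal" || { echo "realm must be upper case: $realm"; return 1; }
    keytab_perms_ok "$keytab" "$apache_user" || { echo "bad owner/mode on $keytab"; return 1; }
    keytab_lists_principal "$(klist -k "$keytab")" "$principal" ||
        { echo "$principal not found in $keytab (check DNS name and ktpass -princ)"; return 1; }
    # Obtain a ticket with the keytab into a throw-away cache. A failure here usually
    # means a wrong password or encryption type at ktpass time, or clock skew.
    # Note: RC4-HMAC-NT is a legacy encryption type; prefer an AES type if the DC allows it.
    cache="/tmp/krb5cc_keytab_check_$$"
    if kinit -k -t "$keytab" -c "$cache" "$principal"; then
        rm -f "$cache"; echo "keytab OK for $principal"
    else
        rm -f "$cache"; echo "kinit with $keytab failed"; return 1
    fi
}
```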