
Kerberos Authentication Setup on Apache

This part is tricky and depends heavily on your environment. For this reason, only a general description is given here; the actual setup may differ in your particular environment.

More information is available at the following website:

Implementing Kerberos Active Directory-integration for Single Sign-On on Apache

Prerequisites

  • The web server is running Apache on Ubuntu GNU/Linux.
  • The web server will authenticate against the Windows Active Directory (AD).
  • The Kerberos-client module is installed and configured on Ubuntu GNU/Linux.

    For more information on the 'Kerberos on Linux' configuration, please see the following websites:

    https://access.redhat.com

    http://tldp.org

It is also expected that you have a proper DNS and NTP setup, both in the Active Directory (AD) and on your Linux host. Name resolution and time synchronization are essential for Kerberos to work properly. A detailed technical description is beyond the scope of Valuemation Help; please refer to the Kerberos sources listed above.

Important: The domain server and the server on which Apache is running must be time-synchronized, otherwise Kerberos authentication fails!

Configuration steps

  1. Install the Apache module.

    In the Linux Terminal, type:

    $ sudo apt-get install libapache2-mod-auth-kerb krb5-user

    Note: 'krb5-user' is not strictly required for operation, but it is necessary if you want to test your Kerberos setup as described below.

  2. Test Kerberos.

    In the Linux Terminal, type:

    $ kinit username@WINDOWSDOMAIN

    • Replace 'username' and 'WINDOWSDOMAIN' with your AD credentials. Note that WINDOWSDOMAIN has to be written in capitals to work correctly!
    • On success, the command returns no output; you simply get the prompt back.
  3. Now if you type:

    $ klist

    Your fresh Kerberos ticket will be listed.

  4. Create a new user account in your Active Directory.

    This will be a "service account" which Kerberos on the Linux host will use.

    • Name it in an appropriate way (e.g. 'kerberos_hostname') and set a password.
    • Make sure the 'password never expires' option has been enabled.
  5. Set up the DNS server.

    While you are in your Windows environment, make sure you have a proper DNS-entry in the AD for your web server (stick to one A-record with a corresponding PTR-record).

  6. Create the 'keytab' file.

    On your Domain Controller, issue the following statement from the command prompt:

    C:\>ktpass -princ HTTP/<fqdn-hostname-in-DNS>@WINDOWSDOMAIN -mapuser <kerberosuser-AD-username>@WINDOWSDOMAIN -pass <kerberosuser-AD-password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos_hostname.keytab

    Note: The example above uses the 'RC4-HMAC-NT' algorithm, but other encryption algorithms can be used for 'keytab' file generation, such as des-cbc-md5, des3-cbc-sha1, rc4-hmac or aes256-cts-hmac-sha1-96. The algorithm must always be one that your domain server supports, so choose it according to your domain.

  7. Now you have got a 'keytab' file.

    Go ahead and transfer it to your webserver. Store it in a suitable location.

  8. Set up the 'keytab' file.

    In the Linux Terminal, type:

    $ sudo chown www-data /etc/kerberos_hostname.keytab

    $ sudo chmod 0640 /etc/kerberos_hostname.keytab

    Note: The file's ownership and permissions must allow the Apache process to read it.

  9. Configure Apache in the following way:

    <Directory "/path/you/want/to/protect/">
        AuthType Kerberos
        AuthName "Some-Nifty-Name"
        KrbAuthRealms WINDOWSDOMAIN
        KrbServiceName HTTP
        Krb5Keytab /path/to/keytab-file
        require valid-user
    </Directory>

    Note: See also the following 'Kerberos Module for Apache' configuration documentation.

  10. Restart Apache to complete the setup.
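As an added example (not part of the original help page), the following Python script parses an MIT-format 'keytab' file such as the one ktpass produces in step 6, lists the principal, key version and encryption type of each entry, and flags DES, 3DES and RC4 entries, which RFC 6649 and RFC 8429 deprecate; it is an offline equivalent of inspecting the transferred file with 'klist -kte' before Apache uses it. The host name webserver.example.com, the key bytes and the sample keytab are constructed placeholders.

```python
import struct

# Kerberos enctype numbers; DES, 3DES and RC4 are deprecated (RFC 6649, RFC 8429)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 16, 23}

def _counted(data, pos):
    # Read a uint16-length-prefixed string; return (string, position after it)
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name, is_weak)] for each live keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version (expected 0x0502)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                  # a negative size marks a deleted slot, which we skip
            ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
            realm, pos = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _counted(data, pos)
                comps.append(comp)
            pos += 8                  # skip name_type (u32) and timestamp (u32)
            kvno, enctype, klen = struct.unpack(">BHH", data[pos:pos + 5])
            pos += 5 + klen           # the key material itself is not needed here
            if end - pos >= 4:        # an optional 32-bit kvno overrides the 8-bit one
                kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
            entries.append(("/".join(comps) + "@" + realm, kvno,
                            ENCTYPES.get(enctype, "enctype %d" % enctype), enctype in WEAK_ENCTYPES))
        pos = end
    return entries

def build_entry(principal, realm, kvno, enctype, key):
    """Serialize one keytab entry (name_type KRB5_NT_PRINCIPAL, timestamp 0); sample use only."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the RC4 entry the ktpass command above would export plus an AES256
# one, for the placeholder host webserver.example.com in the placeholder realm WINDOWSDOMAIN.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/webserver.example.com", "WINDOWSDOMAIN", 3, 23, b"\x11" * 16)
                 + build_entry("HTTP/webserver.example.com", "WINDOWSDOMAIN", 3, 18, b"\x22" * 32))
```

Calling parse_keytab on the bytes of a real keytab file flags the RC4 entry as weak while accepting the AES256 one, and a principal whose realm is not in capitals or whose host part does not match the DNS A-record shows up immediately.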

See Also

SSO by Kerberos on Apache (as a sample of the HTTP header SSO method)

Sample Kerberos Setup with Valuemation