Scenario

Example Domain: contoso.lan
Web Server: web.contoso.lan
Active Directory Server: ad.contoso.lan
DNS Server: ad.contoso.lan

Introduction

Right, so I wanted to do single sign-on on an Apache Linux server running in our otherwise Windowized environment. Most of what Google told me was to use Apache’s NTLM module. What they forgot to mention was that NTLMv1 (which this currently unmaintained module uses) is deprecated in Windows Vista and later due to security issues. Many of the sources suggested going the simple route of lowering the security in Windows(!) by re-enabling NTLMv1, but that didn’t really feel “right”.

The “right” way seemed to be to use Kerberos instead, and this post outlines the steps required. I tried to assemble only the absolutely required stuff, and not include full-blown Samba implementations and such. Which is nice, no doubt, but if I don’t have any other use for it, why the extra bloat?

This post is written with the following prerequisites in mind:
• The webserver is running Apache on Ubuntu
• The webserver will authenticate against a Windows 2008 R2 Active Directory
• The client (browser) is IE9 on Windows 7
This scenario absolutely works. If your environment differs, you are on your own.

I am also assuming that you have a proper DNS and NTP setup, both in the AD and on your Linux host. Name resolution and time synchronization are » IMPORTANT « for Kerberos to function, but they are also outside the scope of this document.

1. NTP synchronization

In order for Kerberos tickets to operate correctly the system time on each host must be within allowed tolerances. To achieve this our web server must update its system time to match the AD server. This can be done by adding the line below to the NTP config file, which in our distribution can be found at /etc/ntp.conf.

server ad.contoso.lan

In addition to this, we add a daily cron job to make sure the synchronization takes place on a regular basis. This can be achieved by creating the file /etc/cron.daily/ntpdate containing the following line.

ntpdate ad.contoso.lan

2. Install Apache module

$ sudo apt-get install libapache2-mod-auth-kerb krb5-user

(krb5-user is not absolutely required for operation, but if you want to test your Kerberos setup, as follows, it is necessary)

3. Test Kerberos

$ kinit username@WINDOWSDOMAIN

Replace “username” with your AD username. Note that WINDOWSDOMAIN has to be written in CAPITALS for this to work. The command produces no output on success – you just get the prompt back.

$ klist

will now list your fresh Kerberos ticket. Assuming all is well so far, let’s move on.

4. Active Directory account

Create a new user account in your Active Directory. This will be a “service account” that Kerberos on the Linux host will use. Name it something convenient, like “kerberos_hostname”, and set a nifty password. In this case I used the name “kerberos”.
Ensure you enable “password never expires”.

5. Web server authentication user and keytab generation

In order for the web server to authenticate user accounts it must itself have an associated Active Directory user account. In this example we have named the user “kerberos”. The kerberos user must be manually associated with a keytab file that will allow the web server to authenticate requests in the background. To create the keytab, enter the following statement in a command prompt:

ktpass -princ HTTP/[email protected] -mapuser [email protected] -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos.keytab

It is better to also include the specific name used to call the website (the ServerName option in the VirtualHost directive), for example www.site.com.

With the following commands we can combine both principals into one keytab:

mv C:\Temp\kerberos.keytab C:\Temp\kerberos-orig.keytab
ktpass -in C:\Temp\kerberos-orig.keytab -princ HTTP/[email protected] -mapuser [email protected] -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos-concatenate.keytab

Once the keytab file has been generated it must be transferred to the web server and given the correct ownership and permissions. In our example we are storing the keytab file at /etc/kerberos.keytab. To set the correct ownership and permissions use the commands below.

chown root:www-data /etc/kerberos*.keytab
chmod 0640 /etc/kerberos*.keytab

NOTE: The Linux distribution in our example runs apache processes under the www-data user. In other distributions this may differ.
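The following script is an added example (not from the original post) of the checks worth running once the keytab has been copied to the web server: that the file has exactly the ownership and mode set above, that it actually contains the HTTP service principal, and how many of its keys use a legacy encryption type. It assumes the keytab path /etc/kerberos.keytab, the www-data group, and the principal HTTP/web.contoso.lan@CONTOSO.LAN built from the scenario's host and realm names; the klist listing in the demo is a constructed sample in MIT klist -ke format.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: keytab at /etc/kerberos.keytab, Apache runs as www-data,
# and the service principal is HTTP/web.contoso.lan@CONTOSO.LAN
# (web server host and realm taken from the scenario block).
KEYTAB=/etc/kerberos.keytab
EXPECTED_PRINCIPALS="HTTP/web.contoso.lan@CONTOSO.LAN"

# check_keytab_perms FILE OWNER GROUP
# Returns 0 when FILE is mode 0640 (-rw-r-----) and owned by OWNER:GROUP,
# i.e. readable by root and the Apache group but by nobody else.
check_keytab_perms() {
    f="$1"; owner="$2"; group="$3"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    set -- $(ls -ld "$f")                      # mode links owner group ...
    mode=$(printf '%s' "$1" | cut -c1-10)     # drop ACL/SELinux suffixes
    have_owner="$3"; have_group="$4"
    [ "$mode" = "-rw-r-----" ] || { echo "bad mode $mode on $f" >&2; return 1; }
    [ "$have_owner" = "$owner" ] && [ "$have_group" = "$group" ] ||
        { echo "bad owner $have_owner:$have_group on $f" >&2; return 1; }
    return 0
}

# keytab_has_principal PRINCIPAL  (reads "klist -k" output on stdin)
# Entry lines start with a numeric KVNO followed by the principal name.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# check_keytab_principals LISTING
# Verifies that every principal in EXPECTED_PRINCIPALS appears in LISTING,
# the text produced by "klist -k KEYTAB" (or "klist -ke KEYTAB").
check_keytab_principals() {
    listing="$1"; rc=0
    for p in $EXPECTED_PRINCIPALS; do
        if printf '%s\n' "$listing" | keytab_has_principal "$p"; then
            echo "ok: $p"
        else
            echo "missing principal: $p" >&2; rc=1
        fi
    done
    return $rc
}

# weak_etype_count LISTING
# Counts entries in "klist -ke" output whose encryption type is RC4 or DES.
# The ktpass line above creates RC4-HMAC keys; AES types are preferred
# where the AD account and clients support them.
weak_etype_count() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $3 ~ /arcfour|rc4|des-cbc/ { n++ }
        END { print n + 0 }'
}

# Constructed sample of "klist -ke /etc/kerberos.keytab" output for the demo.
SAMPLE_LISTING='Keytab name: FILE:/etc/kerberos.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web.contoso.lan@CONTOSO.LAN (arcfour-hmac)
   3 HTTP/web.contoso.lan@CONTOSO.LAN (aes256-cts-hmac-sha1-96)'

check_keytab_principals "$SAMPLE_LISTING"
echo "legacy enctype entries: $(weak_etype_count "$SAMPLE_LISTING")"
# Live use on the web server after copying the keytab:
# check_keytab_perms "$KEYTAB" root www-data
# check_keytab_principals "$(klist -ke "$KEYTAB")"
# weak_etype_count "$(klist -ke "$KEYTAB")"
```

klist comes with the krb5-user package installed in step 2. A keytab that passes the permission check but lacks the HTTP principal is the most common reason mod_auth_kerb answers every request with 401, so the principal check is worth keeping in a post-deployment script.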

6. Install and configure Kerberos

Once Kerberos is installed we need to modify the configuration to include the settings outlined below. In our example the distribution's config file can be found at /etc/krb5.conf.

[libdefaults]
        default_realm = CONTOSO.LAN

[realms]
        CONTOSO.LAN = {
                kdc = ad.contoso.lan
                admin_server = ad.contoso.lan
        }

[domain_realm]
        .contoso.lan = CONTOSO.LAN
        contoso.lan = CONTOSO.LAN

NOTE: uppercase must be used when referring to the root domain (the Kerberos realm). DNS entries for individual hosts do not require this.

7. Configure the web server to require authentication

The final step in the setup process is to tell the web server that authenticated users are required and to define the authentication method. This can be done by adding the following code to the virtualhost file of your site.

<Location />
    AuthType Kerberos
    AuthName "SSO Intranet"
    KrbAuthRealms CONTOSO.LAN
    KrbServiceName HTTP
    # or /etc/kerberos-concatenate.keytab if you built the combined keytab
    Krb5Keytab /etc/kerberos.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    require valid-user
</Location>

Restart Apache. The web server should now be authenticating users based on their Active Directory credentials ([email protected]).