Kerberos single sign-on with Active Directory
- Basic kerberos configuration on midgard server
- Creating keytab for single sign-on
- Configuring midgard vhost
- Browser support for single sign-on
- Troubleshooting and useful links
Kerberos authentication is a third party authentication mechanism supported by Midgard. It allows users to log in to Midgard using their LDAP or Active Directory accounts. In Kerberos authentication users may log in to Midgard in the normal way or using single sign-on method.
Basic kerberos configuration on midgard server
Install mod_auth_kerb.
Configure /etc/krb5.conf
[libdefaults]
default_realm = KERBEROS.REALM
[domain_realm]
apache.server.fqdn = KERBEROS.REALM
[realms]
KERBEROS.REALM = {
kdc = kdc.kerberos.realm
}
Test configuration
$ kinit username
$ klist
If you get ticket from the kerberos server, you should be fine to continue. Otherwise you might find the troubleshooting section, in the end of this document, useful.
Creating keytab for single sign-on
First you must create a user account on the kerberos domain controller server. The user account must not be disabled and the password must stay the same. Otherwise you might need to recreate the keytab. In this example the user account name is "apache_server" and has password "apache_password".
Windows Server 2003:
C:\Program Files\Support Tools>ktpass -princ HTTP/apache.server.fqdn@KERBEROS.REALM -mapuser apache_server -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass apache_password -out name.keytab
Windows Server 2000 (not tested):
C:\Program Files\Support Tools>ktpass -princ HTTP/apache.server.fqdn@KERBEROS.REALM -mapuser dummyuser -crypto DES-CBC-MD5 -pass password -out name.keytab
Install support tools to optain ktpass.exe. After creating the keytab you propably need to reset the password because of the new crypto type. You need to use the same password.
apache.server.fqdn = the site url you are going to use. The url must be resolvable by the kerberos and midgard server to the midgard server ip-address.
Place the keytab file on the midgard server and give apache user read rights to the file.
Test the keytab:
$ kinit -k -t /etc/name.keytab HTTP/apache.server.fqdn
$ klist
If you get ticket from the kerberos server, you should be fine to continue. Otherwise you might find the troubleshooting section, in the end of this document, useful.
Configuring midgard vhost
Below is a configuration for a kerberos SingleSignOn authentication which fallbacks to a kerberos password authentication.
Servername apache.server.fqdn
MidgardAuthType trusted
<Location "/">
AuthName "Kerberos Authentication"
AuthType Kerberos
KrbAuthRealms KERBEROS.REALM
Krb5Keytab /etc/name.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
Order Allow,Deny
# Allow cron scripts etc from local machine
Allow from localhost
Allow from apache.server.fqdn
# Require kerberos for others
Require valid-user
Satisfy any
</Location>
Browser support for single sign-on
Firefox:
Go to about:config edit network.negotiate-auth.trusted-uris and add http(s)://(site)
IE6:
Add the site to trusted sites. Make sure that "Enable Integrated Windows Authentication" is on
Troubleshooting and useful links
In midgard server the site url must be /etc/hosts as a first entry for the ip in question:
172.0.0.1 locahost.localdomain localhost
'ip-address' apache.server.fqdn apache
The midgard server must be in same time with the kerberos server. You can use ntp or ntpdate for this.
GSS failure "Key version number for principal in key table is incorrect"
If you reset the password after creating the keytab you will need to create a new one, even if kinit does not complain the Kerberos server will refuse to serve authentication requests for the "old" keytab.
Links: