Single Sign-On in Apache against Kerberos

2011-02-18

In this article I describe how to connect an Apache web server to Active Directory so that it can use Single Sign-On with Kerberos. Before we start configuring the web server, we need to do a few things on the Windows server running Active Directory. The first step is to add the web server, in this case a Debian machine, as an object in Active Directory so that it can be authenticated.

Since the web server is running on Debian, we need to create a keytab on the server running Active Directory. A keytab is an encrypted, locally stored copy of the web server password in Active Directory. In my case, I used Windows Server 2003, where the tool to create keytabs wasn’t installed by default. In that case you can install Support Tools for Windows Server 2003 to get access to the program. A keytab can be created with the following command at the command prompt:

ktpass.exe -princ HTTP/<www.hanswestman.se>@<HANSWESTMAN.SE> ^
    -mapuser <AD web server object> ^
    -crypto rc4-hmac-nt ^
    -ptype KRB5_NT_SRV_HST ^
    -pass <good_password> -out c:\<filename>.keytab

Now we are finished with Active Directory. I assume you have already installed the Apache web server on your Debian machine. Move the keytab file from the Windows server to the web server and place it in a suitable folder, for example the Apache folder /etc/apache2/. Then install the Kerberos module for Apache, mod_auth_kerb. In Debian, use apt to install the package libapache2-mod-auth-kerb.
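A check worth running on the copied keytab before Apache is pointed at it, given here as an added example that is not part of the original article: it parses the MIT keytab layout (version 0x0502), confirms there is an entry for the HTTP service principal passed to -princ, and flags encryption types that have since been deprecated, such as the rc4-hmac used above. The function names and the sample bytes (with an all-zero key) are constructed for illustration.

```python
import struct

NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED = {1, 2, 3, 23, 24}  # DES, RC4-HMAC-EXP (RFC 6649) and RC4-HMAC (RFC 8429)

def parse_keytab(data):
    """Return one dict per live entry of an MIT-layout (version 0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # a negative size marks a deleted slot
            pos -= size
            continue
        rec, off = data[pos:pos + size], 2
        pos += size
        def counted():                    # uint16 length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]
        (ncomp,) = struct.unpack_from(">H", rec)   # name components, realm excluded
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        off += 11
        key = counted()
        if len(rec) - off >= 4:           # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append({"principal": f"{name}@{realm}", "kvno": kvno, "key_len": len(key),
                        "enctype": NAMES.get(etype, str(etype)), "deprecated": etype in DEPRECATED})
    return entries

def check_keytab(data, expected_spn):
    """Return findings: deprecated enctypes and a missing SPN. Empty list means clean."""
    entries = parse_keytab(data)
    findings = [f"{e['principal']}: deprecated enctype {e['enctype']}"
                for e in entries if e["deprecated"]]
    if all(e["principal"] != expected_spn for e in entries):
        findings.append(f"no entry for {expected_spn}")
    return findings

# Constructed sample, not a real keytab: one rc4-hmac entry, all-zero key, kvno 3.
SAMPLE = (b"\x05\x02\x00\x00\x00\x4d\x00\x02"       # version, entry size 77, 2 components
          b"\x00\x0eHANSWESTMAN.SE\x00\x04HTTP\x00\x12www.hanswestman.se"  # realm, name
          b"\x00\x00\x00\x01\x00\x00\x00\x00\x03\x00\x17\x00\x10"  # type, time, kvno, etype, key length
          + bytes(16) + b"\x00\x00\x00\x03")        # key bytes, 32-bit kvno
```

To check the deployed file, pass its bytes (read with `open(path, "rb")`) together with the principal given to -princ, for example `check_keytab(SAMPLE, "HTTP/www.hanswestman.se@HANSWESTMAN.SE")`.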

Now we will configure Apache to use the module to authenticate visitors to a specific folder. The following configuration is added to Apache:

<Location /test>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms HANSWESTMAN.SE
    Krb5KeyTab /path/to/file.keytab
    require valid-user
</Location>

If everything works, all new visitors to the folder will have to authenticate themselves using their credentials from Active Directory. Users already authenticated against Active Directory should get direct access to the folder on the web server without having to enter their credentials again.