HTTP SSO with Apache and Kerberos

The process of setting up HTTP SSO with Kerberos can be broken down into the following steps:


1. Generating a ‘keytab’ file for the Apache host using the ktpass.exe tool.

  • The ktpass command should be run as a Domain Admin.

  • The password given to the “-pass” argument needs to meet the Windows Server 2012 password requirements.


An example command would be:


ktpass -princ HTTP/uriahl.com@URIAHL.COM -mapuser apache -crypto All -DesOnly -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out apache.keytab


uriahl.com – FQDN of the Apache server

URIAHL.COM – the Kerberos REALM for which this keytab is generated

apache – the Active Directory user to map the keytab to

apache.keytab – the keytab filename


2. Configuring the HTTPD VirtualHost to use the auth_kerb_module and its corresponding directives. HTTPD doesn’t usually come pre-installed with this module; you can install it with:


Debian-based installations:


apt-get install libapache2-mod-auth-kerb


Centos/RHEL:


yum install mod_auth_kerb


The installation will prompt you for several configuration options. Enter your Kerberos Realm name, the KDC host (“Kerberos servers for your realm” – the hostname of the machine that hosts your KDC), and the administrative server’s hostname (you may use the same value as the previous field, depending on your setup).


*A Kerberos Realm is by convention your AD domain in capital letters. For example, if my AD domain is domain.uriahl.com, my realm should be named DOMAIN.URIAHL.COM


At this point, be sure to copy the keytab file generated in step 1 to the Apache machine and secure it so that only the OS user that runs Apache can read it.


An example of a full SSL-enabled Apache VirtualHost config that proxies Artifactory and uses Kerberos authentication for the “/artifactory” location looks like this (the “Krb5KeyTab” directive points to the location of the keytab file):


Listen 443

<VirtualHost *:443>
    ServerAdmin uriahl@uriahl.com
    ServerName apache.server.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.crt
    SSLCertificateKeyFile /etc/ssl/certs/cert.key
    SSLProxyEngine on

    ErrorLog "/private/var/log/apache2/uriahl.com-error_log"
    CustomLog "/private/var/log/apache2/uriahl.com-access_log" common

    <Location /artifactory>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        # KrbMethodK5Passwd On also accepts a Basic-auth username/password, which mod_auth_kerb
        # verifies against the KDC; set it Off to accept Negotiate (ticket) authentication only
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.URIAHL.COM
        KrbLocalUserMapping On
        Krb5KeyTab /usr/local/apache2/keytab/apache.keytab
        require valid-user
        # Copy the authenticated principal into the REMOTE_USER request header for Artifactory
        RewriteEngine On
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

    RewriteEngine on

    RewriteCond %{SERVER_PORT} (.*)
    RewriteRule (.*) - [E=my_server_port:%1]
    ## NOTE: the REQUEST_SCHEME variable is supported only by Apache 2.4 and above
    RewriteCond %{REQUEST_SCHEME} (.*)
    RewriteRule (.*) - [E=my_scheme:%1]

    RewriteCond %{HTTP_HOST} (.*)
    RewriteRule (.*) - [E=my_custom_host:%1]
    RewriteRule ^/$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory(/)?$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory/webapp$ /artifactory/webapp/ [R,L]

    RequestHeader set Host %{my_custom_host}e
    RequestHeader set X-Forwarded-Port %{my_server_port}e
    ## NOTE: my_scheme relies on REQUEST_SCHEME, which is supported only by Apache 2.4 and above
    RequestHeader set X-Forwarded-Proto %{my_scheme}e
    RequestHeader set X-Artifactory-Override-Base-Url %{my_scheme}e://artifactory_host:8081/artifactory
    # RequestHeader set REMOTE_USER %{REMOTE_USER}e
    ProxyPassReverseCookiePath /artifactory /artifactory

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass /artifactory/ http://artifactory_host:8081/artifactory/
    ProxyPassReverse /artifactory/ http://artifactory_host:8081/artifactory/
</VirtualHost>


*In this example I have a root httpd.conf file that loads the mod_auth_kerb module by specifying:


LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so


*In addition to the mod_auth_kerb module, the following modules are required for the above configuration to work:

mod_headers
mod_proxy
mod_ssl
mod_rewrite
mod_proxy_http


3. Configuring Artifactory to accept HTTP SSO authentication based on the REMOTE_USER header. Because Artifactory will trust whatever REMOTE_USER value it receives, make sure port 8081 is reachable only from the Apache host, so that requests cannot bypass the proxy.


That’s it!


Appendix with useful links:




Debugging common failures:


Error #1


[Mon Jun 27 13:54:42.271303 2016] [auth_kerb:error] [pid 2301:tid 140157256722176] [client 192.168.99.1:54417] krb5_get_init_creds_password() failed: KDC has no support for encryption type


It might mean that Active Directory is not configured to allow the encryption type you used when generating the keytab file. In our example we used “-crypto All”, which means the generated keytab supports all algorithms, but you may want to restrict this to just the strongest encryption types. You can refer to this link, which has step-by-step instructions on enabling the various encryption types supported by your AD domain. Also see this link.


Error #2


[Mon Jun 27 12:25:10.517382 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] [client 192.168.99.1:52174] failed to verify krb5 credentials: Server not found in Kerberos database


The Apache error log shows “Server not found in Kerberos database”; see:

http://serverfault.com/questions/547110/kerberos-signle-sign-on-for-website
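A small triage script for the two failures above, added here as an example (it is not part of the original guide): it parses Apache 2.4 error_log lines in the shape shown, keeps only auth_kerb errors and maps each known message to the cause described above. The sample log is constructed from the two quoted lines plus one unrelated proxy error.

```python
import re
from datetime import datetime
# Apache 2.4 error_log line shape, as in the two mod_auth_kerb lines quoted above:
# [timestamp] [module:level] [pid N:tid N] [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] \[client (?P<ip>[^:\]]+):\d+\] (?P<msg>.*)$")

# Failure messages the guide explains, mapped to the cause it attributes to each.
KNOWN_FAILURES = {
    "KDC has no support for encryption type":
        "AD does not allow an encryption type present in the keytab (Error #1)",
    "Server not found in Kerberos database":
        "no HTTP/<fqdn> SPN for this host in AD; check ktpass -princ/-mapuser (Error #2)",
}

def parse_line(line):
    """Split one error_log line into its fields; None for a line in another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return rec

def classify(rec):
    """Name the cause of a mod_auth_kerb error, or None if the record is not one."""
    if rec is None or rec["module"] != "auth_kerb" or rec["level"] != "error":
        return None
    for needle, cause in KNOWN_FAILURES.items():
        if needle in rec["msg"]:
            return cause
    return "unrecognised auth_kerb error: " + rec["msg"]

def triage(log_text):
    """Return (time, client ip, cause) for every auth_kerb error, oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        cause = classify(rec)
        if cause:
            hits.append((rec["time"], rec["ip"], cause))
    return sorted(hits)

# Constructed sample: the two lines quoted in the guide plus one unrelated proxy error.
SAMPLE_LOG = """\
[Mon Jun 27 13:54:42.271303 2016] [auth_kerb:error] [pid 2301:tid 140157256722176] [client 192.168.99.1:54417] krb5_get_init_creds_password() failed: KDC has no support for encryption type
[Mon Jun 27 12:25:10.517382 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] [client 192.168.99.1:52174] failed to verify krb5 credentials: Server not found in Kerberos database
[Mon Jun 27 13:55:01.000000 2016] [proxy:error] [pid 2301:tid 140157256722176] [client 192.168.99.1:54420] Error reading from remote server returned by /artifactory/
"""
```

Run `triage(SAMPLE_LOG)` over your own error_log contents to get the auth_kerb failures in time order with the likely cause next to each.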