First of all, the mod_auth_kerb module is needed to add Kerberos capabilities to Apache. Besides this, a working Kerberos 5 configuration is needed on the server running Apache.
Prepare Active Directory
- To enable authentication against Active Directory, a dedicated user is needed for each Apache server. The password doesn't really matter, but the username should follow a consistent convention and perhaps carry an explanatory description. Such an account could be http-linuxserver.
- For the newly created account a keytab is needed so that Apache can use the account. To create such a keytab, ktpass.exe is needed. On a server running Windows 2003 the command looks like this:
ktpass.exe -princ HTTP/linuxserver@ACME.COM -mapuser http-linuxserver -crypto DES-CBC-MD5 +DesOnly -pass myverygoodpass -ptype KRB5_NT_PRINCIPAL -out linuxserver.keytab
For domain controllers running Windows 2000 the command might be slightly different.
Configuring Apache
After installing mod_auth_kerb, a couple of configuration settings need to be made.
- First, the previously created keytab file needs to be copied to the server (preferably using scp or similar).
- Change the owner of the keytab file to the user running Apache (depending on your distribution that could be apache, www-data or something else).
- To secure a directory using Kerberos, the following entries need to be added to the appropriate configuration section of Apache:
AuthType Kerberos
AuthName "Kerberos Login"
KrbServiceName HTTP
KrbMethodK5Passwd On
KrbAuthRealms ACME.COM
Krb5KeyTab /etc/httpd/conf/linuxserver.keytab
require valid-user
- Restart Apache to apply the changes.
If you now access the secured website using a version of Internet Explorer that supports Integrated Windows Authentication, you can see the content without being prompted for a password, as long as you are logged in with valid Windows credentials.
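As an added check that is not part of the original how-to, the following Python parses the keytab written by ktpass (assumed to use the MIT keytab layout, version 0x0502) and confirms it holds the HTTP/linuxserver@ACME.COM principal before Krb5KeyTab points at it; it also flags DES enctypes, which the -crypto DES-CBC-MD5 +DesOnly option above selects and which RFC 6649 deprecates. The sample keytab is constructed inline with an all-zero key; parse_keytab, check_keytab and build_entry are names chosen here.

```python
import struct
# Kerberos enctype numbers: the DES family (1-3) is deprecated by RFC 6649.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
def parse_keytab(data: bytes) -> list:
    """Parse an MIT-format (version 0x0502) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,), off = struct.unpack(">H", body[:2]), 2
        def counted_string() -> str:        # uint16 length followed by bytes
            nonlocal off
            (n,) = struct.unpack(">H", body[off:off + 2])
            off += 2 + n
            return body[off - n:off].decode()
        realm = counted_string()
        comps = [counted_string() for _ in range(ncomp)]
        _name_type, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", body[off:off + 13])
        off += 13 + klen                    # skip over the key material itself
        # A trailing 32-bit kvno is present only when the entry has room for it.
        vno = struct.unpack(">I", body[off:off + 4])[0] if off + 4 <= len(body) else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "enctype": enctype, "kvno": vno})
    return entries

def check_keytab(data: bytes, expected_principal: str) -> tuple:
    """Confirm the keytab holds the expected HTTP principal and no DES-only keys."""
    entries, findings = parse_keytab(data), []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append(f"missing principal {expected_principal}")
    findings += [f"{e['principal']} kvno {e['kvno']} uses weak {DES_ENCTYPES[e['enctype']]}"
                 for e in entries if e["enctype"] in DES_ENCTYPES]
    return (not findings, findings)

def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Serialize one keytab entry; used here only to construct the sample input."""
    name, realm = principal.split("@")
    body = struct.pack(">H", len(name.split("/")))
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/linuxserver@ACME.COM", 3, bytes(8), kvno=2)  # constructed sample
```

Against the real file, call check_keytab(open("/etc/httpd/conf/linuxserver.keytab", "rb").read(), "HTTP/linuxserver@ACME.COM") as the Apache user to confirm both the principal and that the file is readable by it.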