Kerberos authentication in Apache

First of all the mod_auth_kerb is needed to add kerberos capabilities to Apache. Besides this a working configuration of kerberos 5 is needed on the server running Apache.

Prepare Active Directoy

  1. To enable authentication against Active Directory a dedicated user is needed for each Apache server. The password doesn’t really matter, but the username should use a certain convention and maybe a explaining description. Such a account could be http-linuxserver.
  2. For the newly created account a keytab is needed to use the account from Apache. To create such a keytab the ktpass.exe is needed. The command on a Server running Windows 2003 looks like this:
             ktpass.exe -princ HTTP/linuxserver@ACME.COM
             -mapuser http-linuxserver
             -crypto DES-CBC-MD5 +DesOnly
             -pass myverygoodpass
             -ptype KRB5_NT_PRINCIPAL
             -out linuxxserver.keytab

    For domain-controllers running Windows 2000 the command might be slightly different.

Configuring Apache

After installing the mod_auth_kerb a couple configuration settings need to be made.

  1. First the previously created keytab file needs to be copied to the server (prefferedly using scp or simillar).
  2. Change to owner of the keytab-file to the user running Apache (depending on your distribution that could be apache, www-data or something else).
  3. To secure a directory or using kerberos the following entries need to be added to the appropriate configuration section of apache:
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbServiceName HTTP
        KrbMethodK5Passwd On
        KrbAuthRealms ACME.COM
        Krb5KeyTab /etc/httpd/conf/linuxserver.keytab
        require valid-user
  4. Restart Apache to apply the changes.

If you now access the secured website using Internet Explorer that supports Integrated Windows Authentication, you can see the content without being prompted for a password as long as you have valid windows-credentials.