
Within an intranet system on Solaris we currently use Perl's Apache2::AuthenNTLM module to authenticate with a Win 2k3 domain server, so we can access the user ID of the person browsing the site.

Moving to Win 2012 AD servers, we're told this won't support NTLM, which Microsoft don't recommend these days anyway. Is mod-auth-kerb a suitable replacement for this sort of use case?

I've searched Google and can't find a relevant article or tutorial showing mod-auth-kerb being used in such a way. I'm having difficulty in getting started and could use a point in the right direction.

Thanks

Dr.Avalanche
  • Yes, you should be able to use mod-auth-kerb to provide Kerberos based SSO on Apache with Active Directory 2012. Where do the installation instructions on the project site fall short? – HBruijn Aug 29 '14 at 11:29
  • @HBruijn with the perl module it has a clear example of the configuration, with mod-auth-kerb the docs (to me) don't explain the integration and configuration well enough for me. Thanks – Dr.Avalanche Aug 29 '14 at 11:33

1 Answer


You'll need to have your Active Directory administrator create a service account that holds the Kerberos service principals for your intranet server. The SPN or SPNs should look like <service>/<hostname> and contain all the host names and/or DNS aliases users use to access your intranet website, so something like:

http/solarishost.int.example.com
http/solarishost
http/intranet.example.com

Your Active Directory administrator can extract the SPNs to a keytab file, which you need to copy to your Solaris host and configure in Apache. Note: the http/hostname SPN is also used for HTTPS.

On Solaris you'll need the MIT Kerberos 5 tools and libraries; download and install the Apache module, and then configure it.

Typically you'll edit the global Kerberos configuration file /etc/krb5/krb5.conf to set up the defaults mod-auth-kerb will also use. Generally the only important settings are the name of the REALM (typically the Windows AD domain), your DNS domain and the KDC servers, normally the domain controllers your AD administrator tells you to use.

The Apache configuration looks something like this:

<Location /intranet>
 AuthType           Kerberos
 AuthName           "intranet"
 # Offer SPNEGO/Negotiate so a domain-joined browser presents its Kerberos ticket
 KrbMethodNegotiate on
 # KrbMethodK5Passwd defaults to on: when Negotiate fails the browser falls back
 # to Basic auth and the user's AD password travels to this server, so only
 # leave that on behind HTTPS (or set it off for ticket-only SSO)
 KrbAuthoritative   on
 # Verify the client's service ticket against our own keytab key (no KDC spoofing)
 KrbVerifyKDC       on
 # The Kerberos realm, i.e. the AD domain name in UPPER CASE
 KrbAuthRealm       YOUR_ACTIVEDIRECTORY_DOMAIN
 # Keytab exported by the AD administrator; readable by the httpd user only
 Krb5Keytab         /etc/httpd/intranet.keytab
 KrbSaveCredentials off
 # REMOTE_USER is then user@REALM (KrbLocalUserMapping on strips the realm)
 Require            valid-user
</Location>

Some understanding of Kerberos and Microsoft AD helps, as it can be tricky to debug for the uninitiated. Oh, and with Kerberos make sure your clocks are synchronized.

HBruijn
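As an added example (it is not part of HBruijn's answer or of mod-auth-kerb itself), here is the Solaris side of the procedure above as a shell script: it renders the krb5.conf described, and checks an exported keytab for every SPN the site needs before Apache is pointed at it. The realm INT.EXAMPLE.COM, DNS domain int.example.com, domain controllers dc1/dc2.int.example.com and the service account svc-intranet are assumptions; the sample `klist -k` output is constructed, and the AD-side ktpass command appears only as a comment because it is run by the AD administrator on a domain controller.

```shell
#!/bin/bash
# Added example, not code from the original answer. Assumes the hypothetical
# realm INT.EXAMPLE.COM (the AD domain, upper case), DNS domain int.example.com,
# KDCs dc1/dc2.int.example.com and the three SPNs from the answer.
#
# AD administrator side (on a domain controller, one SPN per ktpass run, the
# others added with setspn -S and merged into the same file with /in):
#   setspn -S HTTP/intranet.example.com INT\svc-intranet
#   ktpass /princ HTTP/solarishost.int.example.com@INT.EXAMPLE.COM ^
#          /mapuser INT\svc-intranet /crypto AES256-SHA1 ^
#          /ptype KRB5_NT_PRINCIPAL /pass * /out intranet.keytab
set -eu

# Render a minimal MIT krb5.conf (on Solaris: /etc/krb5/krb5.conf).
# Arguments: REALM DNS_DOMAIN KDC [KDC...]
render_krb5_conf() {
    local realm=$1 domain=$2 kdc
    shift 2
    printf '[libdefaults]\n'
    printf '        default_realm = %s\n' "$realm"
    # Pin the KDCs the AD admin named instead of trusting DNS SRV lookups.
    printf '        dns_lookup_kdc = false\n\n'
    printf '[realms]\n'
    printf '        %s = {\n' "$realm"
    for kdc in "$@"; do
        printf '                kdc = %s\n' "$kdc"
    done
    printf '        }\n\n'
    # Map both the bare domain and every host under it to the realm.
    printf '[domain_realm]\n'
    printf '        .%s = %s\n' "$domain" "$realm"
    printf '        %s = %s\n' "$domain" "$realm"
}

# Read `klist -k <keytab>` output on stdin and print every SPN given as an
# argument that is not in the keytab; returns 1 if anything is missing.
# The comparison is case-insensitive because AD writes the service class as
# HTTP/ while people (and the answer above) tend to write http/.
missing_spns() {
    local listing spn missing=0
    listing=$(cat)
    for spn in "$@"; do
        if ! printf '%s\n' "$listing" | awk -v want="$(printf '%s' "$spn" | tr 'A-Z' 'a-z')" '
            NF >= 2 && $1 ~ /^[0-9]+$/ { p = tolower($2); sub(/@.*/, "", p); if (p == want) found = 1 }
            END { exit found ? 0 : 1 }'; then
            printf '%s\n' "$spn"
            missing=1
        fi
    done
    return $missing
}

# Live check on the Solaris host (needs the real keytab and a reachable KDC,
# so it only runs when called explicitly):
#   check_keytab /etc/httpd/intranet.keytab INT.EXAMPLE.COM \
#       HTTP/solarishost.int.example.com HTTP/solarishost HTTP/intranet.example.com
check_keytab() {
    local keytab=$1 realm=$2
    shift 2
    klist -k "$keytab" | missing_spns "$@" || {
        echo "keytab $keytab lacks the SPNs listed above" >&2
        return 1
    }
    # Obtaining a TGT with the keytab proves its keys match what the KDC has
    # (a stale key after a service-account password reset is the classic failure).
    kinit -k -t "$keytab" "$1@$realm" && klist && kdestroy
    # End-to-end test from a domain-joined client with a ticket:
    #   curl --negotiate -u : https://intranet.example.com/intranet/
}

# Constructed sample `klist -k` output (not from a real system): the keytab
# holds the host's own names but not the intranet.example.com alias.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/intranet.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/solarishost.int.example.com@INT.EXAMPLE.COM
   3 HTTP/solarishost@INT.EXAMPLE.COM'

# Demo: reports HTTP/intranet.example.com as missing from the sample keytab.
printf '%s\n' "$SAMPLE_KLIST" | missing_spns HTTP/solarishost.int.example.com \
    HTTP/solarishost HTTP/intranet.example.com || true
```

Two caveats worth knowing before running the AD-side step: ktpass with `/pass` resets the service account's password, which invalidates any keytab exported earlier (the key version number moves on), so re-export everything in one go; and browsers only send a ticket to sites they trust for Negotiate (the Local intranet zone in Internet Explorer, `network.negotiate-auth.trusted-uris` in Firefox), which is the first thing to check when the Apache side looks right but users still get a password prompt.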