
I'm currently trying to set up Apache as an authentication portal. It's supposed to act as a reverse proxy with krb authentication.

My Apache server is named portal.example.com (Debian container). My IPA server is named freeipa.example.com (CentOS container).

Here's my current Apache configuration on portal.example.com:

<Location />
   AuthType Kerberos
   AuthName "Login on test domain"
   KrbAuthRealm TEST.COM
   Krb5Keytab /etc/apache2/portal.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   KrbServiceName HTTP/portal.example.com@TEST.COM
   require valid-user
</Location>

I can't get it working as I want: I don't want it to ask users to enter their password, so I configured Firefox to let it negotiate the authentication, but I always get a 401/Unauthorized. However, if I set KrbMethodK5Passwd to on and then log in with my krb username and password, I get a 200 HTTP response. Any idea how to do it without asking for credentials? :(

Amina

1 Answer


Check if /etc/apache2/portal.keytab is owned by the webserver user (www-data on Debian systems) and only readable by this user (-r--------).

Check if you configured your browser for both the domain test.com and its subdomains:

about:config
network.negotiate-auth.trusted-uris  test.com, .test.com
felix
  • I checked everything about the keytab file and it seemed to be okay. But great news: finally got it working! My Apache krb5.conf was actually missing two lines. Thanks anyway for your suggestion! – Amina Jul 01 '16 at 11:06
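
The keytab checks from the answer, written as an added example that is not code from the question or the answer. It goes one step further and also confirms that the keytab holds a key for the principal named in KrbServiceName. It assumes an MIT-format keytab (file format 0x0502); the function names and the sample keytab are constructed for illustration.

```python
import os, pwd, stat, struct

def _counted(buf, pos):  # counted octet string: uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def keytab_principals(buf):
    """Return principal names found in an MIT keytab (file format 0x0502)."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = set(), 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)  # signed entry length
        pos += 4
        if size > 0:  # negative size marks a deleted entry (hole): skip it
            (ncomp,) = struct.unpack_from(">H", buf, pos)
            realm, p = _counted(buf, pos + 2)
            parts = []
            for _ in range(ncomp):
                part, p = _counted(buf, p)
                parts.append(part)
            names.add((b"/".join(parts) + b"@" + realm).decode())
        pos += abs(size)
    return names

def check_keytab(path, owner_uid, principal):
    """Return a list of problems; an empty list means every check passed."""
    st, problems = os.stat(path), []
    if st.st_uid != owner_uid:
        problems.append("owner uid is %d, expected %d" % (st.st_uid, owner_uid))
    if stat.S_IMODE(st.st_mode) != 0o400:  # -r-------- as the answer asks
        problems.append("mode is %04o, expected 0400" % stat.S_IMODE(st.st_mode))
    with open(path, "rb") as f:
        if principal not in keytab_principals(f.read()):
            problems.append("no key for " + principal)
    return problems

def sample_keytab(realm, parts):
    """Constructed sample data: one entry holding an all-zero AES-256 key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(parts)) + cs(realm) + b"".join(map(cs, parts))
    body += struct.pack(">IIBH", 1, 0, 1, 18) + cs(bytes(32))  # type, time, kvno, enctype
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    uid = pwd.getpwnam("www-data").pw_uid  # Debian web server user
    spn = "HTTP/portal.example.com@TEST.COM"  # from KrbServiceName
    for problem in check_keytab("/etc/apache2/portal.keytab", uid, spn):
        print("FAIL:", problem)
```

Run it as root or as the web server user, since a correctly protected keytab is unreadable to anyone else.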