Kerberos & single-sign-on for website
- by Dylan Klomparens
I have a website running on a Linux computer using Apache. I've employed mod_auth_kerb for single-sign-on Kerberos authentication against a Windows Active Directory server.
In order for Kerberos to work correctly, I've created a service account in Active Directory called dummy.
I've generated a keytab for the Linux web server using ktpass.exe on the Windows AD server using this command:
ktpass /out C:\krb5.keytab /princ HTTP/[email protected].COM /mapuser [email protected].COM /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass xxxxxxxxx
I can successfully get a ticket from the Linux web server using this command:
kinit -k -t /path/to/keytab HTTP/[email protected].COM
... and view the ticket with klist.
I have also configured my web server with these Kerberos properties:
<Directory />
    AuthType                Kerberos
    AuthName                "Example.com Kerberos domain"
    KrbMethodK5Passwd       Off
    KrbAuthRealms           EXAMPLE.COM
    KrbServiceName          HTTP/[email protected].COM
    Krb5KeyTab              /path/to/keytab
    Require                 valid-user
    SSLRequireSSL
    <Files wsgi.py>
            Order deny,allow
            Allow from all
    </Files>
</Directory>
However, when I attempt to log in to the website (from another desktop with username 'Jeff') my Kerberos credentials are not automatically accepted by the web server. It should grant me access immediately after that, but it does not. The only information I get from the mod_auth_kerb logs is:
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
However, more information is revealed when I change the mod_auth_kerb setting KrbMethodK5Passwd to On:
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1939): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1031): [client xxx.xxx.xxx.xxx] Using HTTP/[email protected].COM as server principal for password verification
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(735): [client xxx.xxx.xxx.xxx] Trying to get TGT for user [email protected].COM
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(645): [client xxx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/[email protected].COM
[Fri Oct 18 17:26:44 2013] [debug] src/mod_auth_kerb.c(1110): [client xxx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=0 [email protected].COM authtype=Basic
What am I missing? I've studied a lot of online tutorials and cannot find a reason why the Kerberos credentials are not allowing access.
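As an added diagnostic example, not part of the original question: when mod_auth_kerb logs only `kerb_authenticate_user entered with user (NULL)`, the first thing to establish is what the browser actually put in its `Authorization` header on the retried request after the 401 `WWW-Authenticate: Negotiate` challenge. mod_auth_kerb can consume a SPNEGO token or a raw Kerberos GSS-API token; an NTLM token (which a Windows client falls back to when it cannot obtain a service ticket for the SPN) or no header at all both produce the same bare log line. The script below classifies a captured header value by its leading bytes. The header samples are constructed for this example, and the OID constants are the standard GSS-API mechanism OIDs for SPNEGO (1.3.6.1.5.5.2) and Kerberos V5 (1.2.840.113554.1.2.2); nothing here is taken from the poster's setup.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value). Standard constants.
SPNEGO_OID = bytes.fromhex("06062b06010505" "02")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"                         # start of every NTLMSSP message


def _der_decode_length(buf, pos):
    """Parse a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n):
    """Inverse of _der_decode_length, used only to build the constructed samples."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def classify_negotiate_token(authorization_header):
    """Classify the value of an HTTP Authorization header.

    Returns one of: 'none', 'other-scheme', 'malformed', 'ntlm', 'spnego',
    'kerberos', 'unknown'. Only 'spnego' and 'kerberos' are usable by mod_auth_kerb.
    """
    if not authorization_header:
        return "none"                      # browser sent no credentials at all
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"              # e.g. Basic; rejected when KrbMethodK5Passwd is Off
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"                      # NTLMSSP fallback; mod_auth_kerb cannot use it
    # RFC 2743 InitialContextToken: 0x60 <DER length> <mechanism OID> <inner token>
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = _der_decode_length(token, 1)
    except (ValueError, IndexError):
        return "malformed"
    if token.startswith(SPNEGO_OID, pos):
        return "spnego"
    if token.startswith(KRB5_OID, pos):
        return "kerberos"
    return "unknown"


def _gss_initial_token(mech_oid, inner):
    """Wrap mech_oid + inner in the RFC 2743 InitialContextToken framing (for samples)."""
    body = mech_oid + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def _header(token_bytes):
    return "Negotiate " + base64.b64encode(token_bytes).decode("ascii")


# Constructed sample headers; the inner token bodies are filler, not real tickets.
SAMPLE_HEADERS = {
    # SPNEGO NegTokenInit with 200 filler bytes, long enough to exercise long-form DER lengths
    "spnego": _header(_gss_initial_token(SPNEGO_OID, b"\xa0" + bytes(199))),
    # raw Kerberos AP-REQ token: TOK_ID 01 00 followed by filler
    "kerberos": _header(_gss_initial_token(KRB5_OID, b"\x01\x00" + bytes(40))),
    # NTLM Type 1 (negotiate) message: signature, type, flags, empty domain/workstation fields
    "ntlm": _header(NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(24)),
    # Basic credentials 'jeff:secret' (constructed); never accepted with KrbMethodK5Passwd Off
    "basic": "Basic amVmZjpzZWNyZXQ=",
    "missing": None,
}


def classify_all(headers=SAMPLE_HEADERS):
    """Classify every captured header; returns {name: classification}."""
    return {name: classify_negotiate_token(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, kind in classify_all().items():
        print(f"{name:10s} -> {kind}")
```

To use it on a real capture, put the `Authorization` header value from the browser's developer tools (or from `LogFormat "%{Authorization}i"` in Apache, or a tcpdump of the request) into `classify_negotiate_token`. A result of `ntlm` means the client never got a ticket for the service principal (the SPN or the site's zone configuration is the place to look); `none` on the second request means the browser did not answer the Negotiate challenge at all; only `spnego` or `kerberos` means the token reached mod_auth_kerb and the keytab and principal name are the next thing to verify.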