Apache poor performance with Kerberos Authentication

apache-2.2kerberosperformance

I have an apache instance that uses kerberos for SSO with an internal application that we have running. However the performance is very very poor.

I believe from a tcp dump that when a user hits some of our dojo forms on the application that apache is making calls to our KDC to ensure that the user has permissions to those files.

As the dojo library is quite hefty, this is taking a long time to run and seriously impacting the performance of dojo based forms to load.

We are using mod_auth_kerb and currently our httpd.conf file looks like this.

<Directory "/opt/myapp/public">
    AllowOverride All
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName KerberosLogin
    KrbServiceName HTTP/taz.uk.mydomain.com@MYDOMAIN.COM
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms MYDOMAIN.COM
    Krb5KeyTab /etc/krb5.keytab
    require valid-user
</Directory>

Is there a command that I can put into the httpd.conf file or a .htaccess file that I put into the javascript directory that holds the dojo library, to tell apache not to authenticate the access to the directory?

I believe that this will improve the site performance 100 fold. (Yes it really is that bad)

Thanks

Best Answer

This is a stab in the dark, but have you checked that DNS is working ok on the web server? If it can't resolve all of the things it needs to on the first try, it'll time out and go to the second server listed in resolv.conf which may account for the success after first taking forever.

Related Solutions

Linking Linux MIT Kerberos with a Windows 2003 Active Directory

You can set up multiple realms in you /etc/krb5.conf file on Linux. See the realms section of the MIT Kerberos docs. You could configure your Windows realm there and users that log in with a principal that's part of that realm will be authenticated against your Windows 2003 Active Directory.

Then you just have to set up Apache with mod_auth_kerb and make sure to set the KrbAuthRealms configuration variable to include all the realms you'd like to be able to authenticate via Apache.

Unless I am missing something, this configuration is not that complicated and pretty standard practice when using multi-realm Kerberos configs.

Single Sign On for intranet with Apache and Linux MIT Kerberos

I found it!

I followed the instructions on https://help.ubuntu.com/community/SingleSignOn (See: "Application Installation") to configure the Apache webserver.

Here is my httpd.conf [IMAGE]:

ServerName www.eindwerk.lan

< Directory /var/www/ > Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

  AuthType Kerberos
KrbMethodNegotiate on

KrbMethodK5Passwd on
  AuthName "Kerberos Login"
  KrbAuthRealm EINDWERK.LAN
  Krb5Keytab /etc/apache2/auth/apache2.keytab
  require valid-user
< /Directory >

Then, I configured Mozilla Firefox to trust my internal site (www.eindwerk.lan) [IMAGE]:

network.negotiate-auth.delegation-uris : eindwerk.lan

network.negotiate-auth.trusted-uris: eindwerk.lan
Do a kinit in a terminal. [IMAGE]
Browse to the internal site: You are now automatically logged in!

How does this work?
- Mozilla Firefox does a regular HTTP/GET request.
- Apache replies with HTTP/401 Authorization Required.
- Mozilla Firefox replies with the Kerberos token we just got with kinit. [IMAGE OF WIRESHARK CAPTURE]
- Kerberos authentication occurs, and Apache replies with HTTP/200 OK.
Do a klist in a terminal. You should see the ticket for the webserver! [IMAGE]
Do a kdestroy in a terminal. [IMAGE]
Hard refresh (CTRL+F5) the internal site. You are now presented with a login prompt! [IMAGE]

Related Topic