Authenticating Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active directory

Tags: active-directory, apache-2.4, gssapi, sasl

I'm looking for the following configurations for GSSAPI authentication with Apache 2.4 for Active Directory:

1. How to configure Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active Directory? Is there any documentation or POC example stating the required configuration in Apache HTTPServer 2.4.x for GSSAPI, so as to authenticate using the GSSAPI mechanism with Microsoft Active Directory?

2. Does mod_auth_gssapi provide Integrity & Confidentiality security services? If yes, what configuration is required in Apache HTTPServer?
Reference for Integrity & Confidentiality in GSSAPI.

As per my analysis, Active Directory supports the GSSAPI SASL mechanism. But Apache HTTPServer does not support GSSAPI as an out-of-the-box configuration. However, using mod_auth_gssapi it's possible for Apache HTTPServer to look up users & their credentials in Active Directory and thereby authenticate using the GSSAPI mechanism.

Currently, I have the Basic authentication provider configured as below in Apache HTTPServer, which needs to be replaced with mod_auth_gssapi to implement the GSSAPI authentication mechanism:

# Basic Authentication provider

<AuthnProviderAlias ldap MyEnterpriseLdap>
  AuthLDAPURL "ldap://machine1.abcd.com:389/CN=Users,DC=abcd,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=rohit,CN=Users,DC=abcd,DC=com"
  AuthLDAPBindPassword "abc123"
  LDAPReferrals Off
</AuthnProviderAlias>

# Authenticated resources

<LocationMatch ^/+WebApp/+(;.*)?>
  AuthName "WebApp"
  AuthType Basic
  AuthBasicProvider MyEnterpriseLdap
  Require valid-user
</LocationMatch>

Thanks.

Best Answer

I managed to make GSSAPI work using the following tutorial: http://www.jfcarter.net/~jimc/documents/bugfix/41-auth-kerb.html

What I did (I'm on Debian)

Join the domain

Install packages:

apt-get install --no-install-recommends winbind smbclient krb5-config krb5-user libldap-common

In /etc/krb5.conf:

[libdefaults]
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

    ### My changes ###
    default_realm = MY-DOMAIN.FR
    default_keytab_name = FILE:/etc/krb5.keytab
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    # AD in 2008+? Using AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ### end ###

[realms]
    MY-DOMAIN.FR = {
        kdc = ad1.my-domain.fr
        kdc = ad2.my-domain.fr
        master_kdc = ad1.my-domain.fr
        admin_server = ad1.my-domain.fr
        default_domain = my-domain.fr
        # Hack to remove the '@my-domain.fr' part of the user login, to keep only the prefix (facultative; used to simplify my PHP auth mechanism)
        # Source: http://comp.protocols.kerberos.narkive.com/57JV8mmf/libapache2-mod-auth-kerb-and-cross-realm
        #       (Greg Hudson)
        auth_to_local = RULE:[1:$1@$0](.*@my-domain.fr)s/@my-domain.fr$//
        auth_to_local = DEFAULT
    }

[domain_realm]
    .my-domain.fr = MY-DOMAIN.FR
    my-domain.fr = MY-DOMAIN.FR

In /etc/samba/smb.conf:

[global]
    workgroup           = MY-DOMAIN
    realm               = MY-DOMAIN.FR
    security            = ADS
    encrypt passwords   = yes
    password server     = ad1.my-domain.fr
    kerberos method     = system keytab

(the rest of the file is unmodified)

Disable referrals for LDAP calls:

/bin/echo 'REFERRALS off' >> /etc/ldap/ldap.conf

Join the domain:

kinit administrateur
  # (use an admin AD account)
net ads join -U administrateur createcomputer=OU=Member\ servers,DC=my-domain,DC=fr
  # (specify where you want to store the object in your AD.
  # I translated the name into English, so 'Member Servers' is just an example)

Keytab for http

Create a keytab in /etc/krb5.keytab:

net ads keytab add HTTP -U administrateur

Protect it (in my case, www-data is the Unix user used for serving web pages):

chmod 640 /etc/krb5.keytab
chown root:www-data /etc/krb5.keytab

I added a script in the crontab to renew this keytab once a day. Not sure it is still needed, but on previous versions of Debian I had some bugs when the file was outdated. So I made a script in Expect calling net ads keytab add HTTP -U my-linux.ad-account for me. And it is still there :)

Configure Apache

Get GSSAPI for Apache:

apt-get install --no-install-recommends libapache2-mod-auth-gssapi

Activate session cookies (to avoid re-authenticating the user on each page) - facultative

a2enmod session
a2enmod session_cookie

In your Apache site config (e.g. /etc/apache2/sites-available/000-default.conf):

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /your/web/root

    <Directory /your/web/root>
        AuthType                GSSAPI
        AuthName                "My Domain"
        GssapiCredStore         keytab:/etc/krb5.keytab
        GssapiAcceptorName      HTTP
        GssapiBasicAuth         On
        GssapiNegotiateOnce     On
        GssapiSSLonly           On
        GssapiLocalName         On
        # Use a cookie to keep the session, to avoid re-authenticating the user on each page
        # (facultative)
        GssapiUseSessions       On
        GssapiDelegCcacheDir    /run/apache2/clientcaches
        <IfModule mod_session.c>
            Session on
        </IfModule>
        <IfModule mod_session_cookie.c>
            SessionCookieName gssapi_session path=/;httponly;secure;
        </IfModule>

        Require valid-user
    </Directory>

    ....
</VirtualHost>

Restart Apache and pray

service apache2 restart

I hope I didn't forget anything.

Footnotes: the web clients won't delegate their credentials (and the SSO will not work) if:

  • your web server is not using TLS (SSLEngine on)
  • your web server is not in the clients' trusted sites ("Intranet Sites" in your Internet settings, for example)
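The answer above relies on `GssapiLocalName On` plus the two `auth_to_local` rules in krb5.conf to turn the Kerberos principal into the local user name that Apache exposes as REMOTE_USER. The evaluator below is an added example (not code from the answer, mod_auth_gssapi, or MIT krb5) that walks those two rules the way the library does: the `[n:string]` prefix selects principals with exactly n components, `$0` expands to the realm and `$1..$n` to the components, the optional `(regexp)` must match the expanded string, and the trailing `s/pattern/replacement/[g]` substitutions are applied in order; `DEFAULT` maps only single-component principals of the default realm. Two details are assumptions of this example rather than facts from the page: the match expression is applied to the whole expanded string, and matching is case-sensitive. Under those assumptions the first rule only fires when the realm in the principal is written in lower case, so it is the `DEFAULT` rule that maps `jdoe@MY-DOMAIN.FR` to `jdoe`, while a principal from another realm or a two-component service principal gets no local name at all.

```python
import re
from typing import List, Optional, Tuple

# Values copied from the krb5.conf in the answer above.
DEFAULT_REALM = "MY-DOMAIN.FR"
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](.*@my-domain.fr)s/@my-domain.fr$//",
    "DEFAULT",
]

# RULE:[n:string](regexp)s/pattern/replacement/g   (the (regexp) part is optional)
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
# One s/pattern/replacement/[g] clause; backslash escapes a literal slash.
_SED_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into its name components and realm."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    return name.split("/"), realm


def _expand(fmt: str, components: List[str], realm: str) -> str:
    """Expand $0 (realm) and $1..$n (components) in the selection string."""
    def sub(m: re.Match) -> str:
        idx = int(m.group(1))
        if idx == 0:
            return realm
        if idx <= len(components):
            return components[idx - 1]
        raise ValueError(f"rule references component ${idx} that the principal lacks")
    return re.sub(r"\$(\d+)", sub, fmt)


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one rule, or None if the rule does not apply."""
    components, realm = split_principal(principal)

    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm.
        if realm == DEFAULT_REALM and len(components) == 1:
            return components[0]
        return None

    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    ncomp, fmt, match_exp, seds = int(m.group(1)), m.group(2), m.group(3), m.group(4)

    # [n:...] selects principals with exactly n components.
    if len(components) != ncomp:
        return None

    selected = _expand(fmt, components, realm)

    # Assumption of this example: the match expression must cover the whole
    # expanded string and is case-sensitive (POSIX extended regex, no REG_ICASE).
    if match_exp is not None and re.fullmatch(match_exp, selected) is None:
        return None

    # Apply each s/pattern/replacement/[g] clause in order; 'g' means all occurrences.
    for pattern, repl, flag in _SED_RE.findall(seds):
        selected = re.sub(pattern, repl, selected, count=0 if flag == "g" else 1)
    return selected


def map_principal(principal: str, rules: List[str] = AUTH_TO_LOCAL_RULES) -> Optional[str]:
    """First rule that applies wins; None means no rule produced a local name."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    for p in ("jdoe@MY-DOMAIN.FR", "jdoe@my-domain.fr",
              "jdoe@OTHER.FR", "HTTP/web.my-domain.fr@MY-DOMAIN.FR"):
        print(f"{p:40} -> {map_principal(p)}")
```

Feed it the principals you expect on your own site, including ones from trusted realms, before switching `GssapiLocalName` on: a principal that maps to None here is one that your `Require` directives will not see under the short user name you planned for.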
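The two settings that the footnotes and the Apache block above hinge on (`SSLEngine on` together with `GssapiSSLonly On`, and a session cookie marked `secure;httponly`) are easy to lose when the configuration is copied between hosts, and the krb5.conf above lists RC4-HMAC and single-DES next to AES. The following lint is an added example, not part of the answer or of mod_auth_gssapi; the two configuration samples are constructed here, modelled on the answer, and the set of legacy enctypes is this example's own classification (RC4-HMAC and single-DES are deprecated or disabled in current MIT krb5 and Windows Active Directory). The directive names are the real ones used in the answer. The checks are line-based and ignore Apache includes and inheritance, so use them as a pre-deployment lint rather than a configuration parser.

```python
import re
from typing import Dict, List, Optional

# Constructed sample inputs modelled on the answer's configuration (not from a live host).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MY-DOMAIN.FR
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

SAMPLE_APACHE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    <Directory /your/web/root>
        AuthType            GSSAPI
        GssapiCredStore     keytab:/etc/krb5.keytab
        GssapiBasicAuth     On
        GssapiSSLonly       On
        GssapiUseSessions   On
        SessionCookieName gssapi_session path=/;httponly;secure;
        Require valid-user
    </Directory>
</VirtualHost>
"""

# This example's classification: RC4 and single-DES enctype names as MIT krb5 spells them.
LEGACY_ENCTYPES = {
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
}
_ENCTYPE_SETTINGS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def weak_enctypes(krb5_conf: str) -> Dict[str, List[str]]:
    """Map each enctype setting to the legacy enctypes it lists (empty dict if none)."""
    findings: Dict[str, List[str]] = {}
    pattern = r"^\s*(" + "|".join(_ENCTYPE_SETTINGS) + r")\s*=\s*(.+)$"
    for m in re.finditer(pattern, krb5_conf, re.M):
        weak = [e for e in m.group(2).split() if e.lower() in LEGACY_ENCTYPES]
        if weak:
            findings[m.group(1)] = weak
    return findings


def directive(conf: str, name: str) -> Optional[str]:
    """Return the argument string of the first occurrence of an Apache directive."""
    m = re.search(rf"^\s*{re.escape(name)}\s+(.+?)\s*$", conf, re.M | re.I)
    return m.group(1) if m else None


def _is_on(conf: str, name: str) -> bool:
    return (directive(conf, name) or "").lower() == "on"


def audit_apache(conf: str) -> List[str]:
    """List the TLS and cookie problems a mod_auth_gssapi site block should not have."""
    problems: List[str] = []
    if not _is_on(conf, "SSLEngine"):
        problems.append("SSLEngine is not on: Negotiate tokens and session cookies would travel in clear text")
    if not _is_on(conf, "GssapiSSLonly"):
        problems.append("GssapiSSLonly is not On: the module would accept authentication over plain HTTP")
        if _is_on(conf, "GssapiBasicAuth"):
            problems.append("GssapiBasicAuth On without GssapiSSLonly: passwords could be sent over plain HTTP")
    if _is_on(conf, "GssapiUseSessions"):
        cookie = directive(conf, "SessionCookieName")
        if cookie is None:
            problems.append("GssapiUseSessions On but no SessionCookieName configured")
        else:
            for flag in ("secure", "httponly"):
                if flag not in cookie.lower():
                    problems.append(f"session cookie lacks the {flag} attribute")
    return problems


if __name__ == "__main__":
    print("krb5.conf legacy enctypes:", weak_enctypes(SAMPLE_KRB5_CONF))
    print("apache problems:", audit_apache(SAMPLE_APACHE_CONF) or "none")
    weakened = SAMPLE_APACHE_CONF.replace("GssapiSSLonly       On", "GssapiSSLonly       Off")
    print("apache problems (GssapiSSLonly Off):", audit_apache(weakened))
```

Run it against the real files (`open("/etc/krb5.conf").read()` and the site config) from a deployment hook; a non-empty result from either function is worth failing the deployment on, since the answer's footnotes already tell you that browsers will not even attempt SSO against a non-TLS site.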