Iis – Single Sign-on for Intranet WordPress using OpenID (or OAuth), IIS, Integrated Windows Authentication, Active Directory

I found it!

I followed the instructions on https://help.ubuntu.com/community/SingleSignOn (See: "Application Installation") to configure the Apache webserver.

Here is my httpd.conf [IMAGE]:

ServerName www.eindwerk.lan

< Directory /var/www/ > Options Indexes FollowSymLinks MultiViews

   AllowOverride None
   Order allow,deny
   allow from all

  AuthType Kerberos

KrbMethodNegotiate on

KrbMethodK5Passwd on

  AuthName "Kerberos Login"
  KrbAuthRealm EINDWERK.LAN
  Krb5Keytab /etc/apache2/auth/apache2.keytab
  require valid-user

< /Directory >

1. Then, I configured Mozilla Firefox to trust my internal site (www.eindwerk.lan) [IMAGE]:

   network.negotiate-auth.delegation-uris : eindwerk.lan

   network.negotiate-auth.trusted-uris: eindwerk.lan

2. Do a kinit in a terminal. [IMAGE]

3. Browse to the internal site: You are now automatically logged in!

   How does this work?

   • Mozilla Firefox does a regular HTTP/GET request.
   • Apache replies with HTTP/401 Authorization Required.
   • Mozilla Firefox replies with the Kerberos token we just got with kinit. [IMAGE OF WIRESHARK CAPTURE]
   • Kerberos authentication occurs, and Apache replies with HTTP/200 OK.

4. Do a klist in a terminal. You should see the ticket for the webserver! [IMAGE]

5. Do a kdestroy in a terminal. [IMAGE]

6. Hard refresh (CTRL+F5) the internal site. You are now presented with a login prompt! [IMAGE]

By default, integrated windows authentication is only used for the "local intranet" zone in Internet Explorer. Thus, if www.school.com isn't recognized by IE as being a part of the local intranet, integrated authentication won't work.