I need to set up authentication for a Ruby on Rails application via Active Directory using Kerberos authentication.
Some technical information:
- I am using Apache
- installed mod_auth_kerb
- In httpd.conf I added `LoadModule auth_kerb_module modules/mod_auth_kerb.so`
In /etc/krb5.conf I added the following configuration:

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EU.ORG.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 EU.ORG.COM = {
  kdc = eudc05.eu.org.com:88
  admin_server = eudc05.eu.org.com:749
  default_domain = eu.org.com
 }

[domain_realm]
 .eu.org.com = EU.ORG.COM
 eu.org.com = EU.ORG.COM

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
```
When I test `kinit validuser` and enter the password, authentication is successful.
`klist` returns:

```
Ticket cache: FILE:/tmp/krb5cc_600
Default principal: validuser@EU.ORG.COM

Valid starting     Expires            Service principal
02/08/13 13:46:40  02/08/13 23:46:47  krbtgt/EU.ORG.COM@EU.ORG.COM
        renew until 02/09/13 13:46:40

Kerberos 4 ticket cache: /tmp/tkt600
klist: You have no tickets cached
```
In the application's Apache configuration I added:

```
<IfModule mod_auth_kerb.c>
  <Location /winlogin>
    AuthType Kerberos
    AuthName "Kerberos Loginsss"
    KrbMethodNegotiate off
    KrbAuthoritative on
    KrbVerifyKDC off
    KrbAuthRealms EU.ORG.COM
    Krb5Keytab /home/crmdata/httpd/apache.keytab
    KrbSaveCredentials off
    Require valid-user
  </Location>
</IfModule>
```
I restarted Apache.
Now some tests:

When I try to access the application from Win7, I get a pop-up message box with the text:

> Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)

When I enter valid credentials, my application opens successfully and everything works fine.
Questions:

- Is it OK that such a window pops up for the user? If I use NTLM authentication there is no such pop-up. I checked IE Internet Options and 'Enable Integrated Windows Authentication' is checked.
- Why does IE try to send the username and password to the Apache application? If I understand correctly, Windows itself should perform the authentication against Active Directory using the Kerberos protocol.
- When I try to access the application from Win7 and enter incorrect credentials in the pop-up box, the application says "Authentication failed" (this is OK). In the Apache error log I see:

  ```
  [error] [client 192.168.56.1] krb5_get_init_creds_password() failed: Client not found in Kerberos database
  ```

  But now I cannot get the possibility to enter valid credentials again; only when I restart IE do I get the pop-up box again.

What could be incorrect or missing in my Kerberos setup?
I read in a blog post that something probably needs to be done on the Active Directory side. What exactly?
Best Answer

You need

```
KrbMethodNegotiate on
```

Without that the HTTP client is essentially doing auth-basic to Apache and Apache is testing the password against the KDC.

Also, for security's sake you should really set

```
KrbVerifyKDC on
```
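The `<Location>` block from the question with the answer's two fixes applied, as an added example that is not part of the question or the answer. It goes one step beyond the answer by also setting `KrbMethodK5Passwd off`, which removes the Basic-auth password fallback that produces the pop-up, and it assumes the keytab at /home/crmdata/httpd/apache.keytab contains the web server's HTTP service key (required for Negotiate and for KDC verification).

```apache
<IfModule mod_auth_kerb.c>
  <Location /winlogin>
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Offer SPNEGO/Negotiate so IE presents the user's existing AD
    # service ticket instead of prompting for a password (the answer's
    # first fix).
    KrbMethodNegotiate on

    # Beyond the answer: refuse the Basic-auth fallback entirely, so a
    # password is never typed into a pop-up and sent to Apache.
    KrbMethodK5Passwd off

    # Verify the KDC's reply against the service key in the keytab
    # (the answer's second fix). Needs the HTTP/<fqdn> key in the keytab.
    KrbVerifyKDC on

    KrbAuthoritative on
    KrbAuthRealms EU.ORG.COM
    # Assumed to contain HTTP/<server fqdn>@EU.ORG.COM
    Krb5Keytab /home/crmdata/httpd/apache.keytab
    KrbSaveCredentials off
    Require valid-user
  </Location>
</IfModule>
```

Restart Apache after the change; with the password fallback off, a client that cannot do Negotiate receives a 401 rather than a credential prompt, which is the behaviour to expect and to check for in the access log.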