Problems set-up Single Sign-On using Kerberos authentication

apache-2.2 kerberos ruby-on-rails

I need to set up authentication for a Ruby on Rails application via Active Directory using Kerberos.

Some technical information:

  1. I am using Apache
  2. I installed mod_auth_kerb
  3. In httpd.conf I added LoadModule auth_kerb_module modules/mod_auth_kerb.so
  4. In /etc/krb5.conf I added the following configuration

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    
    [libdefaults]
     default_realm = EU.ORG.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes
    
    [realms]
     EU.ORG.COM = {
      kdc = eudc05.eu.org.com:88
      admin_server = eudc05.eu.org.com:749
      default_domain = eu.org.com
     }
    
    [domain_realm]
     .eu.org.com = EU.ORG.COM
     eu.org.com = EU.ORG.COM
    
    [appdefaults]
     pam = {
       debug = true
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    
  5. When I test `kinit validuser` and enter the password, authentication is successful.

  6. klist returns:

    Ticket cache: FILE:/tmp/krb5cc_600
    Default principal: validuser@EU.ORG.COM
    
    Valid starting     Expires            Service principal
    02/08/13 13:46:40  02/08/13 23:46:47  krbtgt/EU.ORG.COM@EU.ORG.COM
    
            renew until 02/09/13 13:46:40
    
    Kerberos 4 ticket cache: /tmp/tkt600
    klist: You have no tickets cached
    
  7. In the application's Apache configuration I added

    <IfModule mod_auth_kerb.c>
      <Location /winlogin>
        AuthType Kerberos
        AuthName "Kerberos Loginsss"
        KrbMethodNegotiate off
        KrbAuthoritative on
        KrbVerifyKDC off
        KrbAuthRealms EU.ORG.COM
        Krb5Keytab /home/crmdata/httpd/apache.keytab
        KrbSaveCredentials off
        Require valid-user
      </Location>
    </IfModule>
    
  8. I restarted Apache.

Now some tests:

  1. When I try to access the application from Win7, I get a pop-up message box with the text:

    Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)
    
  2. When I enter valid credentials, my application opens successfully and everything works fine.

Questions:

  1. Is it OK that such a window pops up for the user? If I use NTLM authentication there is no such pop-up.
    I checked IE Internet Options and 'Enable Integrated Windows Authentication' is checked there.

  2. Why does IE try to send the username and password to the Apache application? If I understand correctly, Windows itself should perform the authentication against Active Directory using the Kerberos protocol.

  3. When I try to access the application from Win7 and enter incorrect credentials in the pop-up message box:

    • The application says Authentication failed (this is OK)
    • In the Apache error log I see:

      [error] [client 192.168.56.1] krb5_get_init_creds_password() failed: Client not found in Kerberos database 
      
    • But now I no longer get the possibility to enter valid credentials; only when I restart IE do I get the pop-up box again.

What could be incorrect or missing in my Kerberos setup?

I read in a blog post that something probably needs to be done on the Active Directory side. What exactly?

Best Answer

You need KrbMethodNegotiate on.
Without that the http client is essentially doing auth-basic to apache and apache is testing the password against the kdc.
Also, for security's sake you should really set KrbVerifyKDC on.
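The `<Location>` block from the question with the two settings the answer points at corrected, as an added example (not the asker's or answerer's own configuration). The hostname-independent directives, realm and keytab path are taken from the question; `KrbMethodK5Passwd off` and `KrbServiceName HTTP` are additions that the answer does not mention, and the `AuthName` string is a placeholder.

```apache
# Added example: the posted <Location /winlogin> block, with the settings
# the answer calls out changed. Realm and keytab path are from the question.
<IfModule mod_auth_kerb.c>
  <Location /winlogin>
    AuthType Kerberos
    AuthName "Kerberos Login"

    # As posted (weak): with Negotiate off, the only method left is
    # K5Passwd, i.e. HTTP Basic. IE therefore prompts for a password and
    # sends it to Apache, which then tries it against the KDC itself.
    #   KrbMethodNegotiate off
    #   KrbVerifyKDC off

    # Corrected: let the browser present its own Kerberos service ticket
    # via SPNEGO instead of a password ...
    KrbMethodNegotiate on
    # ... and switch the Basic fallback off entirely, so no password is
    # ever sent to the web server (assumption: every client is a domain
    # member; non-domain clients will simply get 401 with this setting).
    KrbMethodK5Passwd off
    # Verify the KDC's reply against the service key in the keytab to
    # defend against KDC spoofing, as the answer recommends.
    KrbVerifyKDC on

    KrbAuthoritative on
    KrbAuthRealms EU.ORG.COM
    # Principal the browser requests a ticket for: HTTP/<server fqdn>@EU.ORG.COM
    KrbServiceName HTTP
    Krb5Keytab /home/crmdata/httpd/apache.keytab
    KrbSaveCredentials off
    Require valid-user
  </Location>
</IfModule>
```

Two things this block relies on that the thread does not spell out: the keytab must hold the key for `HTTP/<server fqdn>@EU.ORG.COM`, which on the Active Directory side means that service principal name must be registered on the account the keytab was exported from (otherwise Negotiate fails and, with Basic disabled, every request gets a 401); and Internet Explorer only sends Negotiate tokens automatically to sites it places in the Local intranet zone, so the server's hostname has to fall into that zone for the prompt-free logon to appear.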
