Ubuntu – Switch to Kerberos Authentication with Apache2 on Ubuntu (LDAP or AD)

apache-2.4kerberosUbuntu

I'm considering to switch my intranet apps to Kerberos authentication.(currently NTLM but modules required are not maintained anymore and will in not work anymore once the web server is updated to newest release (Ubuntu)).

I'm completely new to this plus I'm not directly in my corporations IT department. It's a huge corporation and dealing with IT is a PITA. So my question also revolves around the fact if I need IT do something for me to make this work.

I can see on my company laptop using klist I have 3 tickets:

krbtgt/MYCOMPANY.COM@MYCOMPANY.COM

ldap/ldap.mycompany.com@MYCOMPANY.COM

and last one is for my laptop (eg. server = my laptop)

I alos already have a generic ldap user for querying ldap for authorization.

My question is if I can configure my web server to reuse the existing ldap ticket for authentication? And if yes how I would do that?

Best Answer

You cannot share LDAP/... ticket to authenticate in httpd. Neither you can share keytab file, even within the same host, as it has to provide credentials for HTTP/... principal. There is an option in httpd's mod_auth_kerb (named KrbServiceName) to "rename" principal used, but I haven't tried and I doubt it can work, as the clients will try to use standard names.

There are many howtos on how to configure Apache httpd with AD + Kerberos-based single sign-on. Start from reading mod_auth_kerb manual. Things to remember include: reverse DNS entries matching forward DNS, time synchronization, default realm name in /etc/krb5.conf file, KVNO in ktpass command. In case of problems, try (temporarily!) set KrbVerifyKDC off and LogLevel debug in Apache config.

Related Solutions

Ubuntu – Apache Authentication against AD in Ubuntu 9.04

I have done this before (not with RT, though) using mod_ldap with apache. Make sure that module is being loaded, and then do something like this in your config:

<Directory /var/www/>
Order Allow,Deny
Allow From All
AuthName "Blah Blah Blah"
AuthType Basic
AuthLDAPBindDN "cn=USER,ou=Users,dc=example,dc=com"
AuthLDAPBindPassword "PASSWORD"
AuthLDAPURL "ldap://1.2.3.4:389/dc=example,dc=com?samAccountName?"
require valid-user
require group cn=FoobarGroup,ou=Groups,dc=example,dc=com
</Directory>

By default, AD doesn't allow anonymous LDAP binds, so you'll need to create a role account in AD for that. I typically create a user, and make sure it's only a member of the "Domain Guests" group. That will ensure that the user account has enough permissions to bind to LDAP, but no further permissions in the domain.

You can modify the AuthLDAPURL value to match only certain accounts and attributes.

I believe that mod_ldap comes with the default apache install in ubuntu, so all you should need to do to get it loade is:

a2enmod ldap
/etc/init.d/apache2 restart

Good luck!

Why the clients send the HTTP requests before getting Kerberos tickets from KDC

I see no challenge from the proxy for authentication in the trace you sent. The only Kerberos traffic I see is a TGT for Realm: LABRISTEST.COM issued to test1.

If the proxy were enforcing authentication, I would expect a trace with "StatusCode: 407, Proxy authentication required" returned by proxy. See http://technet.microsoft.com/en-us/library/bb984870.aspx for example of a likely trace where proxy requires auth.

I dont see any NTLM or Kerberos based auth to the proxy.

The client will only request tickets if it has to (i.e. proxy says auth required). Until then it does not know what tickets to request and tries anonymously. So you should see a ticket request after accessing proxy anonymously. And that too, only if there is no cached ticket locally at the client side. Its also possible that despite no ticket locally cached, you see no request because of a negative cache (cached the fact that previous request for ticket failed).

I also note you are not using IE (UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0) for testing this. I suggest you use IE for testing unless you are certain firefox is configured to respond to auth requests correctly.

Update (16th Jan): You should always flush DNS cache (ipconfig /flushdns) and kerberos cache before collecting traces. This allows seen KDC detection related DNS traffic and kerberos ticket requests success/failure.

Its also important to know how you configure the proxy settings in the browser as this has some say in the tickets requested. The proxy port appears to be 3128 and the name is labris-1. So, you will likely need to register http/labris-1:3128 and http/labris-1.labristest.com:3128 SPN on the AD object used by the proxy service. You also need to add the reg key from http://support.microsoft.com/default.aspx?scid=kb;EN-US;908209 for all IE greater than V6. Make sure the keytab is updated and accessible on the squid server.

Best Answer

Related Solutions

Ubuntu – Apache Authentication against AD in Ubuntu 9.04

Why the clients send the HTTP requests before getting Kerberos tickets from KDC

Related Topic