Active Directory Kerberos authentication for Apache web server

This is the short version of this blog post. The original post contains more information on the subject, including very detailed step-by-step configuration instructions, some background information on the Kerberos protocol, and a few gotchas and notes you may find useful.


Overview of configuration steps

There are many Internet resources describing the configuration process for Apache + mod_auth_kerb + AD — just google for “Apache mod_auth_kerb AD” and you get tons of step-by-step instructions and guides. But in the end, I had to gather pieces of information from many different sources, because there was not one guide which explained all the Kerberos machinery, options and required configuration actions in sufficient detail in one place. The most useful and comprehensive resources that I was able to find are listed at the end of this document.

The tested configuration process looks like this:

1. Prepare and write down the crucial configuration parameters which you will use in the next steps:

  • Apache web site FQDN (more details on this below)
  • Active Directory account to be used as the service account (service identity) for this web site and its password
  • FQDNs of at least two AD domain controllers that you are going to use as the KDCs for the Linux box
  • The DNS name of your AD domain

2. Prepare Linux box:

  • Install krb5-user package — binaries required to configure the Linux server as a “service” per Kerberos protocol terminology
  • Install Apache 2
  • Install mod_auth_kerb Apache module

3. Run the Windows tool ktpass on an AD domain controller to generate and output to the console two secret keys (for the AES256 and RC4 encryption methods, respectively) associated with the service account specially created in the AD to be used as the identity of the web server. At this step I deviate from most of the instructions and manuals published on the Internet, because I discard the keytab file generated by ktpass and just take the values for the secret key and key serial number (vno) that I copy from the console output of this command and use them to create the required entries in the keytab file manually on the Linux box. The reason why I make it so complicated is that I found no way to generate the keytab file directly using the ktpass tool for the AES cipher, as either the secret key was wrong because of the salt or the key was valid but the SPN was wrong.

4. Run Windows tool setspn on AD domain controller to configure proper SPN attribute (Kerberos Service Principal Name) in the properties of the service account AD object.

5. Create a DNS record for the public FQDN of the web server (the one entered in the browser address bar). If you have a single web site on your web server, then the simplest option is to make sure that the public URL of your site is the same as the FQDN of the server configured in the /etc/hosts configuration file, and create an A DNS record for this FQDN pointing directly to the server’s IP address. However, if you want to host two or more web sites on the same web server with different host headers, then the situation becomes complicated and you will have to properly configure DNS CNAME records and the keytab file. One option in this case is to use the same service account identity for all web sites hosted on the web server, configure the keytab file for the server’s own FQDN configured in the /etc/hosts file, and create CNAME DNS aliases for your web sites pointing to the server’s FQDN. The browsers will perform DNS name canonicalization and will request Kerberos service tickets not for the CNAME addresses of the web sites, but for the server’s own FQDN. Please refer to the original blog post for more information on this scenario.

6. On the Linux box, use ktutil tool (part of the krb5-user package) to create a new empty keytab file and then use its addent subcommand to add two entries for AES256 and RC4 encryption schemes using the secret keys output to the console by ktpass tool at step 3.

7. Configure host-wide Kerberos parameters for the krb5-user package by editing configuration file /etc/krb5.conf

8. Configure mod_auth_kerb Apache module parameters by editing the Apache web site configuration file (e.g., /etc/apache2/sites-enabled/000-default.conf) and adding Kerberos-specific entries under the VirtualHost section.

9. Optionally enable the fall-back mechanism available in the mod_auth_kerb which allows clients which do not support Kerberos to use Basic HTTP authentication scheme instead (SECURITY WARNING! Do not enable this option unless you also enable AND force SSL/TLS for your web site.)

10. Make sure that the browsers on Windows client computers are configured to start Kerberos authentication with your web site automatically (check Internet Explorer “Local intranet” zone settings).
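
A minimal site configuration for steps 8 and 9, added here as an illustration and not taken from the original post; the host name, realm, keytab path and certificate paths are placeholders. It keeps the Basic fallback off and accepts authentication only over TLS, so switching the fallback on later cannot send passwords over plain HTTP.

```apache
# Added example. web01.example.corp, EXAMPLE.CORP and all file paths are
# placeholders; replace them with the values written down in step 1.

# Weak setup to avoid: the Kerberos directives placed in a *:80 VirtualHost
# together with "KrbMethodK5Passwd On". Clients without Kerberos then send
# their AD password Base64-encoded in cleartext HTTP.

# Port 80 carries no protected content; it only redirects to HTTPS.
<VirtualHost *:80>
    ServerName web01.example.corp
    Redirect permanent / https://web01.example.corp/
</VirtualHost>

<VirtualHost *:443>
    ServerName web01.example.corp
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/web01.example.corp.pem
    SSLCertificateKeyFile /etc/ssl/private/web01.example.corp.key

    <Location />
        # Refuse any request that did not arrive over TLS.
        SSLRequireSSL

        AuthType Kerberos
        AuthName "Active Directory login"
        KrbAuthRealms EXAMPLE.CORP
        KrbServiceName HTTP
        # Keytab built with ktutil in step 6; readable by the Apache user only.
        Krb5KeyTab /etc/apache2/http.keytab

        # SPNEGO/Negotiate: the browser presents a service ticket.
        KrbMethodNegotiate On
        # Step 9 fallback to Basic authentication. Off means no password
        # ever reaches Apache. Set to On only inside this TLS-only vhost.
        KrbMethodK5Passwd Off

        Require valid-user
    </Location>
</VirtualHost>
```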

References

  1. Mod_auth_kerb official page
  2. The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows
  3. How-to — Single sign on with Active directory and Apache
  4. How the Kerberos Version 5 Authentication Protocol Works
  5. Kerberos Keytabs — Explained
  6. All you need to know about Keytab files
  7. Encryption Type Selection in Kerberos Exchanges
  8. ktutil — problems generating AES keys (salt?)
  9. Apache sends wrong server principal name to Kerberos
  10. Kerberos configuration known issues
  11. The Chromium Projects — HTTP authentication
  12. Why you can still have duplicate SPNs in AD 2012 R2 and AD 2016

Originally published at imatviyenko.github.io on September 11, 2018.
