Apache Kerberos Authentication
Contents
Purpose
To allow users to authenticate using seamless SSO via kerberos.[1]
MultiRealm Authentication
In this case I want to authenticate more than one realm (two domains). After following the common instructions online I was unable to log in using the second realm. The first realm logged in without issue.
NOTE 1 : This is a messy post as I have worked on this for several days and am trying to record what I did before I forget.
NOTE 2 : I am not sure if all of this is necessary, but I wanted to track everything I did regardless
Environment
- Domains
Domain1.tld
Domain2.tld
- web server
intranet.tld
Keytab Creation
On domain1.tld, create a user object that will be used for the service. Then create the keytab and map it to the user.
NOTE : This is case sensitive.
ktpass /out C:\Temp\domain1.keytab /princ HTTP/website@DOMAIN1.TLD /mapuser user /pass <password> /crypto ALL /ptype KRB5_NT_PRINCIPAL /kvno 1
On domain2.tld
ktpass /out C:\Temp\domain2.keytab /princ HTTP/website@DOMAIN2.TLD /mapuser user /pass <password> /crypto ALL /ptype KRB5_NT_PRINCIPAL /kvno 1
krb5.conf
The server I am using was enrolled in domain1 using sssd and the "realm join" command many a year ago. We will be editing the krb5.conf file that was created during this process.
# Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false # default_realm = EXAMPLE.COM default_ccache_name = KEYRING:persistent:%{uid} default_realm = DOMAIN1.TLD [realms] # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } DOMAIN1.TLD = { kdc = domain1.tld admin_server = domain1.tld } DOIMAIN2.TLD = { kdc = domain2.tld admin_server = domain2.tld } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM domain1.tld = DOMAIN1.TLD .domain1.tld = DOMAIN1.TLD domain2.tld = DOMAIN2.TLD .domain2.tld = DOMAIN2.TLD [capaths] DOMAIN1.TLD = { DOMAIN2.TLD = . } DOMAIN2.TLD = { DOMAIN1.TLD = . }
VHOST Config
Here I tried using the principle from the keytab, but for some reason the kvno kept getting logged as 3 instead of 6. So for now I told Apache to use any service name. Need to research security risks related to this. Also I might need to keep it at ANY if I can not specify more than one principal.
<IF "'%{REMOTE_ADDR}' != '<trusted IP here>' && '%{REQUEST_URI}' != '/wp-admin'"> AuthType Kerberos AuthName "Kerberos authenticated site" KrbAuthRealms DOMAIN1.TLD DOMAIN2.TLD #KrbServiceName HTTP/user@DOMAIN1.TLD KrbServiceName Any Krb5KeyTab /etc/httpd/merged.keytab KrbMethodNegotiate On KrbMethodK5Passwd Off require valid-user </IF>