Kerberos auth with Apache/PHP

By Robert Andresen. Filed under: Programming, Tutorials

We have a portal/intranet web page at my work, running on Apache, PHP and MySQL. In 2011, a colleague and I spent 16 hours (without a break) configuring Kerberos authentication on the Linux web server.

Now, in 2015, we needed Kerberos on a new web server. We did write a doc back in 2011, but after 16 hours at it the doc came out a little short on what we had actually done. The configuration took about 8 hours this time, so I am updating the doc and blogging it here.

2019-03: The formatting of this article has been updated. Please check any code for weird characters before you blindly copy and paste 🙂

Why

When users are logged in on their Windows computers, they can open the intranet web page without having to authenticate a second time: the browser presents the Kerberos ticket the user already got at domain logon.

Prerequisite:

  • A working Active Directory domain, and basic knowledge of how it works.
  • A working Linux web server with Apache and PHP.

My setup:

  • CentOS 7 (with Apache 2 and PHP 5.4)
  • Domain controller on Windows server 2008 R2.

Before you start:

The commands and images have been masked of everything that relates to my work infrastructure. Remember to adjust them to your own network and domain: contoso.com is the example domain and http://website.contoso.com is the web site's DNS name. Use the images as an illustration of what the output should look like.

vi is the editor used in this guide. Use the editor of your choice. To edit a file in vi, press the a key to start inserting text. When you are done, press Esc and type :wq (write and quit) to save, or :q to quit (:q! if you want to discard your changes).

I wrote this guide while I configured Kerberos, which means I didn't necessarily follow the steps below in the same order. I got some error messages that were probably caused by the previous Kerberos configuration.

I recommend scrolling through this guide and the sources at the bottom BEFORE you start, to get a better picture of what you are going to do. If you're not at work, go get some beers, because this could take some time 🙂

As Kerberos was already in use for other services in my case, I am not sure whether any changes are needed in the domain structure.

1. Turn OFF SELinux and firewall

Do this during setup so they don't get in the way while you troubleshoot, and remember to turn them back on when you're done (step 13). Do not leave a server reachable from the network in this state longer than the setup takes.

2. Install mod_auth_kerb

You need the mod_auth_kerb module for Apache so that Apache can validate the Kerberos tickets that browsers present. After the package is installed, restart httpd so the module is loaded:

[code]$ systemctl restart httpd.service[/code]

3. Join the Linux server to the domain

Source: http://www.hexblot.com/blog/centos-7-active-directory-and-samba

Install required packages:

3.1 Sync time with the domain

The join itself does not require this, but the clock has to match the domain controller closely for users to authenticate: by default Kerberos rejects tickets when the two clocks differ by more than five minutes.

3.2 Join the domain

List the domain data for the server to check that the join worked. It looked fine to me the first time, but the computer object did not show up in AD, so I had to leave the domain (realm leave …) and join it one more time.

3.3 Samba config

The config should already look something like this. This is my config file:

4. Computer object in AD

Open AD and check that the computer object is created.

View the properties of the computer object and go to the Delegation tab; make sure that «Trust this computer for delegation to any service (Kerberos only)» is checked. Be aware of what this grants: it is unconstrained delegation, so the web server can obtain tickets to any service in the domain on behalf of any user who authenticates to it. The Kerberos login at Apache itself does not need it; it is only required if the web application must reach back-end services as the user, and in that case constrained delegation to just those services is the safer choice.

(Screenshot: kerberos_computerobject_delegation)

5. Create a service user

Create a dedicated service user in the domain for the web server.

After the user is created and you have run ktpass in the next step, a new tab named «Delegation» appears in the user properties. Keep in mind that the keytab you generate next embeds this account's key, so any later password change on the account invalidates the keytab.

(Screenshot: kerberos_mgmt_account)

6. Generate the keytab file

The keytab file has to be created with ktpass from a command prompt on a server in the domain. <USERNAME> is the service user you created in the previous step.

Notice: ktpass sets a new password on the account and stamps the keytab with the account's key version number (kvno); AD increments the kvno every time the key changes. In my case I generated the keytab for the same user as last time, so the old server's keytab no longer matched the account's key and the old Kerberos setup stopped working.

Output:

(Screenshot: kerberos_ktpass)

Open the service-user properties, go to the Delegation tab and make sure that «Trust this user for delegation to any service (Kerberos only)» is checked. As with the computer object, this enables unconstrained delegation; the Kerberos login at Apache works without it, so only grant it if the web application has to act on the user's behalf towards other services.

(Screenshot: kerberos_mgmt_account_delegation)

7. Copy the keytab file to the web server

Use WinSCP, an NFS mount or similar to copy the generated keytab file to /etc/httpd/conf on the web server. Treat it as a credential: it contains the service account's key, so anyone who can read it can impersonate the web site.

7.1 Change the permissions and group of the keytab file, so that httpd can read it and nobody else can

8. Setspn

Open PowerShell on a domain controller and register the SPN with setspn:

(Screenshot: kerberos_setspn)

In my case the SPN for webpage.contoso.com already existed from the previous setup, so I got a duplicate message. I had to run «setspn -D http/intranett.contoso.com <OLD SERVICE USER>» to delete it. An SPN must map to exactly one account; with a duplicate the KDC cannot tell which account's key to use for the service ticket, and authentication fails.

9. Edit /etc/krb5.conf

 

10. Create an auth folder on your web server for testing

Then create a .htaccess file in the folder where you want to authenticate users. You can also put the same directives in the virtual host config instead of a .htaccess file.

Insert the following config:

Remember to check that Apache is allowed to read .htaccess files; see 14.1.
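The Linux side of steps 7, 9 and 10 as one worked example. This is added here and is not the post's own configuration; it assumes (hypothetically, following the example domain above) the realm CONTOSO.COM with a single DC dc01.contoso.com, the SPN HTTP/website.contoso.com, the keytab at /etc/httpd/conf/website.keytab and httpd running as user apache. It writes the Apache directives into a <Location> block for conf.d instead of a .htaccess file, and shows the two settings (password fallback and an unpinned service name) that weaken the setup next to the hardened values.

```shell
#!/usr/bin/env bash
# Added example, not configuration from the original post: the Linux side of
# steps 7, 9 and 10 as shell functions.  Assumptions (hypothetical, based on
# the post's example domain): realm CONTOSO.COM, one DC named dc01.contoso.com,
# SPN HTTP/website.contoso.com, keytab /etc/httpd/conf/website.keytab and
# httpd running as user "apache".
REALM=CONTOSO.COM
KDC=dc01.contoso.com
SPN=HTTP/website.contoso.com
KEYTAB=/etc/httpd/conf/website.keytab

# install_keytab SRC DEST [OWNER GROUP]   (steps 7 and 7.1)
# The keytab holds the service account's long-term key: whoever can read it
# can decrypt every user's service ticket and impersonate the site.  Install
# it with mode 0640 (root:apache on a real server, so httpd can read it and
# nobody else can) and reset the SELinux label, which a WinSCP/NFS copy may
# have left wrong.
install_keytab() {
  local src="$1" dest="$2" owner="${3:-}" group="${4:-}"
  [ -s "$src" ] || { echo "keytab $src is missing or empty" >&2; return 1; }
  if [ -n "$owner" ]; then
    install -m 0640 -o "$owner" -g "$group" "$src" "$dest" || return 1
  else
    install -m 0640 "$src" "$dest" || return 1
  fi
  if command -v restorecon >/dev/null 2>&1; then
    restorecon "$dest" 2>/dev/null || true   # only matters with SELinux enforcing
  fi
  # Verify the result: no permission bits for "other".
  [ "$(ls -ld "$dest" | cut -c8-10)" = "---" ]
}

# write_krb5_conf DEST   (step 9)
# dns_lookup_kdc = true lets libkrb5 find DCs through the _kerberos._tcp SRV
# records AD publishes; the explicit kdc line is the fallback.
write_krb5_conf() {
  local lower
  lower=$(printf '%s' "$REALM" | tr '[:upper:]' '[:lower:]')
  cat > "$1" <<EOF
[libdefaults]
  default_realm = $REALM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true

[realms]
  $REALM = {
    kdc = $KDC
    admin_server = $KDC
  }

[domain_realm]
  .$lower = $REALM
  $lower = $REALM
EOF
}

# write_auth_kerb_conf DEST URLPATH   (step 10)
# Written for /etc/httpd/conf.d/ rather than .htaccess, so it needs no
# AllowOverride and cannot be changed per directory.  The two "Weak:" comments
# mark settings that quietly downgrade the setup.
write_auth_kerb_conf() {
  cat > "$1" <<EOF
<Location "$2">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  # Weak: "KrbMethodK5Passwd On" falls back to HTTP Basic, so a client without
  # a ticket sends its AD password in the clear unless the site is HTTPS-only.
  KrbMethodK5Passwd Off
  KrbAuthRealms $REALM
  Krb5Keytab $KEYTAB
  # Weak: "KrbServiceName Any" accepts a ticket for any principal in the
  # keytab; pin it to the SPN registered with setspn (step 8).
  KrbServiceName $SPN
  KrbVerifyKDC On
  KrbSaveCredentials Off
  # Strip "@$REALM" so REMOTE_USER is the plain account name for PHP.
  KrbLocalUserMapping On
  Require valid-user
</Location>
EOF
}

# config_is_hardened FILE: true unless one of the weak settings is active.
config_is_hardened() {
  ! grep -Eq '^[[:space:]]*(KrbMethodK5Passwd[[:space:]]+On|KrbServiceName[[:space:]]+Any)' "$1"
}

# Dry run in a temp dir (no root needed); on the server use the live paths.
demo=$(mktemp -d)
printf 'keytab bytes from ktpass' > "$demo/website.keytab"   # constructed stand-in
install_keytab "$demo/website.keytab" "$demo/installed.keytab"
write_krb5_conf "$demo/krb5.conf"
write_auth_kerb_conf "$demo/auth_kerb.conf" /auth
config_is_hardened "$demo/auth_kerb.conf" && echo "generated hardened config in $demo"
```

The dry run at the bottom writes everything into a temporary directory so the script can be run without root. On the server, call install_keytab with root and apache as owner and group, write the two files to /etc/krb5.conf and /etc/httpd/conf.d/auth_kerb.conf, then run apachectl configtest and restart httpd.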

11. Test the Kerberos authentication

Create a test folder called auth in the www root.

Create an index.php in the folder:

Add the following code to the index.php file:

 

12. Test the web site

The page should look like this:

(Screenshot: kerberos_chrome_auth_success)

13. Turn ON SELinux and firewall

Set SELinux back to enforcing and start the firewall again. If httpd can no longer read the keytab once SELinux is enforcing, the file most likely kept a wrong security context from the copy in step 7; restoring the default context for /etc/httpd/conf fixes that.

[code]$ systemctl start firewalld[/code]

14. Troubleshoot

14.1 Enable .htaccess to be read in Apache

If .htaccess files aren't read, edit /etc/httpd/conf/httpd.conf and set AllowOverride for the directory. AllowOverride All works; AllowOverride AuthConfig is enough for the authentication directives and is the narrower choice.

14.2 Set apache LogLevel to debug

To get every possible message while debugging, set the Apache LogLevel to debug in /etc/httpd/conf/httpd.conf. Set it back to warn afterwards; debug logging is verbose and records the name of everyone who logs in.

14.3 Test keytab file and kerberos authentication

You can test the Kerberos authentication from the terminal. First install the Kerberos workstation tools (the krb5-workstation package on CentOS).

Test the keytab file:

Test a user login:

Check the Kerberos tickets:

Delete the Kerberos tickets:
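As an added example (not commands from the original post), here is a check that goes one step beyond listing the keytab: it cross-checks the keytab against the SPN and the key version number (kvno) that AD currently holds for the service account, which is exactly what breaks when ktpass is re-run (step 6) or an SPN is duplicated (step 8). The sample klist output, the SPN HTTP/website.contoso.com@CONTOSO.COM and the AD kvno of 3 are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.  Cross-checks the keytab on
# the web server against the SPN and key version number (kvno) that AD holds
# for the service account, the usual cause of "it worked until I re-ran
# ktpass".  Assumptions (hypothetical): SPN HTTP/website.contoso.com in realm
# CONTOSO.COM, and the account's current kvno in AD is 3.

# Constructed sample of `klist -kte /etc/httpd/conf/website.keytab` output.
# The third entry is a stale key left over from an earlier ktpass run.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/website.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 05/11/2015 10:21:03 HTTP/website.contoso.com@CONTOSO.COM (aes256-cts-hmac-sha1-96)
   3 05/11/2015 10:21:03 HTTP/website.contoso.com@CONTOSO.COM (arcfour-hmac)
   2 03/01/2011 14:02:11 HTTP/intranett.contoso.com@CONTOSO.COM (des-cbc-md5)'

# keytab_entries KLIST_OUTPUT -> one "kvno principal enctype" line per key,
# skipping the header; only lines that start with a number are key entries.
keytab_entries() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^[0-9]+$/ { gsub(/[()]/, "", $5); print $1, $4, $5 }'
}

# check_keytab KLIST_OUTPUT PRINCIPAL AD_KVNO
# Succeeds only if PRINCIPAL has a key whose kvno matches the kvno AD currently
# holds for the account (from "kvno HTTP/host" after a kinit, or the account's
# msDS-KeyVersionNumber attribute).  A kvno mismatch means the KDC encrypts
# service tickets with a key the server no longer has, so every web login fails
# with a decrypt error even though kinit with a user account still works.
# Weak enctypes only produce a warning; older DCs still hand them out.
check_keytab() {
  local out="$1" princ="$2" want="$3" kvno p enc found=1
  while read -r kvno p enc; do
    [ "$p" = "$princ" ] || continue
    case "$enc" in
      des-*|arcfour-hmac*) echo "WARN: $p has weak enctype $enc" >&2 ;;
    esac
    if [ "$kvno" = "$want" ]; then
      found=0
    else
      echo "WARN: $p key has kvno $kvno, AD has $want (stale keytab)" >&2
    fi
  done <<EOF
$(keytab_entries "$out")
EOF
  [ "$found" -eq 0 ] || echo "FAIL: no key for $princ with kvno $want" >&2
  return "$found"
}

# On a real server replace the sample with live output and the kvno from AD:
#   check_keytab "$(klist -kte /etc/httpd/conf/website.keytab)" \
#                HTTP/website.contoso.com@CONTOSO.COM 3
check_keytab "$SAMPLE_KLIST" HTTP/website.contoso.com@CONTOSO.COM 3 && echo "keytab matches AD kvno"
```

On the server, feed it the real output of klist -kte /etc/httpd/conf/website.keytab and take the AD-side kvno from running kvno HTTP/website.contoso.com after a kinit as a domain user (it prints the principal followed by kvno = N). If the two numbers differ, re-run ktpass and copy the new keytab over. If the check passes but the browser still fails, kinit someuser@CONTOSO.COM followed by curl --negotiate -u : http://website.contoso.com/auth/ separates a ticket problem from an Apache one.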

14.4 View the apache logs

A successful Kerberos login looks like this in the log.
You may want to set the Apache LogLevel to debug (see 14.2).

A list of the error messages, with a description of each, can be viewed here: http://sammoffatt.com.au/…table_entry_not_found_while_getting_initial_credentials

Sources

Some of the sources refer to compiling the module for Apache. I ONLY installed the mod_auth_kerb package and did not compile anything.

Update 2016-05-02: Found another how-to guide for setting up Kerberos: http://wiki.openiam.com/display/IAMSUITEV3/Kerberos+Authentication+When+Using+the+Reverse+Proxy