Apache HTTP authentication to Active Directory with Kerberos


First, create a dedicated user account for the Apache service principal in Active Directory. Let's assume the AD Kerberos realm is KOO.FI and the user account is called "apache". Also create a computer account for the web server; let's call it "apachesrv".

Next, create the two keytab files on the Windows side with ktpass: one host keytab and one service (HTTP) keytab (long lines have been split):

Make sure the principal name you use (HTTP/your.server.com) carries the exact host name the browser puts in the URL when it talks to Apache: the browser asks the KDC for a ticket for HTTP/<that name>, so if the keytab was created for a different name (for example the machine name, while users reach the site through an alias) authentication fails and your Apache error log shows "failed to verify krb5 credentials: Server not found in Kerberos database".

You should now have binary files called krb5.keytab and keytab.HTTP in your current directory. Copy them into /etc on the Apache server over a trusted channel (they contain the accounts' long-term keys) and make sure only root and the user Apache runs as can read them.

Edit /etc/krb5.conf:

Test that your authentication works:

Enter the secret string you used earlier when creating the machine account. If everything went correctly, you can list the resulting ticket with klist:

Lastly, let's configure Apache. My Apache server happened to be an Ubuntu box with Apache 2.2 installed. The Apache module mod_auth_kerb takes care of the authentication (it is no longer maintained and mod_auth_gssapi is its successor, but the configuration here is mod_auth_kerb's), so let's install it:

Add a Directory directive for the protected content to your Apache configuration. Leave the Basic-auth fallback (KrbMethodK5Passwd) off unless the site is served over TLS, because that fallback makes the browser send the user's AD password to the server:

Reload Apache, and you're all set!
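The whole procedure above, from the ktpass commands to the Apache reload, as one added example. This is not the original post's command listing; it assumes the realm KOO.FI, a domain controller dc1.koo.fi, the web host name www.koo.fi (the name users type in the URL), the AD user "apache", the computer account "apachesrv", an Apache 2.2 layout with /etc/apache2/conf.d/ and the www-data user, and MIT krb5's `klist -k` output format. Run without arguments it only performs the offline keytab/SPN check against a constructed sample listing; run as `sh kerb-setup.sh apply` on the Apache host it writes the configs and calls the real tools.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumed names: realm KOO.FI,
# domain controller dc1.koo.fi, web host www.koo.fi (the name in the URL),
# AD user "apache", computer account "apachesrv". Change them for your site.
#
# Windows side (run on the DC in cmd.exe, one command per line; shown only as a comment):
#   ktpass /princ host/apachesrv.koo.fi@KOO.FI /mapuser KOO\apachesrv$ /pass * /crypto AES256-SHA1 /ptype KRB5_NT_SRV_HST /out krb5.keytab
#   ktpass /princ HTTP/www.koo.fi@KOO.FI /mapuser KOO\apache /pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out keytab.HTTP
# (/crypto AES256-SHA1 needs the account's AES flags enabled in AD; the post's era used RC4-HMAC-NT.)

# Service principal the browser will request for a URL on host $1 in realm $2.
spn_for_host() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Write a minimal /etc/krb5.conf for realm $1 with KDC $2 to path $3.
write_krb5_conf() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cat > "$3" <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $1 = {
        kdc = $2
        admin_server = $2
    }

[domain_realm]
    .$lower = $1
    $lower = $1
EOF
}

# Read MIT-style `klist -k` output on stdin; succeed only if principal $1 is listed.
# A keytab cut for another name (the machine name, an old alias) fails here and
# would give "Server not found in Kerberos database" in the Apache error log.
keytab_has_spn() {
    awk -v spn="$1" '$2 == spn { found = 1 } END { exit !found }'
}

# Write the mod_auth_kerb block for directory $1 (SPN $2, keytab $3, realm $4) to path $5.
write_apache_conf() {
    cat > "$5" <<EOF
<Directory $1>
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbAuthRealms $4
    KrbServiceName $2
    Krb5Keytab $3
    KrbMethodNegotiate On
    # No Basic-auth fallback: it would send the user's AD password to the server.
    KrbMethodK5Passwd Off
    KrbSaveCredentials Off
    Require valid-user
</Directory>
EOF
}

# Constructed sample of `klist -k /etc/keytab.HTTP` output (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/keytab.HTTP
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/www.koo.fi@KOO.FI'

case "${1:-check}" in
check)   # offline: run the SPN check against the sample listing for two host names
    for host in www.koo.fi intranet.koo.fi; do
        spn=$(spn_for_host "$host" KOO.FI)
        if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_spn "$spn"; then
            echo "ok: $spn is in the keytab"
        else
            echo "missing: $spn; https://$host/ would fail with 'Server not found in Kerberos database'"
        fi
    done
    ;;
apply)   # on the Apache host, as root, after copying the two keytabs into /etc
    REALM=KOO.FI; KDC=dc1.koo.fi; HOST=www.koo.fi
    SPN=$(spn_for_host "$HOST" "$REALM")
    write_krb5_conf "$REALM" "$KDC" /etc/krb5.conf
    # Keytabs are long-term keys: only root and the Apache user may read them.
    chmod 0600 /etc/krb5.keytab
    chown root:www-data /etc/keytab.HTTP && chmod 0640 /etc/keytab.HTTP
    klist -k /etc/keytab.HTTP | keytab_has_spn "$SPN" || { echo "keytab lacks $SPN" >&2; exit 1; }
    # Prove the keytab against the KDC (no password prompt), then list the ticket.
    kinit -k -t /etc/keytab.HTTP "$SPN" && klist
    apt-get install -y libapache2-mod-auth-kerb
    write_apache_conf /var/www/secure "$SPN" /etc/keytab.HTTP "$REALM" /etc/apache2/conf.d/kerberos.conf
    apache2ctl configtest && service apache2 reload
    ;;
esac
```

The `kinit -k -t` call is the non-interactive form of the post's test: it proves the keytab's key matches what the KDC holds for the principal, where the post's plain `kinit` does the same with the account password typed in. The SPN check before touching Apache is the cheap way to catch the mismatch described above; on Heimdal, `klist -k` prints the principal in a different column, so adjust the awk field if you are not on MIT krb5.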

Some links:

http://sl.mvps.org/docs/LinuxApacheKerberosAD.htm
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
http://modauthkerb.sourceforge.net/configure.html
