The following steps will help you to set up HTTP SSO with Apache using the Kerberos network authentication protocol.

1. Generate a keytab for the Apache server's HTTP service principal on a domain-joined Windows host. Note that:
- the ktpass command must be run as a domain administrator
- the password given to the -pass argument must comply with the domain's password policy (the example below was written against Windows Server 2012 defaults)
- ktpass resets the mapped account's password to the value of -pass, and the resulting keytab is equivalent to that password: treat the file as a credential
Here's a command example:
ktpass -princ HTTP/uriahl.com@URIAHL.COM -mapuser apache -crypto All -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out apache.keytab

Earlier versions of this example also passed -DesOnly. That flag marks the account "use DES encryption types only", which contradicts -crypto All and, because Active Directory has DES disabled by default, leads to the "KDC has no support for encryption type" failure discussed under Debugging Common Failures. Leave it out; once all clients support AES you can restrict further with -crypto AES256-SHA1.
where
- uriahl.com is the FQDN of the Apache server as users browse to it; the host part of the SPN must be the same name as the VirtualHost's ServerName (or a CNAME resolving to it), otherwise the browser requests a ticket for a service the KDC does not know
- URIAHL.COM is the Kerberos realm for which the keytab is being generated
- apache is the Active Directory user account to which the SPN is mapped (use a dedicated service account, not an administrative one)
- apache.keytab is the keytab filename
2. Install mod_auth_kerb on the Apache server.
Debian/Ubuntu:
apt-get install libapache2-mod-auth-kerb
Centos/RHEL:
yum install mod_auth_kerb
During the installation process, you'll be prompted for several configuration options. You'll need to enter your:
- Kerberos realm name, which, by convention, is your AD domain written in all UPPERCASE letters (e.g., if your AD domain is domain.uriahl.com, your realm must be named DOMAIN.URIAHL.COM)
- KDC host (i.e., the hostname of a domain controller)
- Administrative server's hostname (Note: Depending on your setup, you might want to use the same value here as you did for the previous field.)
At this point, copy the keytab file generated in Step #1 to your Apache machine and secure it so that only the OS user running Apache can read it (for example, owned by that user with mode 0600). Anyone who can read the keytab can impersonate the HTTP service.
An example of a full SSL-equipped Apache VirtualHost configuration that proxies Artifactory and uses Kerberos authentication for the /artifactory location can look like the following (where the Krb5KeyTab directive points to the location of the keytab file). Two points to be aware of: KrbMethodK5Passwd On lets clients that cannot do Negotiate fall back to HTTP Basic authentication, which sends the user's password to Apache for verification against the KDC; set it to Off if you want ticket-based SSO only. The REMOTE_USER request header is set from the authenticated principal inside the /artifactory location, so Artifactory only sees a value that Apache produced; that guarantee holds only while Artifactory is not reachable except through this proxy.

Listen 443
<VirtualHost *:443>
    ServerAdmin uriahl@uriahl.com
    ServerName apache.server.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.crt
    SSLCertificateKeyFile /etc/ssl/certs/cert.key
    SSLProxyEngine on
    ErrorLog "/private/var/log/apache2/uriahl.com-error_log"
    CustomLog "/private/var/log/apache2/uriahl.com-access_log" common

    <Location /artifactory>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.URIAHL.COM
        KrbLocalUserMapping On
        Krb5KeyTab /usr/local/apache2/keytab/apache.keytab
        require valid-user
        RewriteEngine On
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

    RewriteEngine on
    RewriteCond %{SERVER_PORT} (.*)
    RewriteRule (.*) - [E=my_server_port:%1]
    # Note: In the following, the REQUEST_SCHEME variable is supported only by Apache versions 2.4 and above:
    RewriteCond %{REQUEST_SCHEME} (.*)
    RewriteRule (.*) - [E=my_scheme:%1]
    RewriteCond %{HTTP_HOST} (.*)
    RewriteRule (.*) - [E=my_custom_host:%1]
    RewriteRule ^/$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory(/)?$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory/webapp$ /artifactory/webapp/ [R,L]

    RequestHeader set Host %{my_custom_host}e
    RequestHeader set X-Forwarded-Port %{my_server_port}e
    # Note: In the following, {my_scheme} requires a module that is supported only by Apache version 2.4 and above:
    RequestHeader set X-Forwarded-Proto %{my_scheme}e
    RequestHeader set X-Artifactory-Override-Base-Url %{my_scheme}e://artifactory_host:8081/artifactory

    ProxyPassReverseCookiePath /artifactory /artifactory
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass /artifactory/ http://artifactory_host:8081/artifactory/
    ProxyPassReverse /artifactory/ http://artifactory_host:8081/artifactory/
</VirtualHost>
The root httpd.conf must also load the mod_auth_kerb module, for example:
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
In addition to mod_auth_kerb, the following modules must be loaded for the configuration above to work:
- mod_headers
- mod_proxy
- mod_proxy_http
- mod_ssl
- mod_rewrite
3. Configure Artifactory to accept HTTP SSO authentication based on the REMOTE_USER header (Admin > Security > HTTP SSO: enable HTTP SSO and set the remote user request variable to REMOTE_USER). From this point Artifactory trusts whatever that header carries, so make sure port 8081 accepts connections only from the Apache proxy; a client that can reach Artifactory directly could supply its own REMOTE_USER header.
Debugging Common Failures
- Error #1
[Mon Jun 27 13:54:42.271303 2016] [auth_kerb:error] [pid 2301:tid 140157256722176] [client 192.168.99.1:54417] krb5_get_init_creds_password() failed: KDC has no support for encryption type
This message comes from the password-based path (krb5_get_init_creds_password is what mod_auth_kerb calls when KrbMethodK5Passwd is on and the browser falls back to Basic authentication). It means the encryption types the Apache host offered were not accepted by the KDC: typically the account was marked DES-only by ktpass -DesOnly while Active Directory has DES disabled, or the Kerberos client configuration on the Apache host (krb5.conf) restricts enctypes to ones the domain does not support. In the example above the -crypto All value was used so the keytab holds every type the account allows; you may want to narrow this to the strongest types (AES) and confirm that the account has "This account supports Kerberos AES 128/256 bit encryption" enabled in Active Directory.
Regenerate the keytab after changing the account's encryption settings, since the change increments the key version number (kvno) and tickets issued against the old keys will no longer verify.
- Error #2
[Mon Jun 27 12:25:10.517382 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] [client 192.168.99.1:52174] failed to verify krb5 credentials: Server not found in Kerberos database
This is also reported on the password-based path (verifying the user's freshly obtained credentials against the server's own principal). "Server not found in Kerberos database" means the KDC has no account holding the SPN that Apache is using, most often because the host part of the SPN (HTTP/uriahl.com in the example) does not match the name in the browser's URL, the SPN was never registered, or it is registered on more than one account. On a domain-joined Windows host, setspn -Q HTTP/uriahl.com shows which account (if any) holds the SPN and setspn -X lists duplicates; on the Apache host, klist -kte /usr/local/apache2/keytab/apache.keytab shows the principals and encryption types actually present in the keytab.
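Both failures above come down to what is in the keytab (which SPN, which encryption types, which kvno), so it helps to be able to look inside the file on the Apache host before touching Active Directory again. The script below is an added example, not part of this article or of Artifactory: it parses the standard version 2 (0x0502) keytab format that ktpass, MIT and Heimdal write, without needing krb5 tooling, and reports the conditions behind Error #1 and Error #2 (missing SPN, DES keys, no AES key). The sample keytab is constructed inline with dummy all-zero key bytes; the HTTP/uriahl.com@URIAHL.COM principal is the one from the ktpass example.

```python
"""Inspect a version-2 (0x0502) keytab and flag the SPN/enctype problems behind
"KDC has no support for encryption type" and "Server not found in Kerberos database".
Added example; the sample keytab is constructed here with dummy keys."""
import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961/3962/4757). AD disables DES (1, 3) by default.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_ENCTYPES = {1, 3}
AES_ENCTYPES = {17, 18}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/uriahl.com@URIAHL.COM
    name_type: int   # 1 = KRB5_NT_PRINCIPAL, what ktpass -ptype KRB5_NT_PRINCIPAL writes
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted_string(buf: bytes, pos: int):
    """Read a 16-bit length-prefixed string; returns (text, next position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Parse all entries. Fields are big-endian; realm precedes the name components."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot; skip it
            off -= size
            continue
        buf, pos = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        realm, pos = _counted_string(buf, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(buf, pos)
            comps.append(comp)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", buf, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", buf, pos)
        pos += 4
        key = bytes(buf[pos:pos + klen])
        pos += klen
        if pos + 4 <= len(buf):       # optional 32-bit kvno supersedes the 8-bit field
            (kvno32,) = struct.unpack_from(">I", buf, pos)
            kvno = kvno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type,
                                   timestamp, kvno, enctype, key))
        off += size
    return entries


def check_keytab(data: bytes, expected_spn: str) -> list:
    """Return findings as strings; an empty list means the keytab is usable for the SPN."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e.principal == expected_spn]
    if not mine:
        return [f"ERROR: no key for {expected_spn}; keytab holds "
                f"{sorted({e.principal for e in entries})} (SPN host must match the URL)"]
    enctypes = {e.enctype for e in mine}
    findings = []
    if not enctypes & AES_ENCTYPES:
        findings.append("ERROR: no AES key; regenerate with -crypto AES256-SHA1")
    if enctypes & DES_ENCTYPES:
        findings.append("ERROR: DES keys present; drop -DesOnly, AD rejects DES by default")
    if 23 in enctypes:
        findings.append("WARN: RC4 key present; remove it once all clients negotiate AES")
    return findings


def build_keytab(entries) -> bytes:
    """Serialize entries into a version-2 keytab (used here only to build the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s.encode())) + s.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


SPN = "HTTP/uriahl.com@URIAHL.COM"
# Constructed sample: one SPN with AES, RC4 and DES keys (dummy all-zero key bytes).
SAMPLE_KEYTAB = build_keytab([KeytabEntry(SPN, 1, 1466999999, 3, 18, bytes(32)),
                              KeytabEntry(SPN, 1, 1466999999, 3, 23, bytes(16)),
                              KeytabEntry(SPN, 1, 1466999999, 3, 3, bytes(8))])

if __name__ == "__main__":
    import sys  # usage: keytab_check.py [apache.keytab] [HTTP/host@REALM]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e.principal}  kvno={e.kvno}  {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print("\n".join(check_keytab(data, sys.argv[2] if len(sys.argv) > 2 else SPN)) or "OK")
```

Run it as the Apache user against the copied keytab and the SPN you expect browsers to request; if the SPN it reports differs from the hostname in your URL, or only DES/RC4 keys are listed, fix the account and regenerate the keytab before looking further at Apache.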