ARTIFACTORY: Configuring an HTTP SSO with Apache and Kerberos

JFrog Support
2021-03-29 12:29

The following steps will help you to set up HTTP SSO with Apache using the Kerberos network authentication protocol:

  1. Generate a keytab file for your Apache host using the Ktpass tool, where:
  • the Ktpass command must be run as a domain admin
  • the password for the -pass argument must comply with Windows Server 2012 standards

Here's a command example:

ktpass -princ HTTP/uriahl.com@URIAHL.COM -mapuser apache -crypto All -DesOnly -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out apache.keytab

where

  • uriahl.com is the FQDN of the Apache server
  • URIAHL.COM is the Kerberos realm for which the keytab is being generated
  • apache is the Active Directory user account to which the keytab is mapped (the -mapuser argument)
  • apache.keytab is the keytab filename

  2. Configure the HTTPD VirtualHost to use the auth_kerb_module and its corresponding directives. Note: HTTPD doesn't usually ship with this module, so you may need to install it manually. Debian-based distributions:

apt-get install libapache2-mod-auth-kerb

CentOS/RHEL:

yum install mod_auth_kerb

During the installation process, you’ll be prompted about several configuration options. You’ll need to enter your:

  • Kerberos realm name, which, by convention, is your AD domain, written in all UPPERCASE letters (e.g., if your AD domain is domain.uriahl.com, your realm must be named DOMAIN.URIAHL.COM)
  • KDC host (i.e., the hostname of the KDC machine)
  • Administrative server’s hostname (Note: Depending on your setup, you might want to use the same value here as you did for the previous field.)

At this point, be sure to copy over your keytab file (which was generated in Step #1) to your Apache machine and secure it so that only the OS user who’s running Apache has access to it.

An example of a full SSL-equipped Apache VirtualHost configuration that proxies Artifactory and uses Kerberos authentication with the /artifactory location can look like the following (where the Krb5KeyTab directive is pointing to the location of the keytab file):

Listen 443

<VirtualHost *:443>
    ServerAdmin uriahl@uriahl.com
    ServerName apache.server.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.crt
    SSLCertificateKeyFile /etc/ssl/certs/cert.key
    SSLProxyEngine on

    ErrorLog "/private/var/log/apache2/uriahl.com-error_log"
    CustomLog "/private/var/log/apache2/uriahl.com-access_log" common

    <Location /artifactory>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.URIAHL.COM
        KrbLocalUserMapping On
        Krb5KeyTab /usr/local/apache2/keytab/apache.keytab
        require valid-user

        # Copy the authenticated principal into the REMOTE_USER request header for Artifactory
        RewriteEngine On
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

    RewriteEngine on
    RewriteCond %{SERVER_PORT} (.*)
    RewriteRule (.*) - [E=my_server_port:%1]

    # Note: the REQUEST_SCHEME variable is available only in Apache 2.4 and above
    RewriteCond %{REQUEST_SCHEME} (.*)
    RewriteRule (.*) - [E=my_scheme:%1]

    RewriteCond %{HTTP_HOST} (.*)
    RewriteRule (.*) - [E=my_custom_host:%1]

    RewriteRule ^/$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory(/)?$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory/webapp$ /artifactory/webapp/ [R,L]

    RequestHeader set Host %{my_custom_host}e
    RequestHeader set X-Forwarded-Port %{my_server_port}e
    # Note: my_scheme is set from REQUEST_SCHEME above, so it too requires Apache 2.4 or above
    RequestHeader set X-Forwarded-Proto %{my_scheme}e
    RequestHeader set X-Artifactory-Override-Base-Url %{my_scheme}e://artifactory_host:8081/artifactory

    ProxyPassReverseCookiePath /artifactory /artifactory
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass /artifactory/ http://artifactory_host:8081/artifactory/
    ProxyPassReverse /artifactory/ http://artifactory_host:8081/artifactory/
</VirtualHost>

The root httpd.conf file must load the mod_auth_kerb module, for example:

LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

In addition to mod_auth_kerb, the following modules are required for the configuration above to work:

  • mod_headers
  • mod_proxy
  • mod_proxy_http
  • mod_ssl
  • mod_rewrite

3. Configure Artifactory to accept HTTP SSO authentication based on the REMOTE_USER header. Artifactory trusts whatever value arrives in this header, so its own port (8081 in the example above) must be reachable only through the Apache proxy.

Debugging Common Failures

  • Error #1

[Mon Jun 27 13:54:42.271303 2016] [auth_kerb:error] [pid 2301:tid 140157256722176] [client 192.168.99.1:54417] krb5_get_init_creds_password() failed: KDC has no support for encryption type

This could mean that your Active Directory has not been configured to support the encryption algorithm you used when generating your keytab file. In the example above, -crypto All was used so that the generated keytab supports all algorithms; you may want to restrict this to only the strongest encryption types.

Step-by-step instructions on enabling the various encryption types supported by your AD domain are available HERE. The information HERE may also be helpful.
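Two of the checks above (the keytab must be readable only by the Apache user, and its entries must use encryption types the KDC accepts) can be done offline before Apache is started. The following is an added example, not code from the JFrog article: it parses the MIT keytab format (version 0x0502, big-endian, the same layout klist -kte reads) and reports file permissions, whether the expected HTTP service principal is present, and any DES/RC4 entries. The sample keytab it writes is constructed in code with dummy key bytes; the principal and enctype numbers are assumptions chosen to match the article's example.

```python
import os
import stat
import struct
import tempfile

# IANA Kerberos encryption type numbers (RFC 3961 and successors); subset only
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4: refused by hardened KDCs, a likely cause of error #1


def _counted(buf, off):
    """Read a uint16 length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Parse MIT keytab bytes (format version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:           # full 32-bit kvno is present when 4+ bytes remain
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(dict(principal="/".join(comps) + "@" + realm.decode(), enctype=enctype,
                            enctype_name=ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
                            kvno=kvno))
        off = end
    return entries


def build_keytab(principal, enctypes, kvno=2):
    """Construct keytab bytes with one entry per enctype (dummy keys; test data only)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for et in enctypes:
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 1466984082, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
        key = b"\x41" * (32 if et == 18 else 16)
        body += struct.pack(">H", et) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(path, expected_principal):
    """Return entries, file mode and findings: permissions, expected SPN present, weak enctypes."""
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keytab mode %o is readable beyond its owner; chmod 600 and chown to the Apache user" % mode)
    present = {e["principal"] for e in entries}
    if expected_principal not in present:
        findings.append("expected principal %s missing (found: %s)" % (expected_principal, ", ".join(sorted(present)) or "none"))
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s has weak enctype %s; regenerate with AES types only" % (e["principal"], e["enctype_name"]))
    return {"entries": entries, "mode": mode, "findings": findings}


def audit_sample(mode=0o600):
    """Write a constructed keytab (one AES256 entry, one RC4 entry) to a temp file and audit it."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, build_keytab("HTTP/uriahl.com@URIAHL.COM", [18, 23]))
        os.close(fd)
        os.chmod(path, mode)
        return audit_keytab(path, "HTTP/uriahl.com@URIAHL.COM")
    finally:
        os.unlink(path)
```

Run audit_keytab("/usr/local/apache2/keytab/apache.keytab", "HTTP/uriahl.com@URIAHL.COM") on the real file; an empty findings list means the file is owner-only, carries the principal Apache will present, and contains no DES or RC4 keys.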

  • Error #2

[Mon Jun 27 12:25:10.517382 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] [client 192.168.99.1:52174] failed to verify krb5 credentials: Server not found in Kerberos database

As regards the Apache error log message "Server not found in Kerberos database", the information available HERE may be useful to you.
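Both errors above surface as auth_kerb lines in the Apache error log, and on a busy proxy it helps to count them by cause and by client rather than read them one at a time. The following is an added example, not part of the JFrog article: it parses the Apache 2.4 error_log line layout and maps the two messages discussed above to a cause and a fix. The explanation for the first message is the article's; the meaning given for "Server not found in Kerberos database" is the standard libkrb5 semantics (the KDC has no entry for the service principal Apache presents) and is general Kerberos knowledge, not taken from the page. The sample log is constructed: it contains the two lines quoted above plus made-up noise lines.

```python
import re

# Apache 2.4 error_log line layout: [timestamp] [module:level] [pid N:tid M] [client IP:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# Message fragment -> (cause, remediation)
KNOWN_CAUSES = [
    ("KDC has no support for encryption type",
     "AD does not allow an encryption type present in the keytab",
     "enable the type on the AD account, or regenerate the keytab with only AES types"),
    ("Server not found in Kerberos database",
     "the KDC has no entry for the service principal Apache presents (HTTP/<fqdn>@REALM)",
     "confirm the SPN is registered on the mapped AD account and matches the hostname Apache uses"),
]


def classify(line):
    """Parse one error_log line; return a dict for auth_kerb lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("module") != "auth_kerb":
        return None
    rec = m.groupdict()
    rec["cause"], rec["fix"] = "unrecognised auth_kerb message", "read the message text"
    for fragment, cause, fix in KNOWN_CAUSES:
        if fragment in rec["msg"]:
            rec["cause"], rec["fix"] = cause, fix
            break
    return rec


def summarise(lines):
    """Count auth_kerb errors per cause and per client IP across a batch of lines."""
    by_cause, by_client = {}, {}
    for line in lines:
        rec = classify(line)
        if rec is None or rec["level"] != "error":
            continue
        by_cause[rec["cause"]] = by_cause.get(rec["cause"], 0) + 1
        ip = (rec["client"] or "unknown").rsplit(":", 1)[0]
        by_client[ip] = by_client.get(ip, 0) + 1
    return by_cause, by_client


# Constructed sample: the two lines quoted in the article plus made-up noise lines
SAMPLE_LOG = [
    "[Mon Jun 27 13:54:42.271303 2016] [auth_kerb:error] [pid 2301:tid 140157256722176] [client 192.168.99.1:54417] krb5_get_init_creds_password() failed: KDC has no support for encryption type",
    "[Mon Jun 27 12:25:10.517382 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] [client 192.168.99.1:52174] failed to verify krb5 credentials: Server not found in Kerberos database",
    "[Mon Jun 27 12:25:11.000000 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] [client 10.0.0.7:40001] failed to verify krb5 credentials: Server not found in Kerberos database",
    "[Mon Jun 27 12:25:12.000000 2016] [ssl:warn] [pid 1375:tid 140157248329472] server certificate does NOT include an ID which matches the server name",
    "[Mon Jun 27 12:25:13.000000 2016] [auth_kerb:debug] [pid 1375:tid 140157248329472] [client 10.0.0.7:40002] Acquiring creds for HTTP@uriahl.com",
]

if __name__ == "__main__":
    causes, clients = summarise(SAMPLE_LOG)
    for cause, n in causes.items():
        print("%d x %s" % (n, cause))
    print("clients:", clients)
```

Feed it the real file with summarise(open("/private/var/log/apache2/uriahl.com-error_log").readlines()); a single client producing most of the "Server not found" entries usually points at that client requesting a ticket for a hostname other than the one in the keytab, while the enctype error across all clients points at the keytab itself.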

Learn More

  • A good Kerberos overview is available HERE.
  • More information about the Kerberos Module for Apache is available HERE.
  • More information about configuring Apache to use Kerberos authentication is available HERE.