1. (Windows) Create a service account, map the HTTP/ service principal to it with ktpass, and export the keytab.
Import-Module ActiveDirectory
# Service account that will hold the HTTP/ SPN for the OpenBSD host.
New-ADUser unixcomputer_http -UserPrincipalName "unixcomputer_http@company.test" -CannotChangePassword 1 -PasswordNeverExpires 1 -Enabled 1 -Path 'OU=Service Accounts,OU=Unix Systems,OU=09_Corporate_Apps,DC=company,DC=test' -DisplayName "unixcomputer_http.company.test" -Description "Used for Kerberos authentication" -Company "Company" -Department "IS&T" -Division "USG" -Country "CA" -City "Calgary" -AccountPassword (ConvertTo-SecureString -string "SomeReallySecurePassword" -asplaintext -force)
# Map the SPN to the account created above and write its key to a keytab. -mapuser must name
# that account; +rndpass replaces the password set above with a random one, so the keytab
# becomes the only copy of the key.
ktpass -princ HTTP/unixcomputer.company.test@COMPANY.TEST -mapuser unixcomputer_http@company.test -pType KRB5_NT_PRINCIPAL +rndpass -out unixcomputer_http.keytab
Securely copy the keytab to /var/www/conf on the OpenBSD host (the Apache chroot).
2. (OpenBSD) Set permissions on the keytab and install the mod_auth_kerb package
chown root:www /var/www/conf/unixcomputer_http.keytab
chmod 640 /var/www/conf/unixcomputer_http.keytab   # root writes, the chrooted www user reads, nobody else can read the key
pkg_add mod_auth_kerb-5.3p6.tgz
/usr/local/sbin/mod_auth_kerb-enable
3. Configure Apache for Kerberos authentication. Example:
LoadModule auth_kerb_module /usr/lib/apache/modules/mod_auth_kerb.so
<Location "/cgi-bin/cvsweb">
    AuthType Kerberos
    # Path is relative to the /var/www chroot, i.e. /var/www/conf/unixcomputer_http.keytab
    Krb5Keytab /conf/unixcomputer_http.keytab
    KrbServiceName HTTP
    KrbAuthRealms COMPANY.TEST
    # Verify presented service tickets against the local keytab (protects against a spoofed KDC)
    KrbVerifyKDC on
    # SPNEGO/GSSAPI only; no fallback that would send the user's password over Basic auth
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    require user admin@COMPANY.TEST user1@COMPANY.TEST user2@COMPANY.TEST
</Location>
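Before wiring the keytab into Apache it is worth checking that it is locked down on disk and that its key actually matches what the KDC holds (a stale kvno or an unmapped SPN shows up here, not in the browser). The script below is an added example and is not part of the original post; the keytab path, principal and URL are assumptions taken from the post's own values, and the KDC and HTTP checks only run when kinit and curl are installed on the host.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the HTTP/ keytab.
# KEYTAB, PRINC and URL below are assumptions based on the values used in the post.
KEYTAB=${KEYTAB:-/var/www/conf/unixcomputer_http.keytab}
PRINC=${PRINC:-HTTP/unixcomputer.company.test@COMPANY.TEST}
URL=${URL:-https://unixcomputer.company.test/cgi-bin/cvsweb/}

# keytab_perm_ok FILE [OWNER]
# Returns 0 when FILE exists, is owned by OWNER (default root) and grants nothing
# to "other". Group read is allowed because the chrooted www user needs it.
# Parses ls -l so it works on both BSD and GNU userland.
keytab_perm_ok() {
    f=$1; want_owner=${2:-root}
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")
    mode=$1; owner=$3
    [ "$owner" = "$want_owner" ] || return 1
    # characters 8-10 of the mode string are the "other" permission bits
    [ "$(printf '%s' "$mode" | cut -c8-10)" = "---" ]
}

# keytab_kdc_ok FILE PRINCIPAL
# Proves the keytab key matches the KDC's copy by obtaining a TGT with it
# (-k -t is accepted by both Heimdal and MIT kinit). Returns 2 if kinit is absent.
# Uses a throwaway credential cache so the admin's own tickets are untouched.
keytab_kdc_ok() {
    command -v kinit >/dev/null 2>&1 || return 2
    cc=/tmp/krb5cc_keytabcheck.$$
    KRB5CCNAME=$cc kinit -k -t "$1" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$cc"
    return $rc
}

# negotiate_http_code URL
# Prints the HTTP status curl receives when it authenticates with SPNEGO.
# Needs a valid TGT for a user in the "require user" list (run kinit first).
negotiate_http_code() {
    command -v curl >/dev/null 2>&1 || return 2
    curl --negotiate -u : -s -o /dev/null -w '%{http_code}' "$1"
}

# Report when run directly on the server; nothing here aborts the script.
if keytab_perm_ok "$KEYTAB"; then
    echo "ok:   $KEYTAB is root-owned and not readable by others"
else
    echo "WARN: $KEYTAB missing, not root-owned, or readable by others"
fi
keytab_kdc_ok "$KEYTAB" "$PRINC"
case $? in
    0) echo "ok:   KDC accepted the keytab key for $PRINC" ;;
    2) echo "skip: kinit not installed" ;;
    *) echo "WARN: kinit with keytab failed (wrong key/kvno, or SPN not mapped to the account)" ;;
esac
code=$(negotiate_http_code "$URL") && echo "HTTP $code from $URL (expect 200 with a ticket, 401 without)"
```

Run it as root on the OpenBSD host after step 2; a WARN on the first line means any local user can read the service key, and a WARN on the second usually means ktpass was run again (new kvno) without re-copying the keytab.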
Links:
mod_auth_kerb homepage
Using mod_auth_kerb and Windows 2000/2003/2008R2 as KDC
Using negotiate authentication (GSSAPI Kerberos) with Firefox