Apache and kerberos authentication within AD domain

I was asked lately to check some things connected with authentication users accessing Apache based web-site against AD. It is quite simple but requires some configuration so I’ve gathered things all together and here is is – how to make Apache web server authenticating users against AD using mod_auth_kerb module.

Here’s a recipe for mine dish:

• Debian Linux (www.debian.org)
• Apache 2.0.59 ( http://httpd.apache.org/download.cgi
• mod_auth_kerb 5.0rc7 ( http://modauthkerb.sourceforge.net/ )
• Linux Kerberos implementation – in mine case it was Heimdal Kerberos implementation installed from Debian packages installed with dependencies (which includes krb5-conf package)
• Windows 2003 Active Directory environment

I’ve installed Heimdal Kerberos implementation from debian package and Apache was compiled from sources with standard options.
First of all – Kerberos authentication. When connectivity between domain controller and Apache server is in place, name resolution was properly configured and time synchronization also is working between domain and Apache host we can configure authentication against Kerberos in our Linux system.
To do this we have to edit krb5.conf file placed in /etc directory to configure Kerberos realm for our domain. It’s pretty simple, we have to add our Kerberos realm configuration to this file as presented below (DOMAIN.COM is our AD domain):

[libdefaults]
 default_realm = DOMAIN.COM
 krb4_get_tickets = false

[realms]
DOMAIN.COM = {
 kdc = dc.domain.com
 admin = dc.domain.com
}

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

Please notice krb4_get_tickets = false directive in libdefaults section. It prevents from requesting Kerbers 4 tickets which are not used with AD, and without it some errors were logged and prevented authentication module from doing its work.
We can now test it by requesting ticket for valid AD user account with kinit utility:

kinit johndoe@DOMAIN.COM

If everything works fine we should be asked to provide johndoe password and get valid Kerberos ticket for this user (You can list tickets with klist utility). If something is not working and You are getting some error messages now its time to troubleshooting.
Assuming that our configuration is OK we have to build Kerberos authentication module from sources provided on project site. Generally You should stick to build procedure which is provided on project’s web site but … we need only Kerberos 5as AD doesn’t have Kerberos 4 implemented. In installation instructions we are advised to use –with-krb4=no directive to exclude support for Kerberos 4. But using this directive I wasn’t able to build this package, so I’ve dropped it and used only –with=krb5 directive for configure script and it was build without any errors.
Now its time for preparing AD account for Apache web server. Why we need this – because we need service principal for this host in our AD to be able to get valid ticket for it to out user.
To do this we have to create an account in AD directory and than associate our Apache web server service principal with this account . Before we can do this, we have to be sure that appropriate FQDN was assigned to our Apache host in DNS, as we have to use this name in this process. Basically we have to point our configuration to FQDN which will be used by users to access our web server (let’s assume that this was done and FQDN for our web server is apache.domain.com.
We have to create Kerberos keytab file which will be used in our configuration and to do this we have to use ktpass utility. Utility itself is a part of Support Tools and its usage is described in KB 3245144.
KTPass usage in our case should look like this:

ktpass -princ HTTP/apache.domain.com@DOMAIN.COM
-mapuser <username>
-crypto DES-CBC-MD5
-ptype KRB5_NT_PRINCIPAL
-mapop set +desonly
-pass <password> -out <keytab file name>

File produced as a result of this command should be delivered to our Apache web server. Be sure to remember to assign permissions to read this file for account which is used to run httpd process. Be sure that ServerName in Apache configuration file matches FQDN configured for this host in DNS and used when keytab file was generated.
Final step is Apache configuration to take advantage of our new module. This is done through configuration in chosen <Directory> section of httpd.conf file (or any other file with our Apache configuration).

AuthType Kerberos
AuthName “Kerberos realm” 
KrbServiceName HTTP
Krb5Keytab <keytab file path >
KrbMethodNegotiate on
KrbMethodK5Passwd off
require user < UPNs of users who should be able to access this web site>

Description of all configuration directives for Kerberos authentication module can be found on project web page.
If everything was done correctly You should be able to access this web page using credentials of users configured in require user directive, based on their AD credentials. Remember that You should access this web site using FQDN configured in DNS and in this version Kerberos authentication module doesn’t support logging using UPN from client side (You can’t specify johndoe@domain.com when You will be asked about credentials).

Few things to remember:

• DNS names resolution: if you are configuring Your solution be sure to take care about proper DNS names resolution between Your hosts, configuring rev-DNS entries for them is also good habit.
• Time synchronization: as Kerberos authorization strongly rely on time You have to put some time synchronization process between your Apache host and domain in place. NTP client is one of possible solutions.
• If You are experiencing some problems to get such configuration working LogLevel Debug directive in Apache configuration is Your friend. Most of useful information will be places in error_log.

My goal was also to check how this behaves in environment when two forests are configured with a trusts . Both forest were Windows 2003 in Windows 2003 mode, and one-way trust was configured between them. It works with any modifications to configuration specified above, to authenticate user across the trust only valid user name from trusted forest has to be added to configuration file.

As it was easy to predict selective authentication enabled for the trust has no effect on how users are authenticated against Apache web site. It always works well, which may be not desired but well … this mechanism was not intended to manage access to non-Windows hosts without host account in the domain.

What is missing in this story is authorization, mod_auth_kerb takes care only for authentication of a user but You can’t use it to authorize user against resources using AD groups for example. I’ve read some posts about using patched mod_auth_ldap to achieve this but I didn’t manage to get authorization based on mod_auth_ldap and AD groups working in my lab. Idea behind this is quite simple – user Kerberos for authentication, pass this authentication through to LDAP module and get only authorization based on group.

I’m still looking for solution, as patch which is available on some sites for mod_auth_ldap.c isn’t working in my case. If somebody has solved this problem – please send me an e-mail or leave comment under this post. If I will figure out something (probably solution is obvious but I’m not able to find it as it happens) I will post update for this entry.

That’s all for now.

After I’ve went through it by myself and I was looking for authorization solution on this module project’s forum I’ve found a lot of redirections to Achims Grolms web page which contains detailed “How to” regarding such configuration. Once again wheel has been reinvented. I’m posting also this url for anyone for whom my description contains not every detail they wanted to find – Achim’s page contains few more tips how to test it.