Single Sign On for intranet with Apache and Linux MIT Kerberos

apache-2.2 active-directory kerberos single-sign-on mitkerberos

EDIT: SOLVED! See my answer below.

Greetings, I am looking for a way to do a single sign on to an intranet in the following manner:

  1. A Linux user logs on via a graphical frontend (for example, GNOME).
  2. He automatically requests a TGT for his username from the MIT Kerberos KDC.
  3. Via some way or another, the Apache server (which we'll assume is on the same server as the KDC), is informed that this user has logged in.
  4. When the user accesses the intranet, he is automatically granted access to his web applications.

I don't think I've seen this kind of functionality while searching the net. I know the following possibilities exist:

  • Using an authentication module such as mod_auth_kerb, a user is presented with a login prompt to enter his username and password, which are then authenticated against the MIT Kerberos server. (I would like this to be automatic.)
  • IIS supports integrated Windows logon via ASP.Net when the user is part of an Active Directory. (I'm looking for the Linux / Apache equivalent.)

Any suggestions, criticism and ideas are highly appreciated. This is for a school project to show a proof-of-concept, so every handy piece of information is more than welcome. :)


I found it!

I followed the instructions on https://help.ubuntu.com/community/SingleSignOn (See: "Application Installation") to configure the Apache webserver.

Here is my httpd.conf [IMAGE]:

ServerName www.eindwerk.lan

< Directory /var/www/ > Options Indexes FollowSymLinks MultiViews

   AllowOverride None
   Order allow,deny
   allow from all

  AuthType Kerberos

KrbMethodNegotiate on

KrbMethodK5Passwd on

  AuthName "Kerberos Login"
  KrbAuthRealm EINDWERK.LAN
  Krb5Keytab /etc/apache2/auth/apache2.keytab
  require valid-user

< /Directory >

  1. Then, I configured Mozilla Firefox to trust my internal site (www.eindwerk.lan) [IMAGE]:

    network.negotiate-auth.delegation-uris : eindwerk.lan

    network.negotiate-auth.trusted-uris: eindwerk.lan

  2. Do a kinit in a terminal. [IMAGE]

  3. Browse to the internal site: You are now automatically logged in!

    How does this work?

    • Mozilla Firefox does a regular HTTP/GET request.
    • Apache replies with HTTP/401 Authorization Required.
    • Mozilla Firefox replies with the Kerberos token we just got with kinit. [IMAGE OF WIRESHARK CAPTURE]
    • Kerberos authentication occurs, and Apache replies with HTTP/200 OK.

  4. Do a klist in a terminal. You should see the ticket for the webserver! [IMAGE]

  5. Do a kdestroy in a terminal. [IMAGE]

  6. Hard refresh (CTRL+F5) the internal site. You are now presented with a login prompt! [IMAGE]

Related

How can I get apache to serve static content in a reverse-proxied setup?
Scaling beyond 65k open files (TCP connections)
How to check who blocks ICMP during MTU path negotiation?
Postfix block local user from sending
Linux Kernel crash mutex_lock_slowpath "blocked for more than 120 seconds". What to do?
How Can I forward all requests from my GoDaddy domain name to my DynDns entry?
Debugging mysql too many connections problem
How to replace a text string in multiple files in Linux
TIME_WAIT in netstat of Apache processes
active directory + squid planning for a large network with over than 7000 users
Can I use multiple email servers at once?
Configuring ASP.NET MVC2 on Apache 2.2 using mod_aspdotnet