Single Sign On for intranet with Apache and Linux MIT Kerberos
EDIT: SOLVED! See my answer below.
Greetings, I am looking for a way to do a single sign on to an intranet in the following manner:
- A Linux user logs on via a graphical frontend (for example, GNOME).
- He automatically requests a TGT for his username from the MIT Kerberos KDC.
- Via some way or another, the Apache server (which we'll assume is on the same server as the KDC) is informed that this user has logged in.
- When the user accesses the intranet, he is automatically granted access to his web applications.
I don't think I've seen this kind of functionality while searching the net. I know the following possibilities exist:
- Using an authentication module such as mod_auth_kerb, a user is presented with a login prompt to enter his username and password, which are then authenticated against the MIT Kerberos server. (I would like this to be automatic.)
- IIS supports integrated Windows logon via ASP.Net when the user is part of an Active Directory. (I'm looking for the Linux / Apache equivalent.)
Any suggestions, criticism and ideas are highly appreciated. This is for a school project to show a proof-of-concept, so every handy piece of information is more than welcome. :)
I found it!
I followed the instructions on https://help.ubuntu.com/community/SingleSignOn (See: "Application Installation") to configure the Apache webserver.
Here is my httpd.conf:

ServerName www.eindwerk.lan
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    # mod_auth_kerb: accept a Kerberos ticket via SPNEGO (Negotiate) ...
    AuthType Kerberos
    KrbMethodNegotiate on
    # ... and fall back to a Basic password prompt checked against the KDC
    KrbMethodK5Passwd on
    AuthName "Kerberos Login"
    KrbAuthRealm EINDWERK.LAN
    # service keytab for HTTP/www.eindwerk.lan, readable only by the Apache user
    Krb5Keytab /etc/apache2/auth/apache2.keytab
    Require valid-user
</Directory>
Then, I configured Mozilla Firefox to trust my internal site (www.eindwerk.lan):
network.negotiate-auth.delegation-uris: eindwerk.lan
network.negotiate-auth.trusted-uris: eindwerk.lan
Do a kinit in a terminal.
Browse to the internal site: You are now automatically logged in!
How does this work?
- Mozilla Firefox does a regular HTTP/GET request.
- Apache replies with HTTP/401 Authorization Required.
- Mozilla Firefox replies with the Kerberos token we just got with kinit.
- Kerberos authentication occurs, and Apache replies with HTTP/200 OK.
Do a klist in a terminal. You should see the ticket for the webserver!
Do a kdestroy in a terminal.
Hard refresh (CTRL+F5) the internal site. You are now presented with a login prompt!
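To check which of the two methods a browser actually used in the exchange above (a Kerberos/SPNEGO token in the Negotiate header, or the KrbMethodK5Passwd fallback that sends the password as plain base64 in a Basic header), here is an added example in Python that parses a captured Authorization header; it is not part of the original answer, the sample headers are constructed, and the inner token is a placeholder rather than a real NegTokenInit.

```python
import base64
# DER-encoded mechanism OIDs: SPNEGO (RFC 4178) and Kerberos V5 GSS-API (RFC 4121)
OID_SPNEGO = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
MECH_NAMES = {OID_SPNEGO: "spnego", OID_KRB5: "krb5"}

def der_length(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def negotiate_header(mech_oid, inner):
    """Build a 'Negotiate <b64>' value wrapping inner as a GSS-API InitialContextToken
    (RFC 2743 s.3.1): 0x60 <len> 0x06 <len> <mech OID> <inner>. inner is a placeholder."""
    body = b"\x06" + der_length(len(mech_oid)) + mech_oid + inner
    token = b"\x60" + der_length(len(body)) + body
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def classify_authorization(header):
    """Return (scheme, detail) describing which method the client actually used."""
    scheme, _, blob = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # KrbMethodK5Passwd fallback: user:password is only base64-encoded, not encrypted
        user, _, _password = base64.b64decode(blob).decode("latin-1").partition(":")
        return "basic", user
    if scheme != "negotiate":
        return "other", scheme
    token = base64.b64decode(blob)
    if len(token) < 2 or token[0] != 0x60:
        return "negotiate", "malformed"
    _, pos = read_der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        return "negotiate", "malformed"
    oid_len, pos = read_der_length(token, pos + 1)
    return "negotiate", MECH_NAMES.get(token[pos:pos + oid_len], "unknown-mech")

# Constructed sample headers (not taken from the original capture)
SAMPLE_NEGOTIATE = negotiate_header(OID_SPNEGO, b"\xa0\x03\x02\x01\x00")
SAMPLE_BASIC = "Basic " + base64.b64encode(b"jdoe:hunter2").decode("ascii")
```

Seeing "basic" results in a capture means a client never obtained a ticket (no kinit, or the site is missing from network.negotiate-auth.trusted-uris) and typed its password into the prompt instead.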