Single Sign On for intranet with Apache and Linux MIT Kerberos

EDIT: SOLVED! See my answer below.

Greetings, I am looking for a way to do a single sign on to an intranet in the following manner:

  1. A Linux user logs on via a graphical frontend (for example, GNOME).
  2. He automatically requests a TGT for his username from the MIT Kerberos KDC.
  3. Via some way or another, the Apache server (which we'll assume is on the same server as the KDC), is informed that this user has logged in.
  4. When the user accesses the intranet, he is automatically granted access to his web applications.

I don't think I've seen this kind of functionality while searching the net. I know the following possibilities exist:

  • Using an authentication module such as mod_auth_kerb, a user is presented with a login prompt to enter his username and password, which are then authenticated against the MIT Kerberos server. (I would like this to be automatic.)
  • IIS supports integrated Windows logon via ASP.Net when the user is part of an Active Directory. (I'm looking for the Linux / Apache equivalent.)

Any suggestions, criticism and ideas are highly appreciated. This is for a school project to show a proof-of-concept, so every handy piece of information is more than welcome. :)


I found it!

I followed the instructions on https://help.ubuntu.com/community/SingleSignOn (See: "Application Installation") to configure the Apache webserver.

Here is my httpd.conf [IMAGE]:

    ServerName www.eindwerk.lan

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

        AuthType Kerberos
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        AuthName "Kerberos Login"
        KrbAuthRealm EINDWERK.LAN
        Krb5Keytab /etc/apache2/auth/apache2.keytab
        require valid-user
    </Directory>

  1. Then, I configured Mozilla Firefox to trust my internal site (www.eindwerk.lan) [IMAGE]:

    network.negotiate-auth.delegation-uris: eindwerk.lan

    network.negotiate-auth.trusted-uris: eindwerk.lan

  2. Do a kinit in a terminal. [IMAGE]

  3. Browse to the internal site: You are now automatically logged in!

    How does this work?

    • Mozilla Firefox does a regular HTTP/GET request.
    • Apache replies with HTTP/401 Authorization Required.
    • Mozilla Firefox replies with the Kerberos token we just got with kinit. [IMAGE OF WIRESHARK CAPTURE]
    • Kerberos authentication occurs, and Apache replies with HTTP/200 OK.
  4. Do a klist in a terminal. You should see the ticket for the webserver! [IMAGE]

  5. Do a kdestroy in a terminal. [IMAGE]

  6. Hard refresh (CTRL+F5) the internal site. You are now presented with a login prompt! [IMAGE]
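To check which path a request actually took (ticket-based Negotiate, or the password prompt that `KrbMethodK5Passwd on` falls back to after `kdestroy`), the `Authorization` header the browser sends can be classified. This is an added example, not part of the original answer; it assumes the password fallback is carried as HTTP Basic, and the user `alice` and all sample tokens are constructed.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def classify_authorization(value):
    """Classify one HTTP Authorization header value as (scheme, detail)."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed base64"
    if scheme == "basic":
        # Password fallback: "user:password", merely base64-encoded.
        user = raw.split(b":", 1)[0].decode("utf-8", "replace")
        return "basic", "password sent for user " + user
    if scheme == "negotiate":
        if raw.startswith(b"NTLMSSP\x00"):
            return "negotiate", "ntlm"
        # GSS-API initial token: tag 0x60, DER length, then the mechanism OID.
        if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
            return "negotiate", ("spnego+kerberos" if KRB5_OID in raw else "spnego")
        if raw[:1] == b"\x60" and KRB5_OID in raw[:16]:
            return "negotiate", "kerberos"
        return "negotiate", "unknown token"
    return scheme, "not handled here"

def _b64(data):
    return base64.b64encode(data).decode("ascii")

# Constructed samples: token prefixes only, no real ticket or captured traffic.
SAMPLES = {
    "after kinit": "Negotiate " + _b64(
        b"\x60\x82\x02\x00\x06\x06" + SPNEGO_OID
        + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b\x06\x09" + KRB5_OID),
    "after kdestroy": "Basic " + _b64(b"alice@EINDWERK.LAN:example-password"),
    "ntlm client": "Negotiate " + _b64(b"NTLMSSP\x00\x01\x00\x00\x00"),
}

def classify_samples():
    return {name: classify_authorization(v) for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:15} -> {result}")
```

If the "after kdestroy" case shows up on a site served over plain HTTP, the password crosses the network base64-encoded only; serving the site over TLS or setting `KrbMethodK5Passwd off` avoids that.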