apache using mod_auth_kerb always asks for the password twice

Solution 1:

I don't know if you still need the answer, but I hope I will help someone else by sharing my experience. I believe if you follow these steps, everything will work fine.

  1. Make sure you have a proper DNS entry for SYD01TBUG02 (A record) on your DNS server pointing to your webserver
  2. Make sure that you have an association between the SPN of your webservice and an AD user. On the AD server run this command:

    setspn -A HTTP/SYD01TBUG02.onevue.com.au.local ad_username

  3. Make sure that you have a proper keytab generated. Run this command on your AD server:

    ktpass -princ HTTP/[email protected] -mapuser ad_username -pass xxxxxx -crypto ALL -ptype KRB5_NT_PRINCIPAL -out SYD01TBUG02.keytab -setupn -setpass

    where xxxxxx is the AD user's password. We use the -crypto ALL option to make sure we add all supported hashes to the keytab file.
  4. Now you should copy the generated SYD01TBUG02.keytab file to your webserver and copy it to a certain directory. For example, let's copy it to the /etc/apache2/keytab/ folder.
  5. Example of apache config file for webservice:
    <VirtualHost *:80>
        DocumentRoot "/var/www/kerberos"
        ServerName SYD01TBUG02.onevue.com.au.local
        ServerAlias SYD01TBUG02
        AddDefaultCharset UTF-8
        DirectoryIndex index.php
        ErrorLog /var/log/apache2/error_SYD01TBUG02.log
        TransferLog /var/log/apache2/transfer_SYD01TBUG02.log
        LogLevel warn
        ServerAdmin [email protected]

        <Location "/">
            AuthType Kerberos
            KrbAuthRealms ONEVUE.COM.AU.LOCAL
            KrbServiceName HTTP/[email protected]
            Krb5Keytab /etc/apache2/keytab/SYD01TBUG02.keytab
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            KrbVerifyKDC on
            require valid-user
        </Location>
        <Directory />
        </Directory>
    </VirtualHost>
    
  6. Reload or restart apache: sudo service apache2 reload
  7. Now if you type http://SYD01TBUG02/ in your browser address bar, you will be automatically logged in to your web service via SSO (Chrome, Chromium-like browsers and IE support SSO out of the box, but there is also a plugin for Firefox).

Hope that will help you set up your Kerberos auth on the webserver.

P.S. If you want to enable SSO by full address (e.g. SYD01TBUG02.onevue.com.au.local) you should add SYD01TBUG02.onevue.com.au.local to the intranet zone either via AD Group Policies (if you need this on several machines in the domain) or locally via Internet Explorer settings. These settings affect all browsers installed on the system.
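A common reason the steps above still end in a password prompt is that the keytab copied to the webserver does not actually contain the principal named in KrbServiceName, or contains it only with an encryption type the client will not negotiate. The following is an added example, not part of the original answer and not code from mod_auth_kerb or ktpass: it parses the MIT keytab file format (version 0x0502, which ktpass also writes) and reports which encryption types and key version numbers are present for a given principal, without ever printing key material. The service principal is assembled from the SPN in the setspn line and the realm in KrbAuthRealms; the keytab bytes are constructed in the script itself with dummy keys so it runs offline, and the AES enctypes that keytab_serves treats as "modern" are an assumption of this example.

```python
import struct

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # RC4; the key is the NT password hash itself
}


def _octets(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 3) -> bytes:
    """Serialise one MIT keytab entry. Only used here to construct sample
    input; in real life ktpass or kadmin produces the file."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    for c in components:
        body += _octets(c.encode())
    body += struct.pack(">II", 1, 0)        # name type KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version number
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)         # optional 32-bit key version number
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes):
    """Yield (principal, enctype, kvno) for every live entry in a v0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 8                            # name type + timestamp, not needed here
        vno8 = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                         # skip the key: never expose key material
        kvno = vno8
        if end - pos >= 4:                  # 32-bit vno present after the key
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        yield "/".join(comps) + "@" + realm, enctype, kvno


def enctypes_for(data: bytes, principal: str) -> dict:
    """Map enctype -> kvno for one principal; empty when the keytab lacks it."""
    return {e: v for p, e, v in parse_keytab(data) if p == principal}


def keytab_serves(data: bytes, principal: str, required=(17, 18)) -> bool:
    """True when the principal is present with at least one AES enctype
    (assumption of this example: AES is what current clients negotiate)."""
    found = enctypes_for(data, principal)
    return bool(found) and any(e in found for e in required)


# Constructed sample resembling a ktpass -crypto ALL result for the answer's SPN.
# Key bytes are dummies, not real keys.
SERVICE_PRINCIPAL = "HTTP/SYD01TBUG02.onevue.com.au.local@ONEVUE.COM.AU.LOCAL"
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(SERVICE_PRINCIPAL, et, bytes([et]) * n, kvno=3)
    for et, n in ((23, 16), (17, 16), (18, 32))
)

if __name__ == "__main__":
    # Replace SAMPLE_KEYTAB with open("/etc/apache2/keytab/SYD01TBUG02.keytab", "rb").read()
    for p, e, v in parse_keytab(SAMPLE_KEYTAB):
        print(f"{p}  enctype={ENCTYPE_NAMES.get(e, e)}  kvno={v}")
    print("usable for KrbServiceName:", keytab_serves(SAMPLE_KEYTAB, SERVICE_PRINCIPAL))
```

Two things to check against the output: the principal string must match KrbServiceName character for character (realm included, case-sensitive), and the kvno must equal the one the KDC currently holds for the account, since every ktpass -setpass run bumps it and silently invalidates older keytabs.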

Solution 2:

That's because the first time the user enters u/p, an NTLM token is sent to the server. The second time it's the correct Kerberos token.

Unfortunately there is no way you can eliminate the first prompt.