Seamless authentication for corporate users on an external website

Background:

Global company with multiple locations and disparate networks and IT systems. The majority of the networks are Windows-based and running Active Directory, and some are connected via ADFS. Some are pure Mac networks. One location doesn't have a network or domain controller.

An external website hosted on a LAMP environment (CentOS 6, Apache 2.2, MySQL 5.1, PHP 5.3) acts as the company intranet. Currently users have to log in to the intranet with a different set of credentials from their domain account.

Scenario:

The web team want to enable seamless authentication, so that users do not need to log in to the intranet when accessing it from inside any of the corporate networks, but also to let them use their domain credentials when accessing the site from home or outside the office.

Other users will continue to have a separate user name and password.

For Consideration:

  • Users have a choice of browsers
  • UK company IT support are Windows only
  • Web team are LAMP based with minimal knowledge of IIS
  • If successful for UK the system will be extended to all other countries
  • Another project is ongoing to connect all Windows networks within the company using ADFS, but that won't be complete for 6+ months

I have gone through the forum and found a number of posts and answers that take me some of the way but still leave me with a few questions, the primary one being: Can we achieve seamless authentication for corporate users on an external website?

Some of the posts I have reviewed

  • AD Single sign on ...
  • Automatically authenticating windows users ...
  • Check AD users with LDAP ...
  • Microsoft AD and php ...

For anyone who comes across this post we did the following:

  1. Created a VPN tunnel between the web server and a DC in the AD forest
  2. Edited the /etc/hosts file to add mappings for each domain KDC in the forest
  3. Edited /etc/krb5.conf to specify the realms and their KDCs, and added domain-realm mappings for each
  4. Edited the virtual host file for the site to add a location (you could use a directory block) requiring Kerberos authentication
  5. Added a space-separated list of all realms to the location block
  6. Generated keytab files for each domain and installed them on the Linux server

Probably not ideal but it works.

Set up a VPN between the web server


Simple answer is yes, it can be achieved.

I've edited the question with the steps we took to achieve the seamless authentication. I have left out the VPN tunnel configuration as that was not part of my remit, but basically you need to allow bi-directional TCP/UDP traffic over ports 88 and 750 for Kerberos.
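As an added example (not the original poster's configuration files), the POSIX shell script below renders the three artefacts that steps 2 to 5 in the question describe: the /etc/hosts entries for the KDCs reached over the VPN tunnel, an /etc/krb5.conf with every realm and its domain-to-realm mapping, and the Apache 2.2 mod_auth_kerb <Location> block carrying the space-separated realm list. The two-realm forest (EXAMPLE.COM and EU.EXAMPLE.COM), the KDC hostnames and addresses, the site name intranet.example.com, the service account name and the keytab path are all constructed assumptions; step 6 appears only as a comment because it runs on the domain controllers.

```shell
#!/bin/sh
# Added example, not the original poster's files: renders the configuration from
# steps 2-5 for a constructed two-realm forest. Realms, KDC names and addresses,
# site name, service account and keytab path are placeholders.

# One line per KDC reachable over the VPN tunnel:  REALM  KDC_FQDN  IP
KDCS='
EXAMPLE.COM     dc01.example.com     10.0.1.10
EU.EXAMPLE.COM  dc01.eu.example.com  10.0.2.10
'
SITE_FQDN=intranet.example.com    # hostname users type into the browser (assumed)
KEYTAB=/etc/httpd/krb5.keytab     # merged keytab from step 6 (assumed path)

# Run "$@" once per KDC line, passing realm host ip; blank lines are skipped.
each_kdc() {
  printf '%s\n' "$KDCS" | while read -r realm host ip; do
    [ -n "$realm" ] && "$@" "$realm" "$host" "$ip"
  done
}

# Step 2: /etc/hosts lines so the KDCs resolve without corporate DNS on the web server
render_hosts() { each_kdc _hosts_line; }
_hosts_line() { printf '%s %s\n' "$3" "$2"; }

# Step 3: /etc/krb5.conf. DNS lookups are disabled because the KDCs are only
# reachable through the tunnel and are pinned in /etc/hosts above.
render_krb5_conf() {
  first=$(each_kdc _realm_only | head -n 1)
  printf '[libdefaults]\n  default_realm = %s\n' "$first"
  printf '  dns_lookup_kdc = false\n  dns_lookup_realm = false\n\n'
  printf '[realms]\n'
  each_kdc _realm_stanza
  printf '\n[domain_realm]\n'
  each_kdc _domain_map
}
_realm_only()   { printf '%s\n' "$1"; }
_realm_stanza() { printf '  %s = {\n    kdc = %s\n    admin_server = %s\n  }\n' "$1" "$2" "$2"; }
_domain_map() {
  # Map both "example.com" and any host under ".example.com" to its realm
  dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '  .%s = %s\n  %s = %s\n' "$dom" "$1" "$dom" "$1"
}

# Steps 4-5: Apache 2.2 <Location> for mod_auth_kerb. KrbMethodNegotiate serves the
# on-network SSO case; KrbMethodK5Passwd lets off-site users type their domain
# password, which travels as HTTP Basic, so SSLRequireSSL refuses plain HTTP.
render_apache_location() {
  realms=$(each_kdc _realm_only | tr '\n' ' ' | sed 's/ $//')
  cat <<EOF
<Location /intranet>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Corporate intranet"
  KrbServiceName HTTP/$SITE_FQDN
  KrbAuthRealms $realms
  Krb5KeyTab $KEYTAB
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbSaveCredentials Off
  KrbVerifyKDC On
  require valid-user
</Location>
EOF
}

# Step 6 (on a DC of each realm, as a domain admin), then merge on the web server:
#   ktpass /princ HTTP/intranet.example.com@EXAMPLE.COM /mapuser svc_intranet@EXAMPLE.COM \
#          /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out http-example.keytab
#   ktutil  ->  rkt http-example.keytab ; rkt http-eu.keytab ; wkt /etc/httpd/krb5.keytab
#   chown apache:apache /etc/httpd/krb5.keytab && chmod 600 /etc/httpd/krb5.keytab
# Checks before restarting httpd:
#   klist -kt /etc/httpd/krb5.keytab
#   kinit -kt /etc/httpd/krb5.keytab HTTP/intranet.example.com   # proves the key matches the KDC

# Render everything to stdout for review when invoked as: sh this-script.sh render
if [ "${1:-}" = "render" ]; then
  render_hosts; echo; render_krb5_conf; echo; render_apache_location
fi
```

Negotiate only fires when the browser is allowed to send a ticket to the site: in Internet Explorer and Chrome that means the intranet hostname sits in the Local Intranet zone, and in Firefox it must be listed in network.negotiate-auth.trusted-uris, which is the part that "users have a choice of browsers" turns into a desktop-support task rather than a web-server one. Off-network users fall through to the KrbMethodK5Passwd prompt, so keep that path TLS-only as the block does.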