This guide explains how to set up Kerberos authentication for an HTTP service on a corporate network based on Active Directory.

All instructions will use the following placeholders:

- COMPANYAD.COM: Windows Domain
- COMPANYAD: NETBIOS Domain
- companyad.com: network domain
- http://service/ and http://service.companyad.com/: URLs of the service
- service.companyad.com: FQDN for the server — this must be the reverse DNS of its IP address!
- service: username of the account for the service
## Client setup

### Windows

No setup required, provided the computer is in the Windows Domain.
### OS X

- Open the Keychain Access application.
- In the Keychain Access menu, select Ticket Viewer.
- Add an identity: [email protected] / your password.
- Set this identity as default.
### Linux

- Install the Kerberos utilities, e.g. `sudo apt-get install krb5-user` on Debian.
- Run `kinit [email protected]` and enter your password.
- (Optional) Check that you have a valid ticket with `klist`.
- (Recommended) Run a ticket renewal task, e.g. `watch -n 3600 "kinit -R"`.
## Browser setup

The following instructions allow accessing any internal website, with or without specifying the domain name.

### Firefox

This setup is required on any operating system.

- Enter about:config in the address bar.
- Read the warning and acknowledge it.
- Enter negotiate in the search field.
- Change the following options:
  - Double-click on `network.negotiate-auth.allow-non-fqdn` to set it to `true`.
  - Double-click on `network.negotiate-auth.delegation-uris` and set it to `.companyad.com`.
  - Double-click on `network.negotiate-auth.trusted-uris` and set it to `.companyad.com`.
No setup is required.
### Chrome

No setup is required on Windows.
On OS X or Linux, you can start Chrome with the `--auth-server-whitelist=.companyad.com` command-line option or create a policy that sets `AuthServerWhitelist` to `.companyad.com`.
No setup is required.
On Windows, you need to use the fully-qualified domain name.
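The trusted-URI list in Firefox (and the whitelist in Chrome) is what decides which hosts receive a Kerberos ticket at all, so it is worth understanding exactly what `.companyad.com` matches and why `allow-non-fqdn` is needed for `http://service/`. The script below is an added example written for this guide, not code from the original post nor from Firefox or Chrome; it models the browsers' host matching in simplified form (the real rules have more cases), and the URLs and list values are the guide's placeholders.

```shell
#!/bin/sh
# Added example, not code from the original guide. A simplified model of the
# decision Firefox makes from network.negotiate-auth.trusted-uris and
# network.negotiate-auth.allow-non-fqdn before it sends a Negotiate (Kerberos)
# token; Chrome's --auth-server-whitelist takes the same kind of suffix list.
# The matching rules are an approximation written for this guide, not the
# browsers' real code.

# negotiate_allowed URL TRUSTED_LIST ALLOW_NON_FQDN
#   URL            page being requested, e.g. http://service/ (a bare host works too)
#   TRUSTED_LIST   comma-separated domain suffixes, e.g. ".companyad.com"
#   ALLOW_NON_FQDN "true" or "false": accept single-label hosts such as "service"
# Returns 0 when a token would be sent to the host, 1 otherwise.
negotiate_allowed() {
    host=${1#*://}; host=${host%%/*}; host=${host%%:*}   # drop scheme, path, port
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    allow_non_fqdn=$3

    # split the trusted list on commas into the positional parameters
    old_ifs=$IFS; IFS=','; set -- $2; IFS=$old_ifs

    # A single-label name such as "service" names no domain, so it cannot be
    # checked against the list; it is accepted only when allow-non-fqdn is on
    # (the guide turns it on so that http://service/ works).
    case "$host" in
        *.*) ;;
        *)  if [ "$allow_non_fqdn" = true ]; then return 0; else return 1; fi ;;
    esac

    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d ' ' | tr 'A-Z' 'a-z')
        [ -n "$entry" ] || continue
        entry=".${entry#.}"          # normalise "companyad.com" to ".companyad.com"
        # the domain itself, or any host below it; the leading dot is what stops
        # ".companyad.com" from matching "notcompanyad.com"
        if [ "$host" = "${entry#.}" ]; then return 0; fi
        case "$host" in
            *"$entry") return 0 ;;
        esac
    done
    return 1
}

# With the guide's setting, show which URLs get a ticket and which do not.
demo() {
    for url in http://service/ http://service.companyad.com/ http://www.example.com/; do
        if negotiate_allowed "$url" ".companyad.com" true; then
            echo "$url -> Negotiate token sent"
        else
            echo "$url -> no token (host not in trusted-uris)"
        fi
    done
}
demo
```

Two points follow from the model. First, keep the leading dot: `.companyad.com` matches `companyad.com` and everything below it, but not `notcompanyad.com` or `companyad.com.evil.example`. Second, `network.negotiate-auth.delegation-uris` is stronger than `trusted-uris`: hosts matching it also receive forwardable credentials that let the web server act as the user towards other Kerberos services, so it should list only servers that genuinely need that, even if the guide sets both to the same value for simplicity.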
## Server setup

We're going to use Apache on Debian because it provides off-the-shelf support for Kerberos.
(If you're using nginx, look at spnego-http-auth-nginx-module. I've heard that it works.)

### Active Directory

This is the short version for Windows 2008. For more information, see Resources below.
- Create a user account called service:
  - Note the password.
  - Deselect "User must change password at next logon".
  - Select "User cannot change password".
  - Select "Password never expires".
- In the "Attribute Editor" tab (enable "Advanced features" in the "View" menu to make it appear):
  - Find the userPrincipalName attribute and set it to `HTTP/[email protected]`
- As an admin, run:

  ```
  setspn -A HTTP/[email protected] COMPANYAD\service
  ```

- In the "Account" tab:
  - Enable "The account supports Kerberos AES 128 bit encryption".
  - Enable "The account supports Kerberos AES 256 bit encryption".
- As an admin, run:

  ```
  ktpass -out service.companyad.com.keytab -princ HTTP/[email protected] -mapuser [email protected] -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL
  ```

- Transfer `service.companyad.com.keytab` securely to the web server and save it as `/etc/apache2/service.companyad.com.keytab`.
### Apache

- Install the Kerberos module. When prompted, set the Kerberos domain to `COMPANYAD.COM`.

  ```
  $ sudo apt-get install libapache2-mod-auth-kerb
  ```

- Make the keytab file readable only by the user under which the web server runs.

  ```
  $ sudo chown root:www-data /etc/apache2/service.companyad.com.keytab
  $ sudo chmod 640 /etc/apache2/service.companyad.com.keytab
  ```

- In the relevant virtual host configuration, add:

  ```
  <Location />
      AuthName "service"
      AuthType Kerberos
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbServiceName HTTP/[email protected]
      KrbAuthRealms COMPANYAD.COM
      Krb5KeyTab /etc/apache2/service.companyad.com.keytab
      KrbLocalUserMapping On
      Require valid-user
  </Location>
  ```

  The only part that's really optional is `KrbLocalUserMapping`. Leave it out if you want usernames in the form [email protected] rather than just firstname.lastname.

- Restart Apache.

  ```
  $ sudo service apache2 restart
  ```
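Two things in the Apache steps above are easy to get subtly wrong and fail quietly: the keytab permissions (the file is the service's long-term key, equivalent to its password, yet Apache's group must still be able to read it) and the `KrbMethodK5Passwd Off` directive (with it `On`, a client that cannot do Negotiate is offered Basic authentication and sends the user's domain password to the web server). The script below is an added example written for this guide, not code from the original post or from mod_auth_kerb; it assumes GNU coreutils (`stat -c`) as on Debian, uses the guide's keytab path, and the virtual host file name is an assumed default that you should adjust.

```shell
#!/bin/sh
# Added example, not code from the original guide: checks to run on the Debian
# web server after the steps above. KEYTAB is the guide's path; VHOST is an
# assumed location for the virtual host file, adjust it to yours.
KEYTAB=${KEYTAB:-/etc/apache2/service.companyad.com.keytab}
VHOST=${VHOST:-/etc/apache2/sites-enabled/000-default.conf}
WEB_GROUP=${WEB_GROUP:-www-data}

# Print the value of the first occurrence of an Apache directive in FILE.
config_directive() {   # config_directive FILE DIRECTIVE
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# The keytab holds the service's long-term key, equivalent to its password:
# group-readable at most, never world-readable, never executable.
# 600 and 640 pass; 644, 660 or 750 fail.
keytab_mode_ok() {     # keytab_mode_ok FILE
    mode=$(stat -c '%a' "$1") || return 1
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # keep the rwx digits only
    [ "$(printf '%s' "$mode" | cut -c3)" -eq 0 ] &&
        [ "$(printf '%s' "$mode" | cut -c2)" -le 4 ] &&
        [ "$(printf '%s' "$mode" | cut -c1)" -le 6 ]
}

# With mode 640 the group is what grants Apache access: it must be the web
# server's group or mod_auth_kerb cannot read the keytab and every login fails.
keytab_group_ok() {    # keytab_group_ok FILE GROUP
    [ "$(stat -c '%G' "$1")" = "$2" ]
}

# Check the directives the guide installs. KrbMethodK5Passwd Off is the one
# to watch: with it On, a client that cannot do Negotiate is offered Basic
# authentication and the user's domain password is sent to the web server.
vhost_ok() {           # vhost_ok FILE KEYTAB_PATH
    conf=$1; keytab=$2
    [ "$(config_directive "$conf" AuthType)" = Kerberos ]     || { echo "AuthType is not Kerberos"; return 1; }
    [ "$(config_directive "$conf" KrbMethodNegotiate)" = On ] || { echo "KrbMethodNegotiate is not On"; return 1; }
    [ "$(config_directive "$conf" KrbMethodK5Passwd)" = Off ] || { echo "KrbMethodK5Passwd must be Off"; return 1; }
    [ "$(config_directive "$conf" Krb5KeyTab)" = "$keytab" ]  || { echo "Krb5KeyTab does not point at $keytab"; return 1; }
    [ "$(config_directive "$conf" Require)" = valid-user ]    || { echo "Require valid-user is missing"; return 1; }
    case "$(config_directive "$conf" KrbServiceName)" in
        HTTP/*@*) return 0 ;;
        *) echo "KrbServiceName should be HTTP/<fqdn>@<REALM>"; return 1 ;;
    esac
}

# Run the three checks against the live paths:  sh kerb-check.sh check
report() {
    if keytab_mode_ok "$KEYTAB" && keytab_group_ok "$KEYTAB" "$WEB_GROUP" && vhost_ok "$VHOST" "$KEYTAB"; then
        echo "keytab permissions and virtual host look consistent"
    else
        echo "fix the problem above before restarting Apache"; return 1
    fi
}
case "${1:-}" in check) report ;; esac
```

Run it as `sudo sh kerb-check.sh check` before restarting Apache, or source it and call the individual functions against a test copy of the configuration. `KrbServiceName` is only checked for shape here; the host part must still be the server's forward and reverse DNS name and the realm must be the one the keytab was generated for, which the script cannot verify offline.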
## Resources

- A practical tutorial (in French): http://wiki.kogite.fr/index.php/Kerberos_et_mod_auth_kerb_pour_SSO_sur_Active_Directory
- An extensive tutorial: http://www.grolmsnet.de/kerbtut/