Providing Active Directory authentication via Kerberos protocol in Apache

Before Getting Started
 
You will need to have hands-on experiences with UNIX, Apache, and Kerberos before continuing on this article.
 
In this example, I will be using Tao Linux 1.0 as the Linux distribution base.  Tao Linux is one of several projects to build a free Linux distribution from the source used in the Red Hat Enterprise product line.  For more information about Tao Linux, please visit their web site at http://taolinux.org.
 
Tao Linux ships with Apache 2 and Kerberos 5.  Please check with the User Guide for package installation.
 
Download the latest version of mod_auth_kerb from http://modauthkerb.sourceforge.net.  We will be using this module to provide Kerberos protocol support in Apache.
 
 
Step 1
 
Uncompress mod_auth_krb and follow the README file to install the module to your Apache's modules directory.
 
# zcat mod_auth_kerb-5.0-rc4.tar.gz | tar xvf -
# cd mod_auth_kerb-5.0-rc4.tar.gz
# ./configure --with-krb4=no --with-krb5=/usr/kerberos
# make
# make install
 
 
Step 2
 
Append this line to the Apache configuration file.  The default location for the configuration file is /etc/httpd/conf/httpd.conf.
 
LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 
Step 3
 
Create a Kerberos keytab file and make it readable by all.  This will be the key entry for the module that you installed in step 1.  The format of the file is HTTP/replace_your_web_server_full_hostname_here@ACTIVE_DIRECTORY_FULL_DOMAIN_NAME
 
# echo HTTP/intranet.example.com@EXAMPLE.COM > /path/auth_kerb.keytab
# chmod ugo+r /path/auth_kerb.keytab
 
 
Step 4
 
Configure the Kerberos configuration file.  The default location for the configuration file is /etc/krb5.conf.  Please see template below.  Replace EXAMPLE.COM with your Active Directory domain's FQDN and dc-01/dc-02.example.com with your domain controllers' FQDN.
 
[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 
[realms]
 EXAMPLE.COM = {
  kdc = dc-01.example.com:88
  kdc = dc-02.example.com:88
 }
 
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
 
 
Step 5
 
Create an .htaccess file and set up a basic authentication.  Please see template below.  Replace /path/auth_kerb.keytab with the location of the keytab file and EXAMPLE.COM with your Active Directory domain's FQDN.
 
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /path/auth_kerb.keytab
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate off
KrbSaveCredentials off
KrbVerifyKDC off
Require valid-user
 
 
Step 6
 
Restart Apache daemon.
 
# service httpd restart
 
 
Notes
 
It is recommended that you tunnel basic password authentication via SSL in Apache using mod_ssl so the password will not be exposed in plain text format.
 
 
Questions and Answers
 
1) How do I test the Kerberos configuration file that I set up in step 4?
 
A: Execute "kinit valid_AD_account_username" and "klist" (without quotes).  For example:
 
# kinit jdoe
Password for jdoe@EXAMPLE.COM: XXXXXXXX
 
# Klist
Ticket cache: FILE/tmp/krb5cc_999
Default principal: jdoe@EXAMPLE.COM
 
Valid starting     Expires            Service principal
04/15/04 18:00:00  04/16/04 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
 
Kerberos 4 ticket cache: /tmp/tkt999
Klist: You have no tickets cached
 
Don't forget to execute "kdestroy" (without quotes) to clear out the ticket file.