MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
Before Getting Started
You will need to have hands-on experiences with UNIX, Apache, and Kerberos before continuing on this article.
In this example, I will be using Tao Linux 1.0 as the Linux distribution base. Tao Linux is one of several projects to build a free Linux distribution from the source used in the Red Hat Enterprise product line. For more information about Tao Linux, please visit their web site at .
Tao Linux ships with Apache 2 and Kerberos 5. Please check with the User Guide for package installation.
Download the latest version of mod_auth_kerb from . We will be using this module to provide Kerberos protocol support in Apache.
Uncompress mod_auth_krb and follow the README file to install the module to your Apache's modules directory.
# zcat mod_auth_kerb-5.0-rc4.tar.gz | tar xvf - # cd mod_auth_kerb-5.0-rc4.tar.gz # ./configure --with-krb4=no --with-krb5=/usr/kerberos # make # make install
Append this line to the Apache configuration file. The default location for the configuration file is /etc/httpd/conf/httpd.conf.
Create a Kerberos keytab file and make it readable by all. This will be the key entry for the module that you installed in step 1. The format of the file is HTTP/replace_your_web_server_full_hostname_here@ACTIVE_DIRECTORY_FULL_DOMAIN_NAME
Configure the Kerberos configuration file. The default location for the configuration file is /etc/krb5.conf. Please see template below. Replace EXAMPLE.COM with your Active Directory domain's FQDN and dc-01/dc-02.example.com with your domain controllers' FQDN.
Create an .htaccess file and set up a basic authentication. Please see template below. Replace /path/auth_kerb.keytab with the location of the keytab file and EXAMPLE.COM with your Active Directory domain's FQDN.
AuthName "Kerberos Login" AuthType Kerberos Krb5Keytab /path/auth_kerb.keytab KrbAuthRealm EXAMPLE.COM KrbMethodNegotiate off KrbSaveCredentials off KrbVerifyKDC off Require valid-user
Restart Apache daemon.
# service httpd restart
It is recommended that you tunnel basic password authentication via SSL in Apache using mod_ssl so the password will not be exposed in plain text format.
Questions and Answers
1) How do I test the Kerberos configuration file that I set up in step 4?
A: Execute "kinit valid_AD_account_username" and "klist" (without quotes). For example:
# kinit jdoe Password for jdoe@EXAMPLE.COM: XXXXXXXX