Debian 8 Jessie
Sponsored Link

Kerberos Authentication
2015/06/03
 
Enable Kerberos Authentication to limit access on specific web pages. Users can authenticate via Windows Active Directory.
Therefore it's necessarry to be running Windows Active Directory in your LAN.
This example based on the environment below.
Domain Server : Windows Server 2012 R2
Domain Name : FD3S01
Realm : FD3S.SRV.WORLD
Hostname : fd3s.srv.world
[1] For example, set Kerberos Authentication under the directory [/var/www/html/auth-kerberos] and also set to be required SSL connection.
root@www:~#
aptitude -y install libapache2-mod-auth-kerb
# specify Realm name

 +------------------+ Configuring Kerberos Authentication +------------------+
 | When users attempt to use Kerberos and specify a principal or user name   |
 | without specifying what administrative Kerberos realm that principal      |
 | belongs to, the system appends the default realm.  The default realm may  |
 | also be used as the realm of a Kerberos service running on the local      |
 | machine.  Often, the default realm is the uppercase version of the local  |
 | DNS domain.                                                               |
 |                                                                           |
 | Default Kerberos version 5 realm:                                         |
 |                                                                           |
 | FD3S.SRV.WORLD________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
# specify Active Directory hostname

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostnames of Kerberos servers in the FD3S.SRV.WORLD Kerberos |
 | realm separated by spaces.                                                |
 |                                                                           |
 | Kerberos servers for your realm:                                          |
 |                                                                           |
 | fd3s.srv.world________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
 
# specify Active Directory hostname

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostname of the administrative (password changing) server for   |
 | the FD3S.SRV.WORLD Kerberos realm.                                     |
 |                                                                           |
 | Administrative server for your Kerberos realm:                            |
 |                                                                           |
 | fd3s.srv.world________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

# create keytab : HTTP/[AD's hostname or IP address]@[Realm name]

root@www:~#
echo "HTTP/fd3s.srv.world@FD3S.SRV.WORLD" > /etc/krb5.keytab
root@www:~#
vi /etc/apache2/sites-available/auth-kerberos.conf
# create new

<Directory /var/www/html/auth-kerberos>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Authntication"
    KrbAuthRealms FD3S.SRV.WORLD
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate Off
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    Require valid-user
</Directory>

root@www:~#
mkdir /var/www/html/auth-kerberos

root@www:~#
a2ensite auth-kerberos

Enabling site auth-kerberos.
To activate the new configuration, you need to run:
  service apache2 reload

root@www:~#
systemctl restart apache2
# create a test page

[root@www ~]#
vi /var/www/html/auth-kerberos/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page for Kerberos Auth
</div>
</body>
</html>
  Access to the test page with web browser, then authentication is required. Input user name on Active Directory and authenticate here.
  Just accessed.
 
Tweet