Authenticate Linux/Apache to Microsoft AD using mod_auth_kerb
-------------------------------------------------------------
2009-01-08

1. Make sure Kerberos is installed (krb5-libs).

2. Set up /etc/krb5.conf:

   [libdefaults]
   default_realm = EXAMPLE.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false

   [realms]
   EXAMPLE.COM = {
     kdc = dc.example.com:88
     admin_server = dc.example.com:749
     default_domain = example.com
   }

   [domain_realm]
   .example.com = EXAMPLE.COM
   example.com = EXAMPLE.COM    ---> this line was not in the krb5.conf on anotherbox.example.com <---

3. Test authentication:
   kinit user@EXAMPLE.COM    (the realm name is case sensitive; use upper case)
   klist                     (should show a ticket-granting ticket for krbtgt/EXAMPLE.COM@EXAMPLE.COM)

4. Create an AD user for the service principal. Both username and password must be letters and numbers only, no punctuation. (Users are in the Computers OU for now.)

5. On the AD domain's PDC Emulator run:
   ktpass -princ HTTP/.example.com@EXAMPLE.COM -mapuser -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass -out c:\.keytab

   Caveat: DES-CBC-MD5 with +DesOnly was the usual choice when this was written, but single DES is a weak cipher that newer Windows releases and MIT krb5 1.8 and later disable by default (krb5 needs allow_weak_crypto = true to accept it). On a current domain use -crypto AES256-SHA1 (or All) and leave +DesOnly off.
   Every ktpass run with -pass resets the account password and bumps its key version number (kvno); the keytab on the web server must carry the current kvno, so copy it again after each run.

5a. Use SETSPN -L to check the result. If something is wrong, use SETSPN to remove all prior SPNs, then try again.

6. Copy c:\keytab from dc.example.com to the linux box's /etc/httpd/conf/. Make the file owned by the user httpd runs as (apache on RHEL/CentOS) and mode 0600: it holds the service's long-term key, and anyone who can read it can impersonate the service.

7. Make sure gcc, make, automake, krb5-devel, and httpd-devel are installed (only needed if you build mod_auth_kerb from source; the package in step 8 does not need them).

8. yum install mod_auth_kerb

9. Edit the conf file for the service to be authenticated and add:

   AuthType Kerberos
   KrbAuthRealms EXAMPLE.COM
   KrbServiceName HTTP
   Krb5Keytab /etc/httpd/conf/.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd on
   require valid-user

   Caveat: KrbMethodK5Passwd on lets a client that cannot do Negotiate fall back to Basic auth, where the browser sends the user's AD password to the web server in the clear, so serve the site over HTTPS only or set it to off. Leave KrbVerifyKDC at its default (on) so that password fallback is checked against the keytab and cannot be spoofed by a fake KDC.

10. service httpd restart

11. Clients must access the site as http(s)://.example.com, the exact hostname in the service principal, because the browser requests a ticket for the name it was given. If the web site has aliases, each alias must have its own service principal in the keytab. For IE to log in automatically without prompting for a password, the user must also have the URL in a zone whose logon setting allows automatic logon, i.e. "Local intranet" (the default) or "Trusted Sites" once that zone is set to automatic logon, either by manual configuration or by group policy.
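The checks a practitioner wants between steps 6 and 10 are "does the keytab actually contain HTTP/<host>@REALM with the right case, name type and kvno, and is it DES-only?". The script below is an added example, not part of the original note and not mod_auth_kerb's or MIT's code. It parses the MIT keytab format (the file ktpass writes and Krb5Keytab reads) directly so it runs offline without krb5-libs; on the real box `klist -kte` shows the same data. The hostname web1.example.com, the dummy key bytes, the fixed timestamp and the helper names build_keytab/parse_keytab/check_keytab are assumptions made for the demo.

```python
#!/usr/bin/env python3
"""Inspect a keytab before handing it to mod_auth_kerb (added example, not from the original note)."""
import struct

# Encryption-type numbers (RFC 3961/3962/4757); ktpass -crypto names in comments.
ENCTYPES = {
    1: "des-cbc-crc",               # DES-CBC-CRC
    3: "des-cbc-md5",               # DES-CBC-MD5, what step 5 asks for
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",  # AES128-SHA1
    18: "aes256-cts-hmac-sha1-96",  # AES256-SHA1
    23: "arcfour-hmac",             # RC4-HMAC-NT
}
# Single DES is off by default in MIT krb5 >= 1.8 and current Windows; RC4 is deprecated.
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1  # the -ptype given to ktpass


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string (keytab counted_octet_string)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Decode a version 0x0502 MIT keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "enctype": enctype,
                        "kvno": kvno, "timestamp": timestamp, "key": key})
    return entries


def build_keytab(entries, timestamp=1231372800):
    """Write a keytab from (principal, name_type, enctype, kvno, key) tuples; used for the demo input."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, expected_principal):
    """Return {present, weak_only, enctypes, problems} for the principal mod_auth_kerb will look up."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == expected_principal]
    problems = []
    if not mine:
        found = sorted({e["principal"] for e in entries}) or ["nothing"]
        problems.append("%s not in keytab; it holds %s (hostname and realm case must match exactly)"
                        % (expected_principal, ", ".join(found)))
    for e in mine:
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("name type %d, expected KRB5_NT_PRINCIPAL" % e["name_type"])
    names = [ENCTYPES.get(e["enctype"], "enctype %d" % e["enctype"]) for e in mine]
    weak_only = bool(mine) and all(e["enctype"] in WEAK_ENCTYPES for e in mine)
    if weak_only:
        problems.append("only weak key types (%s): the KDC may refuse them and MIT krb5 needs "
                        "allow_weak_crypto = true for DES; re-run ktpass with -crypto AES256-SHA1"
                        % ", ".join(names))
    return {"present": bool(mine), "weak_only": weak_only, "enctypes": names, "problems": problems}


if __name__ == "__main__":
    import sys
    # With a path argument inspect a real keytab; otherwise use a constructed one
    # that mirrors the single DES-CBC-MD5 entry step 5 produces (dummy all-zero key).
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = build_keytab([("HTTP/web1.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 3, 2, bytes(8))])
    for e in parse_keytab(blob):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    for p in check_keytab(blob, "HTTP/web1.example.com@EXAMPLE.COM")["problems"]:
        print("WARNING:", p)
```

Run it as `python3 keytab_check.py /etc/httpd/conf/<name>.keytab` on the web server after step 6; a "not in keytab" warning is the usual cause of "No key table entry found" in the httpd error log (wrong hostname, lowercase realm, or an alias without its own SPN), and a kvno that is lower than what `kvno HTTP/<host>` reports means ktpass was re-run and the old file was left in place.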