Authenticating Apache Virtual Hosts with Kerberos

Below is a quick walkthrough on setting up an Apache virtual host with kerberos authentication.

If you use, or are looking to integrate, single sign-on in your websites or web-based applications, this is for you.

Example Details

In this article I will be setting up a new website called mysite.example.com, using the details below.

Web Server Name: web01.example.com
Web Server Operating System: Red Hat Enterprise Linux 6.3
Kerberos Realm: EXAMPLE.COM
Kerberos Username: testuser

Pre-requisites

This article is specifically based on setting up kerberised Apache hosts. It is assumed that you already have a fully functional kerberised realm with kerberised workstations.

This is required as we will be testing the Single Sign On capabilities from a kerberised workstation by using our kerberos test user.

To continue with the installation, please read on.


Step 1. Install packages

We need to install Apache and the kerberos module in order to continue.
Run the following to install the packages we need.

[root@web01 ~]# yum install -y httpd mod_auth_kerb


Step 2. Start Apache

Make sure you enable Apache to start on boot, as well as starting the service.

[root@web01 ~]# chkconfig httpd on
[root@web01 ~]# service httpd start
Starting httpd: [ OK ]
[root@web01 ~]#


Step 3. Open Firewall

You should open up tcp port 80 for Apache to be accessible through the firewall. If you wish to set up an SSL based website, you should also open tcp port 443.

[root@web01 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@web01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@web01 ~]#


Step 4. Create service principal keytab

Depending on your kerberos infrastructure, you will do this in different ways.

If you are using FreeIPA, you can achieve this as follows.
On your IPA server, run the following:

[root@ds01 ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@ds01 ~]# ipa service-add HTTP/web01.example.com
--------------------------------------------------
Added service "HTTP/web01.example.com@EXAMPLE.COM"
--------------------------------------------------
Principal: HTTP/web01.example.com@EXAMPLE.COM
Managed by: web01.example.com
[root@ds01 ~]# ipa-getkeytab -s ds01.example.com -p HTTP/web01.example.com -k /root/web01.example.com-http.keytab
Keytab successfully retrieved and stored in: /root/web01.example.com-http.keytab
[root@ds01 ~]#


Step 5. Copy keytab to web server

Copy your new keytab file to your web server.

If your kerberos server is a Linux based server, or if you ran the steps in step 4 above, run the following.

[root@ds01 ~]# scp /root/web01.example.com-http.keytab root@web01.example.com:/etc/httpd/
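Two checks worth running once the keytab is on the web server: that only root and the Apache service account can read it, and that it actually holds the principal named by KrbServiceName in step 7. The script below is an added example and is not part of the original post. It assumes httpd runs as the "apache" user on RHEL 6 and recommends root:apache with mode 0640, which the post does not state; the klist output it parses is a constructed sample in the shape printed by the real MIT "klist -kt" command.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks to run after
# copying the keytab to the web server.
#   check_keytab    - ownership and mode of the keytab file
#   check_principal - the keytab holds the principal named by KrbServiceName,
#                     parsed from "klist -kt" output
# Assumptions not stated on the page: httpd runs as user "apache" on RHEL 6,
# and root:apache with mode 0640 is this example's recommendation.

# check_keytab FILE OWNER GROUP
# Succeeds when FILE exists, is owned by OWNER:GROUP and grants no access to
# "other". Uses POSIX "ls -l" output so it works without GNU stat.
check_keytab() {
    f=$1; want_owner=$2; want_group=$3
    rc=0
    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"
        return 1
    fi
    # ls -ld fields: 1 mode (e.g. -rw-r-----), 3 owner, 4 group
    set -- $(ls -ld "$f")
    mode=$1; owner=$3; group=$4
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL: $f is owned by $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    # characters 8-10 of the mode string are the rwx bits for "other"
    case $(printf '%s' "$mode" | cut -c8-10) in
        ---) ;;
        *)   echo "FAIL: $f is accessible to other users (mode $mode)"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "OK: $f is $owner:$group, mode $mode"
    fi
    return $rc
}

# check_principal PRINCIPAL < klist-output
# Reads "klist -kt FILE" output on stdin and succeeds when PRINCIPAL appears
# in at least one entry. Entry lines start with a numeric KVNO and the
# principal is the last field; header and separator lines are skipped.
check_principal() {
    want=$1
    found=$(awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u | grep -c -x -F "$want" || true)
    if [ "$found" -gt 0 ]; then
        echo "OK: keytab contains $want"
        return 0
    fi
    echo "FAIL: keytab does not contain $want"
    return 1
}

# Constructed sample of "klist -kt" output for the keytab from step 4
# (the real command is: klist -kt /etc/httpd/web01.example.com-http.keytab).
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/web01.example.com-http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/24/12 00:00:00 HTTP/web01.example.com@EXAMPLE.COM
   1 12/24/12 00:00:00 HTTP/web01.example.com@EXAMPLE.COM'

# Stand-alone demo on the constructed sample. On the real server run instead:
#   chown root:apache /etc/httpd/web01.example.com-http.keytab
#   chmod 0640 /etc/httpd/web01.example.com-http.keytab
#   check_keytab /etc/httpd/web01.example.com-http.keytab root apache
#   klist -kt /etc/httpd/web01.example.com-http.keytab | check_principal HTTP/web01.example.com@EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" | check_principal HTTP/web01.example.com@EXAMPLE.COM
```

A keytab that is world-readable lets any local account impersonate the HTTP service, and one that the apache user cannot read makes Negotiate fail in a way that looks exactly like the password prompt described in step 10, so both conditions are worth catching before testing from a workstation.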


Step 6. Create directories for new website

As we are creating a new stand-alone virtual host in Apache, we should create a new directory structure for our website.

To do this, run the following.

[root@web01 ~]# mkdir -p /var/www/mysite.example.com/html


Step 7. Create new Virtual Host configuration file

Create a new text file called /etc/httpd/conf.d/mysite.example.com.conf with the contents below.

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/mysite.example.com/html
    ServerName mysite.example.com
    ErrorLog logs/mysite.example.com-error_log
    CustomLog logs/mysite.example.com-access_log common

    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        # Accept SPNEGO/Negotiate tickets from kerberised workstations (single sign-on)
        KrbMethodNegotiate On
        # Fall back to HTTP Basic auth checked against the KDC; over plain port 80
        # the password crosses the wire unencrypted, so pair this with SSL (port 443)
        KrbMethodK5Passwd On
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/httpd/web01.example.com-http.keytab
        KrbServiceName HTTP/web01.example.com
        # Turns off verification of the KDC against the local keytab, the check that
        # protects the password path from a spoofed KDC; mod_auth_kerb defaults to on
        # and its documentation recommends off for testing only
        KrbVerifyKDC off
        Require valid-user
    </Location>
</VirtualHost>


Step 8. Restart Apache

Restart Apache to apply the new configuration file.

[root@web01 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@web01 ~]#


Step 9. Update DNS

Your new website should now be working. The last thing that needs to be done is to configure a DNS record (a CNAME in the example below) that points mysite.example.com at your new web server.

I will leave you to do this yourself; however, if you are using FreeIPA for your kerberos realm as well as your DNS infrastructure, you can do the following on one of your directory servers.

[root@ds01 ~]# ipa dnsrecord-add example.com mysite --cname-rec web01.example.com.
Record name: mysite
CNAME record: web01.example.com.
[root@ds01 ~]#


Step 10. Test your setup is working

It is important, of course, to verify that what we have set up above actually works.

From your authenticated kerberised workstation, log in as your test user and browse to your new site, http://mysite.example.com.

You should now see your new website. Please be aware that if you receive a username and password dialog box, the kerberised login is not completing successfully. You will need to go back and verify your details.

Just to be extra sure, watch the logs on your web server as you make requests from your workstation.

You should see entries along the following lines.

[root@web01 ~]# tail -f /var/log/httpd/*
==> /var/log/httpd/mysite.example.com-access_log <==
10.0.1.104 - - [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 401 486
10.0.1.104 - testuser@EXAMPLE.COM [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 304 -
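The two log lines above are the healthy pattern: a 401 challenge with no user, then the same client retrying with its ticket and being logged as testuser@EXAMPLE.COM. Reading a busy access log by eye is harder, so the script below is an added example (not part of the original post) that summarises the same "common" log format: it counts challenges and authenticated requests, lists clients that only ever received 401s (single sign-on not completing, the symptom described above), and flags any principal outside the realm given to KrbAuthRealms. The log lines it runs on are constructed samples in the format shown above, not real server output.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise Kerberos
# authentication outcomes from an Apache "common" format access log.
# Field layout of LogFormat "common" (%h %l %u %t "%r" %>s %b) as awk sees it:
#   $1 client IP, $3 authenticated user ('-' until Negotiate completes),
#   $9 HTTP status. Request lines containing spaces in the URI would shift
#   the fields; this example assumes the simple GET / requests shown above.

# krb_auth_summary REALM < access_log
# Prints one counter line, then "NO_SSO <ip>" for each client that only
# ever received 401 challenges, and "FOREIGN_REALM <principal>" for any
# authenticated principal whose realm is not REALM.
krb_auth_summary() {
    realm=$1
    awk -v realm="$realm" '
        {
            ip = $1; user = $3; status = $9
            if (user == "-" && status == 401) {
                # Negotiate challenge sent; a working client retries with a ticket
                challenge++; seen[ip]++
            } else if (user != "-" && status < 400) {
                # Request served to an authenticated principal
                ok++; auth[ip]++
                n = split(user, parts, "@")
                if (n != 2 || parts[2] != realm) foreign[user]++
            } else if (user != "-") {
                # A name was presented but the request was still refused
                denied++
            }
        }
        END {
            printf "challenges=%d authenticated=%d denied=%d\n", challenge, ok, denied
            for (ip in seen) if (!(ip in auth)) print "NO_SSO " ip
            for (u in foreign) print "FOREIGN_REALM " u
        }'
}

# Constructed sample in the format of the log excerpt above:
#   .104 completes single sign-on, .105 never gets past the challenge,
#   .106 authenticates with a principal from another realm.
SAMPLE_LOG='10.0.1.104 - - [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 401 486
10.0.1.104 - testuser@EXAMPLE.COM [24/Dec/2012:00:03:40 +0000] "GET / HTTP/1.1" 304 -
10.0.1.105 - - [24/Dec/2012:00:04:02 +0000] "GET / HTTP/1.1" 401 486
10.0.1.105 - - [24/Dec/2012:00:04:03 +0000] "GET / HTTP/1.1" 401 486
10.0.1.106 - - [24/Dec/2012:00:05:10 +0000] "GET / HTTP/1.1" 401 486
10.0.1.106 - bob@OTHER.COM [24/Dec/2012:00:05:10 +0000] "GET / HTTP/1.1" 200 1024'

# Stand-alone demo on the constructed sample. On the web server from the post:
#   krb_auth_summary EXAMPLE.COM < /var/log/httpd/mysite.example.com-access_log
printf '%s\n' "$SAMPLE_LOG" | krb_auth_summary EXAMPLE.COM
```

A client that shows up only under NO_SSO usually has a browser that is not configured to send Negotiate for this site, or has no ticket for the realm; a FOREIGN_REALM entry is worth a look because the vhost only intends to accept EXAMPLE.COM users.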
