Wednesday, May 19, 2021

SSO with Apache and Kerberos authentication

I'm sharing another use case, "Kerberos + HEADER-based application SSO" implementation experience with Apache and Keberos module. There are times you end up working with a custom authentication & Single Sign-On solution to an application despite modern authentication mechanisms.

One such situation is providing seamless access to an application when accessing from an Active Directory domain-joined machine. It technically means leveraging the Kerberos token from the device and authenticates the user into the HEADER-based application.

Utilizing Apache web server, Kerberos module, and apache rules, we can provide a Single Sign-On experience to the users accessing the application from an AD domain-joined machine.

I am assuming that the Apache web server is installed, enabled mod_auth_kerb module, and configure the application to allow the REMOTE_USER header to login.

The first thing is to generate a keytab file for your Apache server using the ktpass command.

Example command:

ktpass -princ HTTP/<<HOSTNAME>>@<<DOMAIN>> -mapuser apache -crypto All -DesOnly -pass <<password>> -ptype KRB5_NT_PRINCIPAL -out apache.keytab

I had configured Apache 2.4.6 in RHEL 7.9 with the Kerberos module with the below VirtualHost to use auth_kerb_module and rules to read and set Request HEADER application in the "httpd" conf file.

<VirtualHost *.80 *.443>

ServerName <<ServerName>>

<Location />

AuthType Kerberos

KrbMethodNegotiate On

KrbMethodK5Passwd On

KrbServiceName HTTP/<<HOSTNAME>>@<<DOMAIN>>

KrbAuthRealms <<DOMAIN>>

Krb5KeyTab /etc/apache.keytab

KrbLocalUserMapping On

require valid-user

RewriteEngine On

RewriteCond %{LA-U:REMOTE_USER} (.+)

RewriteRule . - [E=RU:%1]

Header add X-Remote-User "%{RU}e" env=RU

RequestHeader set REMOTE_USER %{RU}e


SSLProxyEngine On

SSLProxyVerify none

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

ProxyRequests Off

ProxyPreserveHost On

ProxyPass / https://<<Application_HOST_NAME>>:<PORT>/

ProxyPassReverse / https://<<Application_HOST_NAME>>:<PORT>/


Bounce the apache server and try to access the application from the AD joined machine.


Siva Pokuri.

Friday, February 5, 2021

How To Correct Microsoft Azure AD IdP SAML Metadata for Qlik Sense printing module SAML integration

 When uploading Azure AD SAML metadata to a service provider you might get below error message -  


SAML xml metadata validation failed with the following error: This is an invalid xsi:type ''” SAML xml metadata validation failed with the following error: This is an invalid xsi:type ''.


Quick solution is that to remove <RoleDescriptor section from the metadata file and try to upload the metadata again.


Siva Pokuri. 

Tuesday, January 19, 2021

Azure AD Powershell command to query group with DirSyncEnabled attribute

There are times you want to know synched or cloud only groups.

Command to search synched groups - 

Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -eq $TRUE}

Command to search cloud only groups - 

Get-AzureADGroup -All $true | where-Object {$_.DirSyncEnabled -eq $NULL}

Funny enough that DirSyncEnabled attribute contains "TRUE" (if it's synched group) "NULL" (if cloud only)


Siva Pokuri.