Wednesday, May 19, 2021

SSO with Apache and Kerberos authentication

I'm sharing another use case, "Kerberos + HEADER-based application SSO" implementation experience with Apache and Keberos module. There are times you end up working with a custom authentication & Single Sign-On solution to an application despite modern authentication mechanisms.

One such situation is providing seamless access to an application when accessing from an Active Directory domain-joined machine. It technically means leveraging the Kerberos token from the device and authenticates the user into the HEADER-based application.

Utilizing Apache web server, Kerberos module, and apache rules, we can provide a Single Sign-On experience to the users accessing the application from an AD domain-joined machine.

I am assuming that the Apache web server is installed, enabled mod_auth_kerb module, and configure the application to allow the REMOTE_USER header to login.

The first thing is to generate a keytab file for your Apache server using the ktpass command.

Example command:

ktpass -princ HTTP/<<HOSTNAME>>@<<DOMAIN>> -mapuser apache -crypto All -DesOnly -pass <<password>> -ptype KRB5_NT_PRINCIPAL -out apache.keytab

I had configured Apache 2.4.6 in RHEL 7.9 with the Kerberos module with the below VirtualHost to use auth_kerb_module and rules to read and set Request HEADER application in the "httpd" conf file.

<VirtualHost *.80 *.443>

ServerName <<ServerName>>

<Location />

AuthType Kerberos

KrbMethodNegotiate On

KrbMethodK5Passwd On

KrbServiceName HTTP/<<HOSTNAME>>@<<DOMAIN>>

KrbAuthRealms <<DOMAIN>>

Krb5KeyTab /etc/apache.keytab

KrbLocalUserMapping On

require valid-user

RewriteEngine On

RewriteCond %{LA-U:REMOTE_USER} (.+)

RewriteRule . - [E=RU:%1]

Header add X-Remote-User "%{RU}e" env=RU

RequestHeader set REMOTE_USER %{RU}e


SSLProxyEngine On

SSLProxyVerify none

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

ProxyRequests Off

ProxyPreserveHost On

ProxyPass / https://<<Application_HOST_NAME>>:<PORT>/

ProxyPassReverse / https://<<Application_HOST_NAME>>:<PORT>/


Bounce the apache server and try to access the application from the AD joined machine.


Siva Pokuri.

No comments:

Post a Comment