I have been configuring SSO with mod_auth_kerb. The objective is to access the website via IE without any prompt for user/password.
I set it up as follows on Apache 2.2.15, CentOS 6.4, mod_auth_kerb.
1. I joined CentOS to AD 2008R2
2. I installed mod_auth_kerb
3. Created a keytab on Windows and copied it to CentOS
4. Here is my config:
Options MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthName "Restricted Access"
AuthType Kerberos
Krb5Keytab /etc/centos-hh.keytab
KrbAuthoritative On
KrbAuthRealms MYDOMAIN
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC Off
#KrbDelegateBasic Off
KrbServiceName Any
KrbLocalUserMapping on
require valid-user
Result: I can access the website via IE, Firefox and Chrome, but I'm always prompted to enter user/password. If I enter them correctly, I see the webpage --> httpd can authenticate the domain user and password.
But my goal is not achieved, because IE always asks for user/password. I added my site to IE's local intranet zone and selected "automatic logon only in intranet", but there is no effect.
If I change KrbVerifyKDC Off to On, I get the error "failed to verify krb5 credentials: Server not found in Kerberos database" and cannot authenticate any more.
Might I be missing some configurations or settings? Please advise me.
I'm looking forward to hearing from you soon.
Regards,
Tran Phat
Last edited by tranphat; 06-27-2014 at 04:36 AM.
Reason: adding information
Kerberos isn't like SSH; the problem you're running into is that for Kerberos to work with SSO, I think you're going to need a KDC (key distribution center) that interacts with the realm (the users and services that are directed to that particular KDC).
Using Kerberos, the sequence is: a client machine wants to access your Apache web server, so it requests a ticket for the service from the KDC. The service and the client are both issued tickets; the client sends its ticket to the service, and the service decrypts it based on the shared secret (session ID) that is in both tickets.
Without a KDC, there is no ticket exchange.
I implemented mod_auth_kerb on CentOS for httpd. I just use Windows AD for mod_auth_kerb to connect to, and I don't think that it is a Windows problem.
If I change KrbVerifyKDC Off to On, I get the error "failed to verify krb5 credentials: Server not found in Kerberos database" and cannot authenticate any more.
That suggests that the KDC isn't running or doesn't know the user or service that is trying to access it. Is there anything else on your network that is getting a ticket from the KDC? What other services are Kerberos restricted?
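The "Server not found in Kerberos database" error quoted above is the KDC answering that it has no account with the service principal mod_auth_kerb asked a ticket for (with KrbVerifyKDC On the module uses its own keytab entry to obtain and verify a ticket), so the first thing to check is that the keytab holds HTTP/<fqdn>@<REALM> exactly as browsers will request it and that AD has that SPN registered. The POSIX shell script below is an added example, not code from the thread; the klist output it parses is constructed, and the host name centos-hh.mydomain.local and realm MYDOMAIN.LOCAL are placeholders rather than values taken from the post.

```shell
#!/bin/sh
# Constructed sample of `klist -kt /etc/centos-hh.keytab` output; the host
# name and realm are placeholders, not values taken from the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/centos-hh.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------
   3 01/01/70 00:00:00 HTTP/centos-hh.mydomain.local@MYDOMAIN.LOCAL
   3 01/01/70 00:00:00 host/centos-hh.mydomain.local@MYDOMAIN.LOCAL'

# check_keytab_spn KLIST_OUTPUT FQDN REALM
# Pure check over klist text: is HTTP/FQDN@REALM in the keytab exactly as the
# browser will request it? Returns 0 = yes, 1 = only a case variant, 2 = missing.
check_keytab_spn() {
    want="HTTP/$2@$3"
    # The principal is the last field of each entry line (KVNO, date, time, principal).
    princs=$(printf '%s\n' "$1" | awk '$NF ~ /^[^ ]+\/[^ ]+@[^ ]+$/ { print $NF }' | sort -u)
    if printf '%s\n' "$princs" | grep -qxF -- "$want"; then
        echo "OK: $want is in the keytab"; return 0
    fi
    if printf '%s\n' "$princs" | grep -qixF -- "$want"; then
        echo "WARN: only a case variant of $want is in the keytab (principals are case-sensitive):"
        printf '%s\n' "$princs" | grep -ixF -- "$want" | sed 's/^/    /'; return 1
    fi
    echo "FAIL: $want is not in the keytab; entries present:"
    printf '%s\n' "$princs" | sed 's/^/    /'; return 2
}

# check_live_keytab KEYTAB FQDN REALM
# Same check on a real keytab, then prove the entry works against the KDC: if
# kinit fails with "Server not found in Kerberos database", the KDC has no
# account carrying the SPN HTTP/FQDN, which is the same error mod_auth_kerb
# reports when KrbVerifyKDC On tries to verify credentials with that keytab.
check_live_keytab() {
    check_keytab_spn "$(klist -kt "$1")" "$2" "$3" || return $?
    cc="/tmp/spncheck.$$"
    KRB5CCNAME="FILE:$cc" kinit -kt "$1" "HTTP/$2@$3" && echo "OK: KDC issued a ticket for HTTP/$2@$3"
    rc=$?; rm -f "$cc"; return $rc
}

# Offline demo against the constructed sample; on the web server itself run e.g.
#   check_live_keytab /etc/centos-hh.keytab "$(hostname -f)" MYDOMAIN.LOCAL
check_keytab_spn "$SAMPLE_KLIST" centos-hh.mydomain.local MYDOMAIN.LOCAL          # OK, exit 0
check_keytab_spn "$SAMPLE_KLIST" centos-hh.mydomain.local mydomain.local || true  # WARN, exit 1
```

`hostname -f` must print the same FQDN that users type in the browser; IE only attempts Negotiate for a host name that resolves to that SPN and sits in the Local intranet zone.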