Linux/Windows Security Interop: Apache with mod_auth_kerb and Windows Server 2003 R2

Similar documents
Active Directory and Linux Identity Management

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Table 1 shows the LDAP server configuration required for configuring the federated repositories in the Tivoli Integrated Portal server.

INUVIKA TECHNICAL GUIDE

Lab Answer Key for Module 6: Configuring and Managing Windows SharePoint Services 3.0. Table of Contents Lab 1: Configuring and Managing WSS 3.

Single Sign-On for Kerberized Linux and UNIX Applications

Centrify Identity and Access Management for Cloudera

Using Kerberos tickets for true Single Sign On

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V (Windows V2) On A Network With A Server (Windows) On

ENABLING SINGLE SIGN-ON: SPNEGO AND KERBEROS Technical Bulletin For Use with DSView 3 Management Software

Overview of Microsoft Office 365 Development

Hyper-V Server 2008 Setup and Configuration Tool Guide

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Kerberos and Single Sign-On with HTTP

Active Directory Provider User s Guide

Pipeliner CRM Phaenomena Guide Administration & Setup Pipelinersales Inc.

Pipeliner CRM Phaenomena Guide Getting Started with Pipeliner Pipelinersales Inc.

How to Secure a Groove Manager Web Site

File and Printer Sharing with Microsoft Windows

Deploying the Workspace Application for Microsoft SharePoint Online

Lab Answer Key for Module 9: Active Directory Domain Services. Table of Contents Lab 1: Exploring Active Directory Domain Services 1

Technical Brief for Windows Home Server Remote Access

Installation and configuration guide

AD RMS Step-by-Step Guide

Improving Performance of Microsoft CRM 3.0 by Using a Dedicated Report Server

WINDOWS 7 & HOMEGROUP

Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory

Pipeliner CRM Phaenomena Guide Sales Target Tracking Pipelinersales Inc.

Configuring Integrated Windows Authentication for JBoss with SAS 9.3 Web Applications

EventTracker: Support to Non English Systems

The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions

CA Performance Center

Installation and configuration guide

Pipeliner CRM Phaenomena Guide Add-In for MS Outlook Pipelinersales Inc.

Hands-On Lab: WSUS. Lab Manual Expediting WSUS Service for XP Embedded OS

Pipeliner CRM Phaenomena Guide Opportunity Management Pipelinersales Inc.

Active Directory 2008 Implementation Guide Version 6.3

Connector for Microsoft Dynamics Configuration Guide for Microsoft Dynamics SL

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Parallels Plesk Panel

Pipeliner CRM Phaenomena Guide Sales Pipeline Management Pipelinersales Inc.

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

Update and Installation Guide for Microsoft Management Reporter 2.0 Feature Pack 1

How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu (Windows 7) On Pc Or Ipad

Active Directory 2008 Implementation. Version 6.410

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

CRM to Exchange Synchronization

Lab Answer Key for Module 1: Installing and Configuring Windows Server Table of Contents Lab 1: Configuring Windows Server

Kerberos and Single Sign On with HTTP

Microsoft Lync Server 2010

Office Language Interface Pack for Farsi (Persian) Content

How To Use Directcontrol With Netapp Filers And Directcontrol Together

Kerberos and Windows SSO Guide Jahia EE v6.1

Customizing Remote Desktop Web Access by Using Windows SharePoint Services Stepby-Step

Windows Server Update Services 3.0 SP2 Step By Step Guide

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Configure the Application Server User Account on the Domain Server

Importing data from Linux LDAP server to HA3969U

Implementing and Supporting Windows Intune

HRSWEB ActiveDirectory How-To

DriveLock Quick Start Guide

Active Directory and DirectControl

Integrating Business Portal 3.0 with Microsoft Office SharePoint Portal Server 2003: A Natural Fit

Bitrix Site Manager. Quick Guide To Using The AD/LDAP Module

Integrate Websense Web Security Gateway (WSG)

Copyright Winfrasoft Corporation. All rights reserved.

Chapter 3 Authenticating Users

Cloudera Backup and Disaster Recovery

Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide

Single Sign-on (SSO) technologies for the Domino Web Server

Hyper-V Server 2008 Getting Started Guide

Installing Microsoft Exchange Integration for LifeSize Control

Windows Azure Pack Installation and Initial Configuration

Management Reporter Integration Guide for Microsoft Dynamics GP

White Paper. Software version: 5.0

Single Sign-On Using SPNEGO

Management Reporter Integration Guide for Microsoft Dynamics AX

Using Active Directory as your Solaris Authentication Source

Windows Security and Directory Services for UNIX using Centrify DirectControl

Deploying Remote Desktop Web Access with Remote Desktop Connection Broker Step-by- Step Guide

Introduction to DirectAccess in Windows Server 2012

Active Directory Integration. Documentation. v1.02. making your facilities work for you!

The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:

Using Apple Remote Desktop to Deploy Centrify DirectControl

Integration Guide. SafeNet Authentication Service. Oracle Secure Desktop Using SAS RADIUS OTP Authentication

Step-by-Step Guide for Setting Up IPv6 in a Test Lab

Centralized Mac Home Directories with ExtremeZ-IP

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

Smart Card Authentication Client. Administrator's Guide

Shared File Room Field Guide

Implementing and Supporting Windows Intune

SUSE Linux Enterprise Server in an Active Directory Domain

Configuring IBM Cognos Controller 8 to use Single Sign- On

Single Sign On. Configuration Checklist for Single Sign On CHAPTER

Lab 00: Configuring the Microsoft Lync Ignite Environment Cloud Hosted Version

FreeIPA - Open Source Identity Management in Linux

SSSD Active Directory Improvements

Transcription:

Linux/Windows Security Interop: Apache with mod_auth_kerb and Windows Server 2003 R2 Published by the Open Source Software Lab at Microsoft. January 2008. Special thanks to Chris Travers, Contributing Author to the Open Source Software Lab. Most current version will be maintained at.. Abstract: The Apache authentication module mod_auth_kerb allows Apache to authenticate users against a Kerberos KDC including one from ActiveDirectory. Kerberos itself can be fairly complex to set up. This guide will attempt to show the specific steps required to make this possible as well as discuss security limitations specific to the interoperability matters. This guide assumes a basic understanding of Kerberos V and that the Active Directory domain controller is properly configured prior to starting this process. Page i

Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e- mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. 2007 Microsoft Corporation. This work is licensed under the Microsoft Public License. The Microsoft Public License is available here. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Microsoft, Windows, Windows XP, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. Page ii

1 Introduction The Apache authentication module mod_auth_kerb allows Apache to authenticate users against a Kerberos KDC including one from ActiveDirectory. Kerberos itself can be fairly complex to set up. This guide will attempt to show the specific steps required to make this possible as well as discuss security limitations specific to the interoperability matters. This guide assumes a basic understanding of Kerberos V and that the Active Directory domain controller is properly configured prior to starting this process. The test environment consisted of a Fedora Core 5 Linux system running Apache 2.2.x and mod_auth_kerb authenticating against a Windows Server 2003 R2 domain controller. The basic steps should form an outline for working with other distributions but package names and other minor details may require slight adjustment. In addition to being a fairly useful topic in itself, this paper also provides a basis for what exactly is involved in getting Linux server software, which supports Kerberos, to work Active Directory if no local authentication or identity management is required. I found that the following packages were required on the Linux system (names from Fedora Core 5, other distros may change names slightly): krb5-libs-1.4.3-5.3 krb5-workstation-1.4.3-5.3 samba-client-3.0.23c-1.fc5 samba-common-3.0.23c-1.fc5 openldap-clients-2.3.19-4 openldap-2.3.19-4 Also, note that this has not been tested with any Kerberos implementations on the Linux side other than the MIT version. On the Windows side, I named my domain krbtest.local and the domain controller kdc1. I set up Active Directory and DNS, and I installed the Windows support tools from the CDROM (from D:\Support\Tools\subtools.msi where D: is the CDROM drive. While I also installed SUA 1, I am not using any of the features of that component and therefore that step is optional. The support tools, while not used in this paper, provided valuable information about how Active Directory works, and hence may be helpful in troubleshooting issues. Although not strictly required, I would recommend installing them for such an environment. 1.1 Joining the Linux Server to the Domain using samba-client Joining an Active Directory domain is done in three stages. First a Kerberos TGT 2 is requested for the joining user. Secondly, the joining user logs into the LDAP 3 directory using the TGT and creates the LDAP directory entry. Third, the "computer account" is activated (and the service 1 Subsystem for Unix-based Applications 2 Ticket Granting Ticket 3 Lightweight Directory Access Protocol Page 3

principle added to the Kerberos database). Problems can occur at any stage and so it is often important to recognize that some degree of trial and error may be required to make this work. 1.1.1 Configuration Files Required to Join the Domain First, I had to configure the realm in the /etc/krb5.conf. The realm was added and properly configured. My domain was named krbtest.local, so the relevant realm name was KRBTEST.LOCAL. The following lines were added to the [realms] section: KRBTEST.LOCAL = { kdc = kdc1.krbtest.local:88 default_domain = krbtest.local } Next, I added the following lines to the [global] section of the /etc/samba/smb.conf: netbios name = chrislt realm = KRBTEST.LOCAL security = ADS encrypt passwords = yes password server = kdc1.krbtest.local # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH workgroup = KRBTEST Note that it is possible, though more complex, to join the domain without resorting to Samba tools. However, I have generally found that this represents the easiest way of automating the setup once the configuration issues are taken care of. 1.1.2 A note on SNTP, NTP, and Clock Skew Kerberos requires that all clocks involved are within a certain configurable range of each other. The default is 5 minutes. If the clocks are off greater than the configured range then users will be unable to authenticate. Therefore computers cannot join the domain. When a Windows host joins the domain, it begins to synchronize its clock with the domain controller using SNTP 4. The SNTP client in a Windows domain controller cannot be also configured to use an external source for time. It is therefore a common recommendation that a separate NTP client be installed so that all clocks can be authoritative. Failure to do so may cause a great deal of frustration in troubleshooting the domain joining process as it is possible for the clocks accumulate skew. 1.1.3 Testing the Kerberos Setup In general, I have found that the standard MIT Kerberos libraries provide better error reporting than either Windows or Samba. Therefore, it is useful to try to authenticate first using kinit. The syntax is: 4 Simple Network Time Protocol Page 4

kinit username@realm For example, to request a Kerberos TGT for the Administrator account for the domain above, use: kinit Administrator@KRBTEST.LOCAL You should be prompted for the password and once you enter it, you should get no further errors. You can verify that you have received the TGT by using the klist command. 1.1.4 Joining the Domain Once you have verified that Kerberos is working, you can join the domain with the following command on the Linux system: net join -U Administrator The following diagnostics may be helpful in troubleshooting errors: 1. Can you get a TGT using kinit? 2. Can the host command pull the proper IP for the server? 1.2 Creating the Keytab I used the following command to generate a keytab from ActiveDirectory: bash# net ads keytab create -U Administrator This step gave me a lot of trouble. One of the issues is that the default_keytab_name line in the krb5.conf must be set up to use the following syntax: FILE:/path/to/file Once my krb5.conf contained the following line, I had no further issues: default_keytab_name = FILE:/etc/krb5.keytab 1.3 Configuring Apache Fedora Core includes all files in /etc/httpd/conf.d/ 5 in its main configuration. When mod_auth_kerb is installed, it adds a file auth_kerb.conf to that directory. All that is needed is to adjust the directives accordingly and uncomment them. My file, which requires authentication for the entire installation includes the following directives: LoadModule auth_kerb_module modules/mod_auth_kerb.so <Location /> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off KrbAuthRealms KRBTEST.LOCAL Krb5KeyTab /etc/httpd/conf/keytab require valid-user </Location> 5 The location of this configuration file will vary with different Linux and Unix distributions Page 5

Other distributions may need to add similar provisions in the httpd.conf. 1.4 Configuring Firefox and Internet Explorer Firefox 1.5 and higher support Kerberos authentication out of the box. Internet Explorer 6.0 also supports Kerberos authentication. Though in both cases, it may be initially disabled. In Internet Explorer, you must allow the site to log in automatically, and you must also enable Windows Integrated Authentication. If either of these fail, the authentication request will not be successful. To enable the support in Internet Explorer, select the intranet zone, click custom level, and set the User Authentication settings as seen below. Then click OK. Next, click on the Advanced tab. Ensure that the Enable Windows Integrated Authentication checkbox is checked as seen below. Click OK. If you had to enable this option, you will need to restart your computer. Page 6

To configure Firefox, type "about: config" in the address bar. Then type "network.neg" in the filter. Double click on the network.negotiate-auth.trusted-uris entry. enter the domain name. Click OK. The screen should look similar to that below: Page 7

1.5 Security Considerations In Windows, every service principle account authenticates against the computer account in Active Directory. In the event where the keytab is compromised, the machine account should at least be disabled, if not deleted. It is also important to guard the keytabs very carefully because compromising one service's keytab might allow an attacker to spoof other services from the same server. 1.6 Further Reading Microsoft has also published a knowledge base article outlining a different approach at: http://support.microsoft.com/kb/555092 The above article describes a completely different approach which would likely be useful in entirely different environments. Unlike the approach documented here, where the server is a full member server, and only Kerberos tickets are exchanged, the article details how to use the same software to accomplish "single password" capabilities. That approach may be useful when the target server is on the internet, perhaps where Kerberos negotiation authentication is not practical. However, in these cases it is extremely important that this be paired with SSL because otherwise domain passwords would be passed across the network in plain text. 1.7 Final Thoughts Once Kerberos authentication is set up it is secure, reliable, and quite powerful. Unfortunately it can also be somewhat complex initially. This paper provides a basis for understanding how to set up Apache, and perhaps other services, to use Kerberos for authentication against an Active Directory domain controller. Such techniques allow Windows servers to play greater roles in Page 8

identity management and highlight how Windows authentication can still be used when the target software is running on a Linux platform. 1.8 About the Author Chris Travers is the owner of Metatron Technology Consulting, a business dedicated to helping people and businesses leverage open source software. He has six years of experience with Kerberos and Windows Server technologies. Page 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information