Guide To Setup Kerberos Single Sign-On (SSO)

Guide To Setup Kerberos Single Sign-On (SSO)

Overview

    The Kerberos protocol is an authentication protocol for client/server applications. For authentication purposes, tickets are given to the clients from the Kerberos Key Distribution Center (KDC). The Kerberos ticket is presented to the servers after the connection has been established. Kerberos authentication tickets represent the client’s network credentials.

    Windows Challenge/Response(NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

    Windows authentication uses either Kerberos authentication protocol or NTLM authentication protocol, depending on the client and server configurations.

    NTLM Authentication Protocol:

      kerberos SSO
    • The NEGOTIATE_MESSAGE defines an NTLM Negotiate message that is sent from the client to the server. This message allows the client to specify its supported NTLM options to the server.
    • The CHALLENGE_MESSAGE defines an NTLM challenge message that is sent from the server to the client and it is used by the server to challenge the client to prove its identity.
    • The AUTHENTICATE_MESSAGE defines an NTLM authenticate message that is sent from the client to the server after the CHALLENGE_MESSAGE is processed by the client.

    KERBEROS AUTHENTICATION PROTOCOL:

    kerberos SSO
    • Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
    • Message B: Ticket-Granting-Ticket encrypted using the secret key of the TGS.
    • Message C: Composed of the TGT from message B and the ID of the requested service.
    • Message D: Authenticator encrypted using the Client/TGS Session Key.
    • Message E: client-to-server ticket encrypted using the service's secret key.
    • Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.
    • Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using Client/Server Session Key.
    • Message H: the timestamp found in the client's Authenticator encrypted using the Client/Server Session Key.

Steps To Setup Kerberos On UBUNTU/RHEL (CentOS)

    Step 1: Install Kerberos Client Libraries On The Web Server

    For UBUNTU:
    • Use the following command on your terminal to install the Kerberos client libraries.
    • sudo apt-get install krb5-user
    For RHEL/CentOS:
    • Use the following command on your terminal to install the Kerberos client libraries.
    • yum install krb5-workstation krb5-libs krb5-auth-dialog

    Step 2: Configure the Active Directory domain in the Kerberos Configuration file

    The following steps are used to configure the Active Directory Domains in the Kerberos configuration file:
    • Open and edit the /etc/krb5.conf file.
    • Add the following configuration snippet to the krb5.conf file.
      • EXAMPLE.ORG= { kdc = <AD DOMAIN CONTROLLER IP/DNS> :88 }

        NOTE: Replace the AD DOMAIN CONTROLLER IP/DNS with your IP/DNS address. Ensure EXAMPLE.ORG should be in upper case.

        - Replace the EXAMPLE.ORG with the Active Directory domain name.

        - And ensure that the port 88 on the AD Domain Controller is accessible from this server.

    • Save the file.

    Step 3: Install the auth_kerb module for Apache

    For UBUNTU:
    • Use the following command to install auth_kerb module for Apache.
    • sudo apt-get install libapache2-mod-auth-kerb
    • Once the auth_kerb module is installed, it needs to be enabled through the following command.
    • a2enmod auth_kerb
    • After enabling, Restart Apache to take effect.

    For RHEL/CentOS:
    • Use the following command to install auth_kerb module for Apache.
    • yum install mod_auth_kerb
    • Restart Apache to take effect.

    Step 4: Create Keytab file on the AD Domain Controller

    • On the AD Domain Controller, execute the following command to create the Keytab file.
    • ktpass -princ HTTP/<Server Host Name>@EXAMPLE.ORG -pass PASSWORD
      -mapuser <svc@EXAMPLE.ORG> -Ptype KRB5_NT_PRINCIPAL -out "<PATH>\spn.keytab"

      NOTE: Ensure EXAMPLE.ORG should be in uppercase.

      The following are the components of the command.

      Server Host Name: It is the host name of the site hosted on the Server.
      Server Host Name: It is the host name of the site hosted on the Server.
      EXAMPLE.ORG: It is the Active Directory Domain Name.
      PASSWORD: It is the password of the service account used above.
      svc@EXAMPLE.ORG: It is a service account in Active Directory.
      Path: Path to a local location which will store the keytab file.
    NOTE: The above command creates a keytab file. It needs to be placed on the server. The user running Apache should have full access to this file.The user should have permission to the keytab file.
  • The Service Account has a few prerequisites:
    • The account password should have a password set to Not Expired.
    • The account should be trusted for delegation.
  • Copy the Keytab file from AD Domain Controller to the web server hosted on Apache.

Step 5: Configure Kerberos SSO for the site directory

    For UBUNTU:

      -Edit the /etc/apache2/sites-enabled/000-default.conf file.

    • Add the following section in the directory of the site.
      • <Directory "/placeholder"> AuthType Kerberos KrbAuthRealms EXAMPLE.ORG KrbServiceName HTTP Krb5Keytab <PATH TO KEYTAB> KrbMethodNegotiate on KrbMethodK5Passwd on require valid-user </Directory>
    For RHEL/CentOS:

      -Edit the auth_kerb.conf configuration file in the /etc/httpd/conf.d/ folder.

    • Add the following section in the directory of the site.
      • LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so <Directory "/placeholder"> AuthType Kerberos KrbAuthRealms EXAMPLE.ORG KrbServiceName HTTP Krb5Keytab <PATH TO KEYTAB> KrbMethodNegotiate on KrbMethodK5Passwd on require valid-user </Directory>

      NOTE: Ensure EXAMPLE.ORG should be in upper case.

      The following are the components of the above configuration:

        EXAMPLE.ORG: This is the Active Directory domain as configured in krb5.conf.
        PATH TO KEYTAB: Accessible path to the keytab on this server.
    • After this configuration, Apache needs to be restarted for the changes to take effect.

Troubleshooting

These are the most common error messages:
    gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied).
  • Wrong file system permissions for /etc/krb5.keytab, i.e. not readable for the webserver’s Linux user.
  • To change file system permissions use $ chmod 400 filename
  • gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found).
  • Missing service principal (possibly HTTP/webserver.yourdomain.com@YOURDOMAIN.COM) in /etc/krb5.keytab.
  • Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
  • The website is not in zone "Local Intranet“ in IE or IE is configured incorrectly, see Authentication Uses NTLM instead of Kerberos.
  • gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ).
  • Wrong kvno or machine password in /etc/krb5.keytab → recreate the keytab using the correct information.
  • Problem with local Kerberos ticket cache on your workstation, use Kerbtray.exe to purge the ticket cache and open the website in IE again.

Steps To Setup Kerberos For Windows Authentication

  • Open Command prompt in Administrator mode.
  • Execute the following command on it to add Service Principal Name (SPN) for the account
    • setspn -a HTTP/## Server FQDN ## ## Domain Service Account ## Example: C:\Users\Administrator> setspn -A HTTP/mini.example.com gpadmin
      Note: "mini.exmaple.com" here is FQDN. Make sure it's resolvable on the Windows server running AD service.
  • Open Active Directory Users and Computers.
  • Search for the service account which was used to create the Service Principal Name (SPN).
  • Navigate to the Delegation tab.
  • Select Trust this user for delegation to any service (Kerberos only).
    • kerberos windows-1
  • Click Apply.
  • Open up IIS Manager.
  • Select the site which you want to apply Windows Authentication to.
  • Select the Application Pool for that website. Right click on it and select Advanced Settings.
    • kerberos windows-2
  • Use Custom Account and set the account as the service account for which delegation was enabled. You would need to enter the password of the service account as well.
    • kerberos windows-3
  • Navigate to the Authentication section for the website.
    • kerberos windows-4
  • Enable Windows Authentication and disable Anonymous Authentication.(Both cannot work simultaneously)
    • kerberos windows-5
  • Go to the Configuration Editor.
    • kerberos windows-6
    • Search for: system.webServer/security/authentication/windowsAuthentication
      kerberos windows-7
  • Set useKernelMode as False and useAppPoolCredentials as True in the Configuration editor.
  • Click Apply.
  • Restart IIS server.

Steps To Setup NTLM SSO with Apache on Windows

  • Click here to download the apache module.
  • Copy the mod_authnz_sspi.so from Apache24 > modules folder and place it in the modules
  • Copy the sspipkgs.exe file from Apache24 -> bin folder and place it in the bin folder of your Xampp apache folder (.....\xampp\apache\bin) on your webserver.
  • Open httpd.conf (.....\xampp\apache\conf) and place the below line of code in the LoadModule section.
    LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
  • Make sure that the following modules are uncommented:
    LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_core_module modules/mod_authz_core.so Also, make sure to enable ldap extension.
  • Open the httpd.conf file from (.....\xampp\apache\conf\httpd.conf).
    Go to and paste the below lines after #Require all granted. <Directory "...../xampp/htdocs"> ……… ……… #Require all granted AllowOverride None Options None AuthType SSPI SSPIAuth On SSPIAuthoritative On Require valid-user </Directory>
  • Restart your Apache Server.
  • To test the configuration create a test.php file in your WordPress root directory.
    (.....\xampp\htdocs\wordpress\test.php).
    Enter the below line:<?php var_dump($_SERVER); ?>
  • Save the file and run in the web browser.
  • Search for "REMOTE_USER" and it should contain the currently logged in username.

Configure browsers settings for Kerberos Authentication

The client-side configuration enables the respective browser to use SPNEGO to negotiate Kerberos authentication for the browser. You must make sure that the browser on an end user's system is configured to support Kerberos authentication.

1. Internet Explorer
2. Google Chrome
3. Mozilla Firefox


Internet Explorer


  • Open Internet Explorer browser and click on Tools > Internet Options > Security > Local intranet > Sites > Advanced.

    kerberos windows-8 kerberos windows-8
  • In Add this website to the zone field, enter the Base URL for the WordPress site, then click Add.
  • kerberos windows-8
  • Click Tools > Internet Options > Security > Local intranet > Custom Level.
  • Scroll down to the User Authentication options and select Automatic logon only in Intranet zone.
  • Click OK and then restart your browser.

Google Chrome


By default the Internet Explorer settings will be applicable, if you configure Internet Explorer, then no additional settings are required for Google Chrome.

Mozilla Firefox


  • Open Mozilla firefox browser and enter about:config in the address bar.
  • Search for network.negotiate-auth.trusted-uris Preference Name, and click on Edit. enter the hostname or the domain of the web server that is protected by Kerberos HTTP SPNEGO. Specify multiple domains and hostnames separated with a comma.
  • kerberos windows-8
  • Search for network.automatic-ntlm-auth.trusted-uris Preference Name, and click on Edit. enter the hostname or the domain of the web server that is protected by Kerberos HTTP SPNEGO. Specify multiple domains and hostnames separated with a comma.
  • kerberos windows-8
  • Click OK and then restart your browser.
Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com