Guide To Set Up Kerberos Single Sign-On (SSO)

Overview

    The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.

    Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

    Windows authentication uses either Kerberos authentication or NTLM authentication, depending upon the client and server configurations.

NTLM Authentication:

  • The NEGOTIATE_MESSAGE defines an NTLM Negotiate message that is sent from the client to the server. This message allows the client to specify its supported NTLM options to the server.
  • The CHALLENGE_MESSAGE defines an NTLM challenge message that is sent from the server to the client and it is used by the server to challenge the client to prove its identity.
  • The AUTHENTICATE_MESSAGE defines an NTLM authenticate message that is sent from the client to the server after the CHALLENGE_MESSAGE is processed by the client.

KERBEROS PROTOCOL:

  • Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
  • Message B: Ticket-Granting Ticket (TGT) encrypted using the secret key of the TGS.
  • Message C: Composed of the TGT from message B and the ID of the requested service.
  • Message D: Authenticator encrypted using the Client/TGS Session Key.
  • Message E: Client-to-server ticket encrypted using the service's secret key.
  • Message F: Client/Server Session Key encrypted using the Client/TGS Session Key.
  • Message G: A new Authenticator, which includes the client ID and timestamp, encrypted using the Client/Server Session Key.
  • Message H: The timestamp found in the client's Authenticator, encrypted using the Client/Server Session Key.
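The eight messages above, played out end to end as an added example (this code is not from the guide): a client logs in to a toy KDC, obtains a service ticket for an HTTP principal and presents it to the service, which answers with message H. The sealing routine, the principal names, the password, the key sizes and the lifetimes are assumptions made for the demo; they are not Kerberos' real encryption, key derivation or wire format.

```python
"""Added example (not from the guide): a toy run of Kerberos messages A-H between a client,
a KDC (Authentication Service + Ticket Granting Service) and an HTTP service.  Sealing is an
HMAC-SHA256 keystream plus a tag so only the standard library is needed; it is NOT Kerberos'
real cipher suite or wire format (AES per RFC 3961, ASN.1).  Names, keys, passwords are constructed."""
import hashlib, hmac, json, os, time

MAX_SKEW = 300         # seconds; authenticators outside the allowed clock skew are rejected
TICKET_LIFETIME = 600  # seconds; constructed value, real tickets last hours

def derive_key(principal: str, password: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the long-term key derived from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a JSON message: nonce || ciphertext || tag."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag first (wrong key or tampering raises ValueError), then decrypt."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key?)")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))

def fresh(auth: dict, ticket: dict) -> bool:
    # An authenticator must name the ticket's client and carry a recent timestamp.
    return auth["client"] == ticket["client"] and abs(time.time() - auth["timestamp"]) <= MAX_SKEW

class KDC:
    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: derive_key(u, pw) for u, pw in users.items()}
        self.service_keys = services     # service principal -> key that is also in its keytab
        self.tgs_key = os.urandom(32)    # krbtgt key; never leaves the KDC

    def as_exchange(self, client: str):
        """AS exchange: message A (Client/TGS session key) and message B (the TGT)."""
        sk = os.urandom(32).hex()
        msg_a = seal(self.user_keys[client], {"tgs_session_key": sk})
        msg_b = seal(self.tgs_key, {"client": client, "tgs_session_key": sk,
                                    "expires": time.time() + TICKET_LIFETIME})
        return msg_a, msg_b

    def tgs_exchange(self, msg_c: dict, msg_d: bytes):
        """TGS exchange: C (TGT + service ID) and D (authenticator) -> E (service ticket) and F."""
        tgt = unseal(self.tgs_key, msg_c["tgt"])
        sk = bytes.fromhex(tgt["tgs_session_key"])
        if not fresh(unseal(sk, msg_d), tgt):
            raise ValueError("authenticator rejected by the TGS")
        svc_sk = os.urandom(32).hex()
        msg_e = seal(self.service_keys[msg_c["service"]], {"client": tgt["client"],
                     "service_session_key": svc_sk, "expires": time.time() + TICKET_LIFETIME})
        return msg_e, seal(sk, {"service_session_key": svc_sk})

class Client:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, derive_key(name, password)

    def login(self, kdc: KDC):
        msg_a, self.tgt = kdc.as_exchange(self.name)   # the TGT stays opaque to the client
        # Only the right password derives the key that opens message A.
        self.tgs_session_key = bytes.fromhex(unseal(self.key, msg_a)["tgs_session_key"])

    def get_service_ticket(self, kdc: KDC, service: str) -> bytes:
        msg_d = seal(self.tgs_session_key, {"client": self.name, "timestamp": time.time()})
        msg_e, msg_f = kdc.tgs_exchange({"tgt": self.tgt, "service": service}, msg_d)
        self.service_session_key = bytes.fromhex(unseal(self.tgs_session_key, msg_f)["service_session_key"])
        return msg_e

    def ap_request(self, msg_e: bytes):
        # AP request: the service ticket E plus a new authenticator G.
        return msg_e, seal(self.service_session_key, {"client": self.name, "timestamp": time.time()})

class Service:
    def __init__(self, keytab_key: bytes):
        self.key = keytab_key            # the key Krb5Keytab hands to mod_auth_kerb

    def accept(self, msg_e: bytes, msg_g: bytes):
        ticket = unseal(self.key, msg_e)  # keytab out of step with the KDC -> ValueError
        sk = bytes.fromhex(ticket["service_session_key"])
        auth = unseal(sk, msg_g)
        if time.time() > ticket["expires"] or not fresh(auth, ticket):
            raise ValueError("ticket or authenticator rejected by the service")
        return ticket["client"], seal(sk, {"timestamp": auth["timestamp"]})  # message H

def run_sso(user: str, password: str, keytab_matches_kdc: bool = True) -> str:
    """Whole flow A-H; returns the principal the service accepted, or raises ValueError."""
    spn, http_key = "HTTP/web.example.org@EXAMPLE.ORG", os.urandom(32)
    kdc = KDC({"alice": "alice-pass"}, {spn: http_key})
    service = Service(http_key if keytab_matches_kdc else os.urandom(32))
    client = Client(user, password)
    client.login(kdc)
    msg_e, msg_g = client.ap_request(client.get_service_ticket(kdc, spn))
    who, msg_h = service.accept(msg_e, msg_g)
    unseal(client.service_session_key, msg_h)  # mutual auth: the service proved it read the ticket
    return who
```

Two failure modes are worth trying: run_sso with a wrong password fails while opening message A (the KDC never learns the password, the client simply cannot read the reply), and a service whose keytab key no longer matches the KDC fails while opening message E, which is the symptom the Troubleshooting section describes for a stale keytab.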

Steps To Set Up Kerberos On UBUNTU/RHEL (CentOS)

    Step 1: Install Kerberos Client Libraries On The Web Server

    For UBUNTU:
    • Use the following command on your terminal to install the Kerberos client libraries.
    • sudo apt-get install krb5-user

    For RHEL/CentOS:
    • Use the following command on your terminal to install the Kerberos client libraries.
    • yum install krb5-workstation krb5-libs krb5-auth-dialog

    Step 2: Configure the Active Directory domain in the Kerberos configuration file

    The following steps configure the Active Directory domain in the Kerberos configuration file:

    • Open and edit the /etc/krb5.conf file.
    • Add the following realm definition in the [realms] section of krb5.conf (create the section if it is not there yet):

        [realms]
            EXAMPLE.ORG = {
                kdc = <AD DOMAIN CONTROLLER IP/DNS>:88
            }

      NOTE: Replace <AD DOMAIN CONTROLLER IP/DNS> with the IP address or DNS name of your domain controller. EXAMPLE.ORG must be in upper case.

      - Replace EXAMPLE.ORG with the Active Directory domain name.

      - Ensure that port 88 on the AD Domain Controller is reachable from this server.

    • Save the file.

    Step 3: Install the auth_kerb module for Apache

    For UBUNTU:
    • Use the following command to install the auth_kerb module for Apache.
    • sudo apt-get install libapache2-mod-auth-kerb
    • Once the auth_kerb module is installed, enable it with the following command.
    • a2enmod auth_kerb
    • After enabling it, restart Apache for the change to take effect.

    For RHEL/CentOS:
    • Use the following command to install the auth_kerb module for Apache.
    • yum install mod_auth_kerb
    • Restart Apache for the change to take effect.

    Step 4: Create the keytab file on the AD Domain Controller

    • On the AD Domain Controller, execute the following command to create the keytab file:
    • ktpass -princ HTTP/<Server Host Name>@EXAMPLE.ORG -pass PASSWORD
      -mapuser <svc@EXAMPLE.ORG> -ptype KRB5_NT_PRINCIPAL -out "<PATH>\spn.keytab"

      NOTE: EXAMPLE.ORG must be in upper case.

      The components of the command are:

      Server Host Name: The host name of the site hosted on the server. It must be the name users type into the browser, because HTTP/<that name> is the service principal the client requests a ticket for.
      EXAMPLE.ORG: The Active Directory domain name.
      PASSWORD: The password of the service account used above.
      svc@EXAMPLE.ORG: A service account in Active Directory.
      PATH: Path to a local location where the keytab file will be stored.

    NOTE: The above command creates a keytab file, which must be placed on the web server. The user running Apache must be able to read it, and nobody else should: anyone who can read the keytab holds the service's long-term key (see Troubleshooting: owned by the Apache user, mode 400).

  • The service account has a few prerequisites:
    • The account's password should be set to not expire.
    • The account should be trusted for delegation.

  • Copy the keytab file from the AD Domain Controller to the web server running Apache.

Step 5: Configure Kerberos SSO for the site directory

    For UBUNTU:

      - Edit the /etc/apache2/sites-enabled/000-default.conf file.

    • Add the following section, inside the site's <VirtualHost> block, for the directory of the site:

        <Directory "/placeholder">
            AuthType Kerberos
            KrbAuthRealms EXAMPLE.ORG
            KrbServiceName HTTP
            Krb5Keytab <PATH TO KEYTAB>
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            require valid-user
        </Directory>

    For RHEL/CentOS:

      - Edit the auth_kerb.conf configuration file in the /etc/httpd/conf.d/ folder.

    • Add the following section for the directory of the site (the module path is relative to the ServerRoot /etc/httpd, as in the auth_kerb.conf shipped with the mod_auth_kerb package):

        LoadModule auth_kerb_module modules/mod_auth_kerb.so
        <Directory "/placeholder">
            AuthType Kerberos
            KrbAuthRealms EXAMPLE.ORG
            KrbServiceName HTTP
            Krb5Keytab <PATH TO KEYTAB>
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            require valid-user
        </Directory>

      NOTE: EXAMPLE.ORG must be in upper case.

      The components of the above configuration are:

        EXAMPLE.ORG: The Active Directory domain as configured in krb5.conf.
        PATH TO KEYTAB: Path to the keytab on this server, readable by the Apache user.
        KrbMethodNegotiate on: Accept SPNEGO/Kerberos tokens from the browser; this is the single sign-on path.
        KrbMethodK5Passwd on: Fall back to HTTP Basic authentication and verify the typed username and password against the KDC when the browser sends no Kerberos token. Because the password then travels inside the request, keep this on only if the site is served over HTTPS; set it to off to accept Kerberos tokens exclusively.
      • After this configuration, restart Apache for the changes to take effect.


Troubleshooting

These are the most common error messages from mod_auth_kerb in the Apache error log, with their usual causes:

  • gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied).
    - Wrong file system permissions on the keytab (e.g. /etc/krb5.keytab), i.e. it is not readable by the web server's Linux user.
    - To fix the permissions, make the file owned by that user and run $ chmod 400 filename

  • gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found).
    - The service principal (probably HTTP/webserver.yourdomain.com@YOURDOMAIN.COM) is missing from the keytab.

  • Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
    - The website is not in the "Local Intranet" zone in IE, or IE is configured incorrectly; see Authentication Uses NTLM instead of Kerberos.

  • gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ).
    - Wrong kvno or machine password in the keytab: recreate the keytab using the correct information.
    - OR a problem with the local Kerberos ticket cache on your workstation: use Kerbtray.exe to purge the ticket cache and open the website in IE again.
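An added example (not part of the guide) that turns the error messages above into a small triage script: it parses Apache 2.4 error_log lines, maps the mod_auth_kerb failures listed in this section to their causes, and checks the keytab's ownership and mode as required in Step 4. The log lines, client addresses and timestamps are constructed samples in the Apache 2.4 error_log layout; the numeric id of the Apache user is supplied by the caller.

```python
"""Added example (not from the guide): triage mod_auth_kerb failures from the Apache error
log and verify that the keytab is private to the web server user.  SAMPLE_LOG is a
constructed excerpt; the advice strings restate the causes from the Troubleshooting section."""
import os
import re
import stat

# (pattern matched against the message part of a log line, likely cause and fix)
KNOWN_FAILURES = [
    (r"gss_acquire_cred\(\) failed: .*Permission denied",
     "keytab not readable by the web server user: chown to that user and chmod 400"),
    (r"gss_acquire_cred\(\) failed: .*Key table entry not found",
     "service principal HTTP/<fqdn>@REALM missing from the keytab: recreate it with ktpass"),
    (r"received token seems to be NTLM",
     "browser sent NTLM: add the site to the Local Intranet zone / enable automatic logon"),
    (r"gss_accept_sec_context\(\) failed: An unsupported mechanism",
     "browser sent NTLM instead of a Kerberos token (same fix as above)"),
    (r"gss_accept_sec_context\(\) failed: Unspecified GSS failure",
     "keytab kvno/password out of date (recreate it) or stale client ticket cache (purge with Kerbtray)"),
]

# Apache 2.4 error_log layout: [time] [module:level] [pid N] [client ip:port] message
LOG_LINE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\]"
    r"(?: \[pid \d+(?::tid \d+)?\])?(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$")


def diagnose(line: str):
    """Return (client, advice) for a recognised auth_kerb failure, else None."""
    m = LOG_LINE.match(line)
    if not m or m["module"] != "auth_kerb":
        return None
    for pattern, advice in KNOWN_FAILURES:
        if re.search(pattern, m["msg"]):
            return m["client"], advice
    return None


def triage(lines):
    """Run diagnose() over an error log excerpt; unrelated lines are skipped."""
    return [hit for hit in (diagnose(line) for line in lines) if hit]


def check_keytab(path: str, apache_uid: int):
    """List keytab permission problems; an empty list means only the Apache user can read it."""
    st = os.stat(path)
    problems = []
    if st.st_uid != apache_uid:
        problems.append("not owned by the web server user")
    if not st.st_mode & stat.S_IRUSR:
        problems.append("owner cannot read the file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group or others; use chmod 400")
    return problems


# Constructed sample excerpt: the first line is unrelated and must be skipped.
SAMPLE_LOG = [
    "[Mon Mar 02 09:10:11.123456 2020] [mpm_prefork:notice] [pid 100] AH00163: Apache/2.4.6 configured",
    "[Mon Mar 02 09:10:12.000001 2020] [auth_kerb:error] [pid 101] [client 10.0.0.5:51234] "
    "gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Permission denied)",
    "[Mon Mar 02 09:11:05.000001 2020] [auth_kerb:error] [pid 102] [client 10.0.0.7:51240] "
    "Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.",
    "[Mon Mar 02 09:12:30.000001 2020] [auth_kerb:error] [pid 103] [client 10.0.0.9:51250] "
    "gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )",
]

if __name__ == "__main__":
    for client, advice in triage(SAMPLE_LOG):
        print(f"{client}: {advice}")
```

The pattern order matters: the generic "Unspecified GSS failure" for gss_accept_sec_context() comes last so that the more specific minor-code messages win. check_keytab() is the programmatic form of the chmod 400 advice above and can be run against the path you put in Krb5Keytab, passing the uid of the Apache user (www-data on Ubuntu, apache on RHEL/CentOS).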

Steps To Set Up Kerberos For Windows Authentication

    Step 1: Open a Command Prompt in Administrator mode.

    Step 2: Execute the following command to add a Service Principal Name (SPN) for the account:

      setspn -A HTTP/<Server FQDN> <Domain Service Account>
      Example: C:\Users\Administrator> setspn -A HTTP/mini.example.com gpadmin

      Note: "mini.example.com" here is the FQDN. Make sure it is resolvable on the Windows server running the AD service. The same SPN must not be registered to any other account, because duplicate SPNs make Kerberos authentication fail; setspn -S registers the SPN only after checking that it is not already in use.

    Step 3: Open Active Directory Users and Computers.

    Step 4: Search for the service account that was used to create the Service Principal Name (SPN).

    Step 5: Navigate to the Delegation tab.

    Step 6: Select "Trust this user for delegation to any service (Kerberos only)".

      Note: this option is unconstrained delegation. If the site only authenticates users and never calls back-end services on their behalf, delegation can stay disabled; if it does need to, "Trust this user for delegation to specified services only" (constrained delegation) limits which services the account can present users' identities to.

    Step 7: Click Apply.

    Step 8: Open IIS Manager.

    Step 9: Select the site to which you want to apply Windows Authentication.

    Step 10: Select the Application Pool for that website. Right-click it and select Advanced Settings.

    Step 11: Under Identity, choose Custom Account and set it to the service account for which delegation was enabled. You will need to enter the service account's password as well.

    Step 12: Navigate to the Authentication section for the website.

    Step 13: Enable Windows Authentication and disable Anonymous Authentication (both cannot be active at the same time).

    Step 14: Go to the Configuration Editor.

    • Search for: system.webServer/security/authentication/windowsAuthentication

    Step 15: Set useKernelMode to False and useAppPoolCredentials to True in the Configuration Editor.

    Step 16: Click Apply.

    Step 17: Restart the IIS server.

Client-side settings for Windows Authentication (the steps below work for IE and Chrome)

    Step 1: Open Internet Explorer and open Internet Options.

    Step 2: Add the base URL of the IIS server to the list of sites in the Local Intranet zone.

    Step 3: Select Custom Level for the security zone. In the list of options, select "Automatic logon only in Intranet zone".