Setup NTLM/Kerberos SSO Single Sign-On for UBUNTU/RHEL/CentOS

Overview

The Kerberos SSO extension makes it easier to obtain a Kerberos ticket-granting ticket (TGT) from your organization's Active Directory or other identity provider domain, allowing users to authenticate to resources such as websites, applications, and file servers.

Steps to Integrate Kerberos SSO LDAP for Single Sign-On (SSO)

Step 1: Install Kerberos Client Libraries on the Web Server

For UBUNTU:

• Use the following command on your terminal to install the Kerberos client libraries.
sudo apt-get install krb5-user

For RHEL/CentOS:

• Use the following command on your terminal to install the Kerberos client libraries.
yum install krb5-workstation krb5-libs krb5-auth-dialog

Step 2: Configure the Active Directory domain in the Kerberos Configuration file

The following steps are used to configure the Active Directory Domains in the Kerberos configuration file:

• Open and edit the /etc/krb5.conf file.
• Add the following configuration snippet to the krb5.conf file.
EXAMPLE.ORG= { kdc = <AD DOMAIN CONTROLLER IP/DNS> :88 }

NOTE: Replace the AD DOMAIN CONTROLLER IP/DNS with your IP/DNS address. Ensure EXAMPLE.ORG should be in upper case.

Replace the EXAMPLE.ORG with the Active Directory domain name.

And ensure that the port 88 on the AD Domain Controller is accessible from this server.



• Save the file.

Step 3: Install the auth_kerb module for Apache

For UBUNTU:

• Use the following command to install auth_kerb module for Apache.
sudo apt-get install libapache2-mod-auth-kerb
• Once the auth_kerb module is installed, it needs to be enabled through the following command.
a2enmod auth_kerb
• After enabling, Restart Apache to take effect.

For RHEL/CentOS:

• Use the following command to install auth_kerb module for Apache.
yum install mod_auth_kerb
• Restart Apache to take effect.

Step 4: Create Keytab file on the AD Domain Controller

• On the AD Domain Controller, execute the following command to create the Keytab file.
ktpass -princ HTTP/<Server Host Name>@EXAMPLE.ORG -pass PASSWORD -mapuser <svc@EXAMPLE.ORG> -Ptype KRB5_NT_PRINCIPAL -out "<PATH>\spn.keytab"

NOTE: Ensure EXAMPLE.ORG should be in uppercase.

Server Host Name:	It is the host name of the site hosted on the Server.
Server Host Name:	It is the host name of the site hosted on the Server.
EXAMPLE.ORG:	It is the Active Directory Domain Name.
PASSWORD:	It is the password of the service account used above.
svc@EXAMPLE.ORG:	It is a service account in Active Directory.
Path:	Path to a local location which will store the keytab file.

NOTE: The above command creates a keytab file. It needs to be placed on the server. The user running Apache should have full access to this file.The user should have permission to the keytab file.



• The Service Account has a few prerequisites:
• The account password should have a password set to Not Expired.
• The account should be trusted for delegation.
• Copy the Keytab file from AD Domain Controller to the web server hosted on Apache.

Step 5: Configure Kerberos SSO for the site directory

For UBUNTU:

• Edit the /etc/apache2/sites-enabled/000-default.conf file.
• Add the following section in the directory of the site.
<Directory "/placeholder"> AuthType Kerberos KrbAuthRealms EXAMPLE.ORG KrbServiceName HTTP Krb5Keytab <PATH TO KEYTAB> KrbMethodNegotiate on KrbMethodK5Passwd on require valid-user </Directory>

For RHEL/CentOS:

• Edit the auth_kerb.conf configuration file in the /etc/httpd/conf.d/ folder.
• Add the following section in the directory of the site.
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so <Directory "/placeholder"> AuthType Kerberos KrbAuthRealms EXAMPLE.ORG KrbServiceName HTTP Krb5Keytab <PATH TO KEYTAB> KrbMethodNegotiate on KrbMethodK5Passwd on require valid-user </Directory>

NOTE: Ensure EXAMPLE.ORG should be in upper case.

The following are the components of the above configuration:

EXAMPLE.ORG:	This is the Active Directory domain as configured in krb5.conf.
PATH TO KEYTAB:	Accessible path to the keytab on this server.

• After this configuration, Apache needs to be restarted for the changes to take effect.

Troubleshooting

These are the most common error messages:

gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied).
• Wrong file system permissions for /etc/krb5.keytab, i.e. not readable for the webserver’s Linux user.
• To change file system permissions use $ chmod 400 filename.
gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found).
• Missing service principal (possibly HTTP/webserver.yourdomain.com@YOURDOMAIN.COM) in /etc/krb5.keytab.
Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration. gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
• The website is not in zone "Local Intranet“ in IE or IE is configured incorrectly, see Authentication Uses NTLM instead of Kerberos.
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ).
• Wrong kvno or machine password in /etc/krb5.keytab → recreate the keytab using the correct information.
• Problem with local Kerberos ticket cache on your workstation, use Kerbtray.exe to purge the ticket cache and open the website in IE again.

Related Articles

• LDAP Authentication with Active Directory
• What is Kerberos?
• NTLM/Kerberos Authentication Mechanism
• How to configure NTLM?
• Guide to setup NTLM SSO with Apache on Windows
• Configure Apache Directory Studio with Joomla LDAP for Intranet
• Configure Active Directory on Windows Server
• Configure browsers settings for NTLM / Kerberos Authentication