Steps To Setup Kerberos On UBUNTU/RHEL (CentOS)

Step 1: Install Kerberos Client Libraries On The Web Server

For UBUNTU:

• Use the following command on your terminal to install the Kerberos client libraries.
sudo apt-get install krb5-user
For RHEL/CentOS:

• Use the following command on your terminal to install the Kerberos client libraries.
yum install krb5-workstation krb5-libs krb5-auth-dialog

Step 2: Configure the Active Directory domain in the Kerberos Configuration file

The following steps are used to configure the Active Directory Domains in the Kerberos configuration file:

• Open and edit the /etc/krb5.conf file.
• Add the following configuration snippet to the krb5.conf file.
EXAMPLE.ORG= { kdc = <AD DOMAIN CONTROLLER IP/DNS> :88 }

NOTE: Replace the AD DOMAIN CONTROLLER IP/DNS with your IP/DNS address. Ensure EXAMPLE.ORG should be in upper case.

- Replace the EXAMPLE.ORG with the Active Directory domain name.

- And ensure that the port 88 on the AD Domain Controller is accessible from this server.

• Save the file.

Step 3: Install the auth_kerb module for Apache

For UBUNTU:
• Use the following command to install auth_kerb module for Apache.
sudo apt-get install libapache2-mod-auth-kerb
• Once the auth_kerb module is installed, it needs to be enabled through the following command.
a2enmod auth_kerb
• After enabling, Restart Apache to take effect.

For RHEL/CentOS:
• Use the following command to install auth_kerb module for Apache.
yum install mod_auth_kerb
• Restart Apache to take effect.

Step 4: Create Keytab file on the AD Domain Controller

• On the AD Domain Controller, execute the following command to create the Keytab file.
ktpass -princ HTTP/<Server Host Name>@EXAMPLE.ORG -pass PASSWORD
-mapuser <svc@EXAMPLE.ORG> -Ptype KRB5_NT_PRINCIPAL -out "<PATH>\spn.keytab"


NOTE: Ensure EXAMPLE.ORG should be in uppercase.

The following are the components of the command.

Server Host Name:	It is the host name of the site hosted on the Server.
Server Host Name:	It is the host name of the site hosted on the Server.
EXAMPLE.ORG:	It is the Active Directory Domain Name.
PASSWORD:	It is the password of the service account used above.
svc@EXAMPLE.ORG:	It is a service account in Active Directory.
Path:	Path to a local location which will store the keytab file.

NOTE: The above command creates a keytab file. It needs to be placed on the server. The user running Apache should have full access to this file.The user should have permission to the keytab file.

• The Service Account has a few prerequisites:
• The account password should have a password set to Not Expired.
• The account should be trusted for delegation.
• Copy the Keytab file from AD Domain Controller to the web server hosted on Apache.

Step 5: Configure Kerberos SSO for the site directory

For UBUNTU:


-Edit the /etc/apache2/sites-enabled/000-default.conf file.

• Add the following section in the directory of the site.
<Directory "/placeholder"> AuthType Kerberos KrbAuthRealms EXAMPLE.ORG KrbServiceName HTTP Krb5Keytab <PATH TO KEYTAB> KrbMethodNegotiate on KrbMethodK5Passwd on require valid-user </Directory>

For RHEL/CentOS:


-Edit the auth_kerb.conf configuration file in the /etc/httpd/conf.d/ folder.

• Add the following section in the directory of the site.
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so <Directory "/placeholder"> AuthType Kerberos KrbAuthRealms EXAMPLE.ORG KrbServiceName HTTP Krb5Keytab <PATH TO KEYTAB> KrbMethodNegotiate on KrbMethodK5Passwd on require valid-user </Directory>

NOTE: Ensure EXAMPLE.ORG should be in upper case.

The following are the components of the above configuration:

EXAMPLE.ORG:	This is the Active Directory domain as configured in krb5.conf.
PATH TO KEYTAB:	Accessible path to the keytab on this server.

• After this configuration, Apache needs to be restarted for the changes to take effect.

Troubleshooting

gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied).

• Wrong file system permissions for /etc/krb5.keytab, i.e. not readable for the webserver’s Linux user.
• To change file system permissions use $ chmod 400 filename

gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found).

• Missing service principal (possibly HTTP/webserver.yourdomain.com@YOURDOMAIN.COM) in /etc/krb5.keytab.

Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

• The website is not in zone "Local Intranet“ in IE or IE is configured incorrectly, see Authentication Uses NTLM instead of Kerberos.

gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ).

• Wrong kvno or machine password in /etc/krb5.keytab → recreate the keytab using the correct information.
• Problem with local Kerberos ticket cache on your workstation, use Kerbtray.exe to purge the ticket cache and open the website in IE again.