Steps To Setup Kerberos On UBUNTU/RHEL(CentOS)

    Step 1: Install Kerberos Client Libraries On The Web Server

    For UBUNTU:
    • Use the following command on your terminal to install the Kerberos client libraries.
    • sudo apt-get install krb5-user

    For RHEL/CentOS:
    • Use the following command on your terminal to install the Kerberos client libraries.
    • yum install krb5-workstation krb5-libs krb5-auth-dialog

    Step 2: Configure the Active Directory domain in the Kerberos Configuration file

    The following steps are used to configure the Active Directory Domains in the Kerberos configuration file:

    • Open and edit the /etc/krb5.conf file.
    • Add the following realm definition to the [realms] section of krb5.conf (create the section if it does not exist yet).

        [realms]
        EXAMPLE.ORG = {
            kdc = <AD DOMAIN CONTROLLER IP/DNS>:88
        }

      NOTE: Replace <AD DOMAIN CONTROLLER IP/DNS> with the IP address or DNS name of your domain controller. The realm name (EXAMPLE.ORG) must be in upper case.

      - Replace EXAMPLE.ORG with the Active Directory domain name.

      - Ensure that port 88 on the AD Domain Controller is reachable from this server.

    • Save the file.

    Step 3: Install the auth_kerb module for Apache

    For UBUNTU:
    • Use the following command to install auth_kerb module for Apache.
    • sudo apt-get install libapache2-mod-auth-kerb
    • Once the auth_kerb module is installed, it needs to be enabled through the following command.
    • a2enmod auth_kerb
    • After enabling it, restart Apache for the change to take effect.

    For RHEL/CentOS:
    • Use the following command to install auth_kerb module for Apache.
    • yum install mod_auth_kerb
    • Restart Apache for the change to take effect.

    Step 4: Create Keytab file on the AD Domain Controller

    • On the AD Domain Controller, execute the following command to create the Keytab file.
    • ktpass -princ HTTP/<Server Host Name>@EXAMPLE.ORG -pass PASSWORD
      -mapuser svc@EXAMPLE.ORG -ptype KRB5_NT_PRINCIPAL -out "<Path>\spn.keytab"

      NOTE: EXAMPLE.ORG must be in upper case.


      The following are the components of the command.

      Server Host Name: The host name of the site hosted on the server, as the browser will address it.
      EXAMPLE.ORG: The Active Directory domain name.
      svc@EXAMPLE.ORG: The service account in Active Directory to which the service principal is mapped.
      PASSWORD: The password of the service account used above.
      Path: A local path on the domain controller where the keytab file will be written.

NOTE: The above command creates a keytab file, which must then be copied to the web server. The user running Apache must be able to read this file, and the file should not be readable by any other user.

  • The Service Account has a few prerequisites:
    1. The account must have a password set, and its password must be set to not expire.
    2. The account should be trusted for delegation.

Step 5: Configure Kerberos SSO for the site directory

  • The following steps are used to configure Kerberos SSO for the site directory:

      For UBUNTU:

        - Edit the /etc/apache2/sites-enabled/000-default.conf file.

      For RHEL/CentOS:

        - Edit the auth_kerb.conf configuration file in the /etc/httpd/conf.d/ folder.


  • Add the following section for the directory of the site.

    • For UBUNTU:
        <Directory "/placeholder">
            AuthType Kerberos
            KrbAuthRealms EXAMPLE.ORG
            KrbServiceName HTTP
            Krb5Keytab <PATH TO KEYTAB>
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            require valid-user
        </Directory>

      For RHEL/CentOS:
        LoadModule auth_kerb_module modules/mod_auth_kerb.so
        <Directory "/placeholder">
            AuthType Kerberos
            KrbAuthRealms EXAMPLE.ORG
            KrbServiceName HTTP
            Krb5Keytab <PATH TO KEYTAB>
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            require valid-user
        </Directory>

    NOTE: EXAMPLE.ORG must be in upper case.


    The following are the components of the above configuration:

      EXAMPLE.ORG: The Active Directory domain as configured in krb5.conf.
      PATH TO KEYTAB: Accessible path to the keytab on this server (the file created in Step 4).
      KrbMethodNegotiate on: Enables ticket-based (SPNEGO) single sign-on from the browser.
      KrbMethodK5Passwd on: Allows a Basic-auth fallback in which the browser sends the user's password to Apache, which verifies it against the KDC. Use it only on a site served over HTTPS, or set it to off.
  • After this configuration, Apache needs to be restarted for the changes to take effect.


Troubleshooting

These are the most common error messages, with their usual causes:

  • gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied).
    - Wrong file system permissions on /etc/krb5.keytab, i.e. the file is not readable by the web server's Linux user.
    - Make the web server user the owner of the file, then restrict its permissions with $ chmod 400 filename

  • gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found).
    - The service principal (typically HTTP/webserver.yourdomain.com@YOURDOMAIN.COM) is missing from /etc/krb5.keytab.

  • Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
    - The website is not in the "Local Intranet" zone in IE, or IE is configured incorrectly; see "Authentication Uses NTLM instead of Kerberos".

  • gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ).
    - Wrong kvno or machine password in /etc/krb5.keytab: recreate the keytab using the correct information.
    - Or a problem with the local Kerberos ticket cache on your workstation: use Kerbtray.exe to purge the ticket cache and open the website in IE again.
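Added example, not part of the original guide: offline checks for the settings that Steps 2, 4 and 5 rely on and that the troubleshooting entries above point at, namely the realm entry in krb5.conf, the keytab file permissions, and the presence of the HTTP service principal in `klist -kt` output. The realm EXAMPLE.ORG, the host web01.example.org and the KDC dc01.example.org are constructed sample values.

```shell
#!/bin/sh
# Added example (not the guide's own code): pre-flight checks for a
# mod_auth_kerb setup. EXAMPLE.ORG, web01.example.org and dc01.example.org
# are constructed sample values, not real hosts.

# Step 2: every realm in [realms] must be upper case and name a kdc.
# Returns 0 when the krb5.conf given as $1 passes, 1 otherwise.
check_realms_section() {
  awk '
    /^\[/ { in_realms = ($1 == "[realms]"); next }
    in_realms && /=[[:space:]]*[{]/ {
      realm = $1; sub(/=.*/, "", realm)
      if (realm != toupper(realm)) bad = 1
      n++
    }
    in_realms && /kdc[[:space:]]*=/ { kdc++ }
    END { exit ((n == 0 || bad || kdc < n) ? 1 : 0) }
  ' "$1"
}

# Step 4 note / "Permission denied": the keytab must be readable only by its
# owner (mode 0400 or 0600), and the owner must be the user Apache runs as.
check_keytab_mode() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    -r--------|-rw-------) return 0 ;;
    *) return 1 ;;
  esac
}

# "Key table entry not found": pipe `klist -kt <keytab>` output in on stdin
# and pass the expected SPN as $1; returns 0 when that principal is listed.
keytab_lists_principal() {
  awk -v want="$1" '$NF == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# Runs the three checks against constructed inputs; returns 0 if all pass.
demo() {
  dir=$(mktemp -d)
  printf '[libdefaults]\n default_realm = EXAMPLE.ORG\n[realms]\n EXAMPLE.ORG = {\n  kdc = dc01.example.org:88\n }\n' > "$dir/krb5.conf"
  : > "$dir/spn.keytab" && chmod 400 "$dir/spn.keytab"
  klist_out='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   3 01/02/2024 10:00:00 HTTP/web01.example.org@EXAMPLE.ORG'
  check_realms_section "$dir/krb5.conf" \
    && check_keytab_mode "$dir/spn.keytab" \
    && printf '%s\n' "$klist_out" | keytab_lists_principal HTTP/web01.example.org@EXAMPLE.ORG
  rc=$?; rm -rf "$dir"; return $rc
}
```

On a real server, run the same functions against /etc/krb5.conf, the keytab path from the Krb5Keytab directive, and `klist -kt <keytab> | keytab_lists_principal HTTP/<Server Host Name>@EXAMPLE.ORG`.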