Steps To Setup Kerberos On UBUNTU/RHEL (CentOS)
NOTE: The above command creates a keytab file. It needs to be placed on the web server, and the Linux user running Apache should have full access to this file.
- The service account has a few prerequisites:
  - The account password should be set not to expire.
  - The account should be trusted for delegation.
- Copy the keytab file from the AD domain controller to the web server running Apache.
Step 5: Configure Kerberos SSO for the site directory
- Add the following section to the site's directory configuration.
# LoadModule belongs in the server-wide configuration, not inside a <Directory> block.
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
KrbAuthRealms EXAMPLE.ORG
Krb5Keytab <PATH TO KEYTAB>
NOTE: Ensure the realm (EXAMPLE.ORG) is written in upper case.
The following are the components of the above configuration:
- EXAMPLE.ORG: the Active Directory domain (Kerberos realm), as configured in krb5.conf.
- PATH TO KEYTAB: a path to the keytab that is readable on this server.
- After this configuration, Apache needs to be restarted for the changes to take effect.
These are the most common error messages and their causes:
- gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied).
  Wrong file system permissions on /etc/krb5.keytab, i.e. it is not readable by the web server's Linux user. To change the file system permissions use $ chmod 400 filename (the file must then be owned by the web server's user, since mode 400 grants read access to the owner only).
- gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found).
  The service principal (probably HTTP/webserver.yourdomain.com@YOURDOMAIN.COM) is missing from /etc/krb5.keytab.
- Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
- gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
  For both of the above: the website is not in the "Local intranet" zone in IE, or IE is configured incorrectly; see "Authentication Uses NTLM instead of Kerberos".
- gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ).
  Wrong kvno or machine password in /etc/krb5.keytab: recreate the keytab using the correct information.
  Alternatively, a problem with the local Kerberos ticket cache on your workstation: use Kerbtray.exe to purge the ticket cache and open the website in IE again.
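The following pre-flight script, added here and not part of the original guide, checks a keytab for the server-side causes listed above (permissions, missing service principal, realm case, and the kvno to compare against Active Directory). The keytab path, the Apache user name, the expected principal and the sample klist output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks on the
# mod_auth_kerb keytab, one per failure cause in the troubleshooting list.
# Keytab path, Apache user and principal are assumed inputs.
# Constructed sample of `klist -k` output, used in place of a live keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------
   3 HTTP/webserver.example.org@EXAMPLE.ORG
   3 host/webserver.example.org@EXAMPLE.ORG'

# "Permission denied": the keytab exists, is owned by the web server's Linux
# user and is readable by that user only (mode 400 or 600).
keytab_perms_ok() {
  [ -f "$1" ] || return 1
  owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1")
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$owner" = "$2" ] || return 1
  case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}
# "Key table entry not found": $1 = expected principal, $2 = klist -k text.
keytab_has_principal() {
  printf '%s\n' "$2" | awk -v p="$1" '$2 == p { f = 1 } END { exit f ? 0 : 1 }'
}
# Wrong kvno: print the key version stored for $1 so it can be compared
# with the account's msDS-KeyVersionNumber attribute in Active Directory.
keytab_kvno() {
  printf '%s\n' "$2" | awk -v p="$1" '$2 == p { print $1; exit }'
}
# The realm after '@' must be upper case (the EXAMPLE.ORG note above).
realm_is_upper() {
  case "$1" in *@*) ;; *) return 1 ;; esac
  realm=${1##*@}
  [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}
run_check() {  # run_check NAME HINT COMMAND...; counts failures in $fails
  name=$1; hint=$2; shift 2
  if "$@"; then echo "PASS $name"; else echo "FAIL $name: $hint"; fails=$((fails + 1)); fi
}
# Usage: klist -k "$KEYTAB" | check_all "$KEYTAB" www-data HTTP/host@REALM
# Prints one PASS/FAIL line per check and returns the number of failures.
check_all() {
  keytab=$1; user=$2; principal=$3; fails=0; klist_out=$(cat)
  run_check perms "chown $user $keytab; chmod 400 $keytab" keytab_perms_ok "$keytab" "$user"
  run_check principal "recreate the keytab with $principal" keytab_has_principal "$principal" "$klist_out"
  run_check realm "write the realm in upper case" realm_is_upper "$principal"
  echo "kvno in keytab: $(keytab_kvno "$principal" "$klist_out")"
  return "$fails"
}
```

A zero exit status from check_all means none of the server-side causes above applies, so the remaining suspects are the browser zone settings and the workstation's ticket cache.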