Setup Kerberos On UBUNTU/RHEL/CentOS
Overview
Set up Kerberos on Ubuntu / RHEL by installing libraries, configuring domains, creating keytab files, and troubleshooting common errors.
Setup Kerberos On UBUNTU/Debian:
Step 1: Create Keytab file on the AD Domain Controller:
- On the AD Domain Controller open the command prompt in administrator mode and execute the following command to create the Keytab file:
ktpass -princ HTTP/<Server Host Name>@EXAMPLE.COM -mapuser <username@EXAMPLE.COM>
-pass password -ptype KRB5_NT_PRINCIPAL -out <PATH>\spn.keytab
Note: EXAMPLE.COM must be in uppercase. If a user with this SPN already exists, use that user instead of creating a new one. The Kerberos principal is case-sensitive, so check upper/lower case before running the ktpass command. ktpass sets the mapped account's password to the value given with -pass and increments the account's key version number (kvno), so any keytab issued earlier for that account stops working. Adding -crypto AES256-SHA1 gives the keytab an AES key instead of RC4/DES; the account must then have "This account supports Kerberos AES 256 bit encryption" enabled in its account options.
- The following are the components of the command:
Server Host Name: | The host name (FQDN) of the site hosted on the server, exactly as it appears in the URL users type. |
EXAMPLE.COM: | The Active Directory domain name, in uppercase. |
Username: | A service account in Active Directory. |
Password: | The password of the service account used above. |
Path: | Path to a local location which will store the keytab file (C:\Temp\spn.keytab). |
- Verify the SPN: open Active Directory Users and Computers and from the top menu select View >> Advanced Features. Open the service account, go to the Attribute Editor tab and check that the servicePrincipalName attribute contains HTTP/<Server Host Name>.
- Delegation (optional): on the Delegation tab of the service account, select "Trust this user for delegation to any service (Kerberos only)" and click Apply. This is unconstrained delegation. It is not needed for browser SSO to the site itself; it is only needed if the web server must forward the user's credentials to another Kerberos service, and it allows anyone who compromises the service account to impersonate users to any service in the domain. Leave it off unless forwarding is required, and prefer constrained delegation ("Trust this user for delegation to specified services only") if it is.
- Copy the Keytab file from the AD Domain Controller to the web server running Apache.
Note: The above command creates a keytab file. It needs to be placed on the server where your WordPress site is hosted. The keytab contains the service's long-term key, so the user running Apache (www-data on Ubuntu/Debian) must be able to read it and nobody else should:
sudo chown www-data:www-data /etc/apache2/spn.keytab
sudo chmod 600 /etc/apache2/spn.keytab
Step 2: Install Kerberos client libraries on the web server:
- Use the following command on your terminal to install the Kerberos client libraries (the package may prompt for a default realm; enter your Active Directory domain name in uppercase, e.g. EXAMPLE.COM):
sudo apt-get install krb5-user
Step 3: Install modules for Apache:
- There are two Apache modules that provide Kerberos authentication; only one of them needs to be installed:
1. mod_auth_kerb
2. mod_auth_gssapi
Note: In recent releases of Ubuntu/Debian, mod_auth_kerb is deprecated and has been replaced by mod_auth_gssapi. Use mod_auth_gssapi for new installations; the mod_auth_kerb steps are kept for existing ones.
1. Install the mod_auth_kerb module for Apache on Debian-based systems, enable it, and restart Apache (sudo systemctl restart apache2) for the change to take effect:
sudo apt-get install libapache2-mod-auth-kerb
sudo a2enmod auth_kerb
2. Install the mod_auth_gssapi module for Apache on Debian-based systems. The package enables the module when it is installed; running a2enmod auth_gssapi afterwards confirms this. Restart Apache (sudo systemctl restart apache2) for the change to take effect:
sudo apt-get -y install libapache2-mod-auth-gssapi
sudo a2enmod auth_gssapi
Step 4: Configure the Active Directory domain in the Kerberos configuration file:
- Open and edit the krb5.conf file. On Linux the path is /etc/krb5.conf (some other UNIX systems, for example Solaris, use /etc/krb5/krb5.conf).
- Add the following configuration snippet to the krb5.conf file under the sections shown, then save the file:
[libdefaults]
default_realm = EXAMPLE.COM
# ...
# ...
[realms]
EXAMPLE.COM = {
kdc = <DNS name of your domain controller>:88
admin_server = <DNS name of your domain controller>:749
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Note: Replace <DNS name of your domain controller> with the DNS name (or IP address) of your AD domain controller, and EXAMPLE.COM with your Active Directory domain name, in uppercase. The KDC listens on port 88; admin_server is only used by kadmin-style tools and can be omitted for Active Directory. Ensure that port 88 on the AD Domain Controller is reachable from this server over both UDP and TCP (large tickets are retried over TCP). You can confirm the realm configuration and the keytab together, before touching Apache, with kinit -kt /etc/apache2/spn.keytab HTTP/<Server Host Name>@EXAMPLE.COM followed by klist; the key version number and encryption type of each keytab entry are shown by klist -kt /etc/apache2/spn.keytab.
Step 5: Configure Kerberos SSO for the site directory:
- Edit the virtual host configuration file of the site, which is stored under the /etc/apache2/sites-enabled directory, or the default virtual host file named 000-default.conf.
- Add one of the following sections, for the directory of the site, according to the Apache module installed in Step 3 (mod_auth_kerb or mod_auth_gssapi).
- After this configuration, restart Apache for the changes to take effect.
1. For mod_auth_kerb:
<Directory "/placeholder">
AuthType Kerberos
KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP/<Server Host Name>
Krb5Keytab <PATH TO KEYTAB>
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user
</Directory>
2. For mod_auth_gssapi (on Debian/Ubuntu the module is loaded by a2enmod, so the LoadModule line below is only a guard for installations where it was not enabled):
<IfModule !mod_auth_gssapi.c>
LoadModule auth_gssapi_module /usr/lib/apache2/modules/mod_auth_gssapi.so
</IfModule>
<Directory "/placeholder">
AuthType GSSAPI
AuthName "Kerberos auth"
GssapiAllowedMech krb5
GssapiBasicAuth On
GssapiCredStore keytab:<PATH TO KEYTAB>
GssapiLocalName On
# BrowserMatch Windows gssapi-no-negotiate
Require valid-user
</Directory>
Note: Ensure EXAMPLE.COM is in uppercase.
Note: KrbMethodK5Passwd on and GssapiBasicAuth On let a client that has no ticket fall back to Basic authentication: the username and password are sent to Apache, which validates them against the KDC. The password crosses the network only base64-encoded, so serve the site over HTTPS only, or set these to off to require a Kerberos ticket.
Note: Setting the gssapi-no-negotiate environment variable for a user agent (the commented-out BrowserMatch line) stops Apache from offering Negotiate to that client, so it is forced to Basic authentication and gets a password prompt. Leave the line out for SSO with Windows browsers; use it only for clients known not to handle Negotiate.
The following are the components of the above configuration:
EXAMPLE.COM: | The Active Directory domain as configured in krb5.conf. |
PATH TO KEYTAB: | Accessible path to the keytab on this server (/etc/apache2/spn.keytab). |
"/placeholder": | Path to the document root of the site. |
Setup Kerberos On RHEL/CentOS:
Step 1: Create Keytab file on the AD Domain Controller:
- On the AD Domain Controller open the command prompt in administrator mode and execute the following command to create the Keytab file:
ktpass -princ HTTP/<Server Host Name>@EXAMPLE.COM -mapuser <username@EXAMPLE.COM>
-pass password -ptype KRB5_NT_PRINCIPAL -out <PATH>\spn.keytab
Note: EXAMPLE.COM must be in uppercase. The Kerberos principal is case-sensitive, so check upper/lower case before running the ktpass command. ktpass sets the mapped account's password to the value given with -pass and increments the account's key version number (kvno), so any keytab issued earlier for that account stops working. Adding -crypto AES256-SHA1 gives the keytab an AES key instead of RC4/DES; the account must then have AES enabled in its account options.
- The following are the components of the command:
Server Host Name: | The host name (FQDN) of the site hosted on the server, exactly as it appears in the URL users type. |
EXAMPLE.COM: | The Active Directory domain name, in uppercase. |
Username: | A service account in Active Directory. |
Password: | The password of the service account used above. |
Path: | Path to a local location which will store the keytab file (C:\Temp\spn.keytab). |
- Copy the Keytab file from the AD Domain Controller to the web server running Apache.
Note: The above command creates a keytab file. It needs to be placed on the server where your WordPress site is hosted. The keytab contains the service's long-term key, so the user running Apache (apache on RHEL/CentOS) must be able to read it and nobody else should. On SELinux-enforcing hosts, keep the file under /etc/httpd so that httpd is allowed to read it:
sudo chown apache:apache /etc/httpd/spn.keytab
sudo chmod 600 /etc/httpd/spn.keytab
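To check the keytab created in Step 1 (of this section and of the Ubuntu/Debian section) before Apache uses it, here is an added Python example; it is not part of this guide and not the plugin's or MIT Kerberos' code. It parses the MIT keytab format that ktpass writes, reports principal, kvno and encryption type per entry, and flags the mistakes behind "Key table entry not found": a host name that does not match the SPN, a lower-case realm, a DES/RC4 key, and a file mode that lets other users read the key. The host name www.example.com, the key bytes and the temporary file are constructed for the demonstration; on a real host, klist -kt <keytab> shows the same fields and inspect_keytab() can be pointed at the deployed file.

```python
"""Parse an MIT-format keytab and audit it against the SPN Apache expects.

Added example for this guide (not the plugin's or MIT's code). Sample names,
keys and files below are constructed; nothing here talks to a KDC.
"""
import os
import stat
import struct
import tempfile

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4)"}
WEAK_ENCTYPES = {1, 3, 23}          # DES and RC4 are disabled on modern KDCs and clients


def _read_cstr(data, pos):
    """Read a uint16-length-prefixed string (realm or name component)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes):
    """Return one dict per entry of a version-2 (0x0502) MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab (header %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                # negative size marks a deleted slot of abs(size) bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        _, _, kvno = struct.unpack(">IIB", data[pos:pos + 9])      # name_type, timestamp, vno8
        enctype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + klen                                           # skip the key itself
        if end - pos >= 4:          # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "realm": realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Build a one-entry keytab for testing (ktpass does this for real)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def audit_keytab(entries, expected_spn: str):
    """List the problems that make Apache fail to find a usable key."""
    problems = []
    for e in entries:
        if e["realm"] != e["realm"].upper():
            problems.append("realm is not upper-case: " + e["principal"])
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("weak enctype %s: %s"
                            % (ENCTYPES.get(e["enctype"], e["enctype"]), e["principal"]))
    if not any(e["principal"] == expected_spn for e in entries):
        problems.append("no entry for " + expected_spn)
    return problems


def perm_problem(path: str):
    """Return a message if the keytab is readable by group or others, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return "keytab %s has mode %o; use chmod 600 and chown to the Apache user" % (path, mode)
    return None


def inspect_keytab(path: str, expected_spn: str):
    """Audit a keytab on disk: content problems followed by file-mode problems."""
    with open(path, "rb") as f:
        problems = audit_keytab(parse_keytab(f.read()), expected_spn)
    perm = perm_problem(path)
    return problems + ([perm] if perm else [])


def demo():
    """Write a constructed keytab, check it at mode 644 and again at mode 600."""
    spn = "HTTP/www.example.com@EXAMPLE.COM"
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, build_keytab(spn, 18, bytes(range(32)), kvno=2))   # dummy AES-256 key
        os.close(fd)
        os.chmod(path, 0o644)
        loose = inspect_keytab(path, spn)
        os.chmod(path, 0o600)
        tight = inspect_keytab(path, spn)
    finally:
        os.unlink(path)
    return {"mode_644": loose, "mode_600": tight}


if __name__ == "__main__":
    for problem in demo()["mode_644"]:
        print(problem)
```

The kvno in the keytab must equal the kvno the KDC currently holds for the account; every ktpass run raises it, so after re-creating the keytab always replace the copy on the web server rather than keeping an older one.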
Step 2: Install Kerberos client libraries on the web server:
- Use the following command on your terminal to install the Kerberos client libraries. It also installs mod_auth_gssapi and mod_session, so if you choose mod_auth_gssapi in Step 3 nothing further is needed there:
yum install -y krb5-workstation krb5-devel krb5-libs mod_auth_gssapi mod_session
Note: In recent releases of CentOS/RHEL, mod_auth_kerb is deprecated and has been replaced by mod_auth_gssapi.
Step 3: Install modules for Apache:
- There are two Apache modules that provide Kerberos authentication; only one of them needs to be installed:
1. mod_auth_kerb
2. mod_auth_gssapi
Note: In recent releases of RHEL/CentOS, mod_auth_kerb is deprecated and has been replaced by mod_auth_gssapi; RHEL 8 and later no longer ship mod_auth_kerb. Use mod_auth_gssapi for new installations.
1. Install the mod_auth_kerb module for Apache on Red Hat-based systems (older releases only):
yum install mod_auth_kerb
2. Install the mod_auth_gssapi module for Apache on Red Hat-based systems (already included in the Step 2 command):
yum install -y mod_auth_gssapi
Step 4: Configure the Active Directory domain in the Kerberos configuration file:
- Open and edit the krb5.conf file. On RHEL/CentOS the path is /etc/krb5.conf.
- Navigate to the [libdefaults] section and add the following:
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
- Navigate to the [realms] section and add the following:
EXAMPLE.COM = {
kdc = <DNS name of your domain controller>:88
admin_server = <DNS name of your domain controller>:749
}
- Navigate to the [domain_realm] section and add the following:
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
- Save the file.
Note: Replace <DNS name of your domain controller> with the DNS name (or IP address) of your AD domain controller, and EXAMPLE.COM with your Active Directory domain name, in uppercase. With dns_lookup_kdc = true the client can also find domain controllers through the _kerberos._tcp.example.com SRV records that Active Directory publishes, so the kdc line acts as a fixed fallback. The KDC listens on port 88; admin_server is only used by kadmin-style tools and can be omitted for Active Directory. Ensure that port 88 on the AD Domain Controller is reachable from this server over both UDP and TCP. You can confirm the configuration and the keytab together with kinit -kt /etc/httpd/spn.keytab HTTP/<Server Host Name>@EXAMPLE.COM followed by klist.
Step 5: Configure Kerberos SSO for the site directory:
- Edit the host configuration file /etc/httpd/conf/httpd.conf, or the virtual host file of the site under /etc/httpd/conf.d/.
- Add one of the following sections, for the directory of the site, according to the Apache module installed in Step 3 (mod_auth_kerb or mod_auth_gssapi).
- After this configuration, restart Apache (sudo systemctl restart httpd) for the changes to take effect.
1. For mod_auth_kerb:
<Directory "/placeholder">
AuthType Kerberos
KrbAuthRealms EXAMPLE.COM
KrbServiceName HTTP/<Server Host Name>
Krb5Keytab <PATH TO KEYTAB>
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user
</Directory>
2. For mod_auth_gssapi (the package drops its own LoadModule file into /etc/httpd/conf.modules.d/, so the line below only takes effect if the module is not already loaded):
<IfModule !mod_auth_gssapi.c>
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so
</IfModule>
<Directory "/placeholder">
AuthType GSSAPI
AuthName "Kerberos auth"
GssapiBasicAuth On
GssapiCredStore keytab:<PATH TO KEYTAB>
GssapiLocalName On
Require valid-user
</Directory>
Note: KrbMethodK5Passwd on and GssapiBasicAuth On let a client that has no ticket fall back to Basic authentication, with the password validated against the KDC. The password crosses the network only base64-encoded, so serve the site over HTTPS only, or set these to off to require a Kerberos ticket.
The following are the components of the above configuration:
EXAMPLE.COM: | The Active Directory domain as configured in krb5.conf. |
PATH TO KEYTAB: | Accessible path to the keytab on this server (/etc/httpd/spn.keytab). |
"/placeholder": | Path to the document root of the site. |
Troubleshooting:
These are the most common error messages in the Apache error log, with their usual causes:
gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied).
- Apache cannot read the keytab. Check the path given in Krb5Keytab or GssapiCredStore, and the file's owner and mode (the user running Apache needs read access). On SELinux-enforcing hosts, check /var/log/audit/audit.log for a denial on the keytab.
gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found).
- The keytab has no key for the principal Apache is looking for. Compare the output of klist -kt <PATH TO KEYTAB> with HTTP/<Server Host Name>@EXAMPLE.COM: the host name must be the one in the URL, the realm must be uppercase, and the kvno must match the account in AD (each ktpass run changes it, so redeploy the newest keytab).
Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration. gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
- The browser did not obtain a Kerberos ticket and fell back to NTLM. Usual causes: the client machine is not domain-joined or the user is not logged in with a domain account; the site is not in the browser's Local intranet (or trusted) zone for integrated authentication; the SPN HTTP/<Server Host Name> is missing from, or duplicated on another account in, Active Directory; or the site is accessed by IP address or by a host name that has no SPN.
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ).
- Generic ticket-validation failure. Check the clock difference between the web server, the domain controller and the client (Kerberos tolerates 5 minutes by default), that the realm in krb5.conf matches the AD domain, and that the ticket was issued for the same SPN and key version as the key in the keytab.
FAQs
Can I use an existing LDAP user as a Kerberos service principal?
Yes, you can use an existing LDAP user as a Kerberos service principal. However, this user must have its password set to never expire, because a password change invalidates the keytab. Make sure the account is not used by any person: the application uses it as the Kerberos service principal, with the corresponding keytab, to accept Kerberos tickets.
What is a "Kerberos client", "Kerberos server", and "application server"?
All authentication in Kerberos occurs between clients and servers. Any entity that receives a service ticket for a Kerberos service is referred to as a "Kerberos client" in Kerberos terminology. Users are usually the clients, but any principal can be one.
The Key Distribution Center (KDC) is what is usually meant by "Kerberos server". The KDC implements both the Authentication Service (AS) and the Ticket Granting Service (TGS), and it holds the long-term key of every principal; in an Active Directory domain the domain controller is the KDC. Because of this, the KDC must be secured as tightly as possible.
The term "application server" refers to Kerberized software that clients interact with while authenticating using Kerberos tickets. An example of an application server is the Kerberos telnet daemon; the Apache server configured above is another.
Why am I getting a prompt to enter my credentials?
This happens when the browser does not present a Kerberos ticket and falls back to NTLM or Basic authentication instead.
This may occur for several reasons:
- Check that you are using a domain-joined machine, logged in with a domain account, to access the website.
- Make sure the time is synchronized between the domain controller, the web server and the client (Kerberos rejects tickets with more than 5 minutes of clock skew by default).
- Confirm that your browser settings and Internet options are configured for Kerberos SSO: the site must be in the Local intranet (or trusted) zone with integrated authentication enabled, and it must be accessed by the host name in the SPN, not by IP address.
- If you are still facing this issue, feel free to contact us.
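The "received token seems to be NTLM" warning in the Troubleshooting section and the credential prompt in this FAQ have the same root cause: the browser never obtained a Kerberos ticket. The following added Python example, which is not part of this guide and not the plugin's or Apache's code, decodes the Authorization header a client sent and reports which mechanism it actually used: a raw NTLMSSP message inside "Negotiate" (what a Windows browser sends when it has no ticket), SPNEGO with Kerberos or with NTLM as the preferred mechanism, raw Kerberos, or Basic. The sample headers, including the NTLM Type 1 message and the SPNEGO tokens, are constructed for the demonstration, not captured from a real client.

```python
"""Tell Kerberos, SPNEGO, NTLM and Basic apart in an HTTP Authorization header.

Added example for this guide (not the plugin's or Apache's code). The sample
headers below are constructed, not captured.
"""
import base64
import binascii

SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"


def _der(tag: int, content: bytes) -> bytes:
    """Encode a DER TLV with a short-form length (content shorter than 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _der_len(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


MECH_NAMES = {_der(0x06, KRB5_OID): "krb5", _der(0x06, MS_KRB5_OID): "ms-krb5",
              _der(0x06, NTLMSSP_OID): "ntlmssp"}


def classify_token(token: bytes) -> str:
    """Classify a base64-decoded Negotiate token by its leading bytes."""
    if token.startswith(NTLM_SIGNATURE):
        # NTLMSSP message type (1 = negotiate, 3 = authenticate), little-endian at offset 8
        return "ntlm-type%d" % int.from_bytes(token[8:12], "little")
    if token[:1] != b"\x60":            # GSS-API InitialContextToken is [APPLICATION 0]
        return "unknown"
    _, pos = _der_len(token, 1)
    if token[pos:pos + 1] != b"\x06":
        return "unknown"
    oid_len, pos = _der_len(token, pos + 1)
    oid, rest = token[pos:pos + oid_len], token[pos + oid_len:]
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if oid != SPNEGO_OID:
        return "gss-unknown-mech"
    # In NegTokenInit the mechTypes list comes first, so the first mech OID found
    # is the client's preferred mechanism: krb5 when it holds a ticket, ntlmssp when not.
    hits = [(rest.find(enc), name) for enc, name in MECH_NAMES.items() if enc in rest]
    return "spnego/" + (min(hits)[1] if hits else "none")


def classify_authorization_header(value: str) -> str:
    """Classify the value of an HTTP Authorization header."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "ntlm"):
        return scheme
    if scheme != "negotiate":
        return "other:" + scheme
    try:
        token = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "negotiate/malformed"
    return "negotiate/" + classify_token(token)


def build_spnego_init(mechs) -> bytes:
    """Build a minimal SPNEGO NegTokenInit carrying only mechTypes (test data)."""
    mech_list = _der(0x30, b"".join(_der(0x06, m) for m in mechs))
    neg_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + neg_init)


# Constructed samples: an NTLM Type 1 message (browser without a ticket), SPNEGO
# preferring Kerberos (ticket in hand), SPNEGO preferring NTLM, and the Basic
# fallback that KrbMethodK5Passwd / GssapiBasicAuth accept.
SAMPLE_HEADERS = {
    "no_ticket": "Negotiate " + base64.b64encode(
        NTLM_SIGNATURE + (1).to_bytes(4, "little") + bytes.fromhex("078208a2") + bytes(24)).decode(),
    "ticket": "Negotiate " + base64.b64encode(
        build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])).decode(),
    "ntlm_preferred": "Negotiate " + base64.b64encode(
        build_spnego_init([NTLMSSP_OID, KRB5_OID])).decode(),
    "password_fallback": "Basic " + base64.b64encode(b"alice:not-a-real-password").decode(),
}


def classify_samples():
    """Classify every constructed sample header."""
    return {name: classify_authorization_header(v) for name, v in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print("%-18s %s" % (name, result))
```

To use it on a real request, log the Authorization header with a LogFormat containing %{Authorization}i on a test virtual host (the header carries credentials, so do this only while debugging) and pass the logged value to classify_authorization_header(). A result of negotiate/ntlm-type1 or negotiate/spnego/ntlmssp means the client-side causes listed above apply; negotiate/spnego/krb5 or ms-krb5 with a failure in the Apache log points instead at the keytab, SPN or clock on the server side.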