Setup Kerberos/NTLM SSO with Apache on Windows
Overview
Step-by-step guidelines for setting up Kerberos authentication on Windows with Apache. Learn how to configure Kerberos for secure and seamless user authentication, including the initial setup, Apache settings and browser configuration.
SSO with Apache on Windows XAMPP Server:
- Open Command Prompt in Administrator mode.
- Execute the following command to add a Service Principal Name (SPN) for the service account:
  setspn -S http/<computer-name>.<domain-name> <domain-user-account>
  Example: C:\Users\Administrator> setspn -S HTTP/machinename.domain.com service_account
  Note: "machinename.domain.com" here is the computer name. Make sure it is resolvable from the Windows server running the AD service.
- Verify that the SPN has been set correctly by running the following command:
  setspn -L domain\service_account
- The result should list http/machinename.domain.com.
- Open Active Directory Users and Computers and, from the top menu, select View >> Advanced Features.
- Open the service account, go to the Attribute Editor tab and browse to the servicePrincipalName attribute to verify the SPN entry.
- Navigate to the Delegation tab.
- Select Trust this user for delegation to any service (Kerberos only).
- Click Apply.
- Download the Apache module (mod_authnz_sspi).
- Copy mod_authnz_sspi.so from the Apache24 > modules folder and place it in the modules directory (C:\xampp\apache\modules).
- Copy sspipkgs.exe from the Apache24 > bin folder and place it in the bin folder of your XAMPP Apache installation (.....\xampp\apache\bin) on your web server.
- Open httpd.conf (.....\xampp\apache\conf) and add the following line in the LoadModule section:
  LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
- Make sure that the following modules are uncommented:
  LoadModule authn_core_module modules/mod_authn_core.so
  LoadModule authz_core_module modules/mod_authz_core.so
- Also make sure the ldap extension is enabled.
- In the same httpd.conf file (.....\xampp\apache\conf\httpd.conf), locate the <Directory "...../xampp/htdocs"> section, comment out Require all granted and paste the lines below after it (each directive on its own line):
  <Directory "...../xampp/htdocs">
  ......
  ......
  #Require all granted
  AllowOverride None
  Options None
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  Require valid-user
  </Directory>
- Restart your Apache server.
Configure browsers for Kerberos SSO:
Note: The client-side configuration enables the respective browser to use SPNEGO to negotiate Kerberos authentication. You must make sure that the browser on each end user's system is configured to support Kerberos authentication.
General Kerberos SSO Configuration for all Browsers:
- Go to Control Panel and click Network and Internet >> Internet Options.
- This opens the Internet Properties window. Click Security >> Local intranet >> Sites.
- Then click the Advanced button.
- In the Add this website to the zone field, add the URL of the website you wish to log in to with SSO.
- Click Tools > Internet Options > Security > Local intranet > Custom Level.
- Scroll down to the User Authentication options and select Automatic logon only in Intranet zone.
- Click OK and then restart your browser.
Once the above settings are done, you do not need to configure browser settings separately for Internet Explorer, Google Chrome and Apple Safari.
- Internet Explorer
- Google Chrome
- Mozilla Firefox
- Apple Safari
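The same Local intranet zone settings can be applied from the registry, which is convenient when they have to be rolled out to many user profiles. The following PowerShell script is an added example and not part of the original guide; it assumes HostName is a placeholder for your web server's FQDN, that a two-label split (host / registrable domain) matches how Internet Explorer stores ZoneMap entries for names like machinename.domain.com, and that it is run as the end user, since these are HKCU settings.

```powershell
# Added example, not part of the original guide: apply the "Local intranet" zone settings
# described above for the current user via the registry instead of the Internet Options UI.
# Assumptions: HostName is a placeholder FQDN; the host/domain split below is the simple
# two-label form (machinename.domain.com -> domain.com \ machinename).
function Set-IntranetSsoSite {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet("http", "https")][string]$Scheme = "https"
    )

    $base     = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $zoneMap  = "$base\ZoneMap\Domains"
    $intranet = "$base\Zones\1"          # zone 1 = Local intranet

    # IE stores sites as ZoneMap\Domains\<domain>\<host> with one DWORD per scheme;
    # the DWORD data is the zone number the site is assigned to.
    $labels = $HostName.Split(".")
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }
    $domainPart = ($labels | Select-Object -Last 2) -join "."
    $hostPart   = ($labels | Select-Object -SkipLast 2) -join "."
    $siteKey = "$zoneMap\$domainPart"
    if ($hostPart) { $siteKey = "$siteKey\$hostPart" }

    New-Item -Path $siteKey -Force | Out-Null
    New-ItemProperty -Path $siteKey -Name $Scheme -PropertyType DWord -Value 1 -Force | Out-Null

    # "User Authentication > Logon" for the zone is value 1A00:
    #   0x00000 automatic logon with current user name and password
    #   0x10000 prompt for user name and password
    #   0x20000 automatic logon only in Intranet zone   (the option the guide selects)
    #   0x30000 anonymous logon
    Set-ItemProperty -Path $intranet -Name "1A00" -Type DWord -Value 0x20000

    # Read the settings back so the caller can confirm what was written.
    [pscustomobject]@{
        SiteKey = $siteKey
        Scheme  = $Scheme
        Zone    = (Get-ItemProperty -Path $siteKey).$Scheme
        Logon   = "0x{0:X}" -f (Get-ItemProperty -Path $intranet)."1A00"
    }
}

# Placeholder host name. The guide's examples use http; pass -Scheme http if the site is not served over TLS.
Set-IntranetSsoSite -HostName "machinename.domain.com"
```

Restart the browser after running it. Because Google Chrome on Windows reads the same zone settings, this single change also covers Chrome, as the guide notes above; mapping only the https scheme keeps the Negotiate token off plain-text connections.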
FAQs
Can I use an existing LDAP user as a Kerberos Service principal?
Yes, you can use an existing LDAP user as a Kerberos service principal. However, this user must have a password set to never expire. Make sure this account is not used by any person, because the application uses it as the Kerberos service principal and uses the corresponding keytab to obtain a Kerberos ticket.
What is a "Kerberos client", "Kerberos server", and "application server"?
All authentication in Kerberos occurs between clients and servers. Therefore, any entity that receives a service ticket for a Kerberos service is referred to as a "Kerberos client" in Kerberos terminology. Users are often considered clients, but any principal might be one.
The Key Distribution Center, or KDC for short, is typically referred to as the "Kerberos server". Both the Authentication Service (AS) and the Ticket Granting Service (TGS) are implemented by the KDC. Every password associated with every principal is stored in the KDC, so it is essential that the KDC be as secure as possible.
The phrase "application server" refers to Kerberized software that clients interact with, authenticating using Kerberos tickets. An example of an application server is the Kerberos telnet daemon.
Why am I getting a prompt to enter my credentials?
This happens when the NTLM protocol is used for authentication instead of Kerberos.
It may occur for several reasons:
- Check that you are using a domain-joined machine to access the website.
- Make sure the time is synchronized between the LDAP server and the web server.
- Confirm that your browser settings and Internet Options are configured for Kerberos SSO.
- If you are still facing this issue, feel free to contact us.
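The checks listed above can be run from the client that gets the credential prompt. The script below is an added example and not part of the original guide; it assumes HostName is a placeholder for the web server FQDN used in the SPN, that the client is a Windows domain member with the standard setspn, klist and w32tm tools, and that the tools print their English messages (the string matches are on those). It ties together the SPN registration from the setup steps and the three causes listed in this FAQ: it verifies domain membership, time synchronization with the domain, name resolution, that exactly one account holds HTTP/<host>, and that the LSA can obtain a service ticket for that SPN.

```powershell
# Added example, not part of the original guide: diagnose why a browser falls back from
# Kerberos to NTLM (and therefore prompts). Assumptions: HostName is a placeholder FQDN,
# the client is domain-joined, and setspn/klist/w32tm output is in English.
function Test-KerberosSsoPrereqs {
    param([string]$HostName = "machinename.domain.com")   # placeholder web server FQDN

    $result = [ordered]@{}

    # 1. Kerberos needs a domain-joined client, because the domain controller is the KDC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain
    $result.Domain       = $cs.Domain

    # 2. The KDC rejects requests when the clock skew exceeds the allowed limit (5 minutes
    #    by default), so confirm the client actually syncs time from the domain.
    $w32tm = w32tm /query /status 2>&1 | Out-String
    $result.TimeSource = (($w32tm -split "`r?`n") | Where-Object { $_ -match '^\s*Source:' }) -join ''
    $result.TimeSynced = ($w32tm -match 'Last Successful Sync Time:') -and
                         ($w32tm -notmatch 'Last Successful Sync Time:\s*unspecified')

    # 3. The browser builds the SPN from the name the user typed, so that name must resolve.
    try   { $result.NameResolves = @(Resolve-DnsName -Name $HostName -ErrorAction Stop).Count -gt 0 }
    catch { $result.NameResolves = $false }

    # 4. Exactly one account may hold HTTP/<host>. A missing SPN means no ticket can be
    #    issued; a duplicate SPN makes the KDC refuse as well. Either way the browser
    #    silently falls back to NTLM. setspn -Q prints one "CN=..." line per owner.
    $spnQuery = setspn -Q "HTTP/$HostName" 2>&1 | Out-String
    $owners = @(($spnQuery -split "`r?`n") | Where-Object { $_ -match '^CN=' })
    $result.SpnRegistered = $spnQuery -match 'Existing SPN found'
    $result.SpnOwners     = $owners.Count
    $result.SpnUnique     = ($owners.Count -eq 1)

    # 5. Ask the LSA for a service ticket directly. This exercises the same path the
    #    browser uses and shows whether the KDC will issue a ticket for the SPN at all.
    $klist = klist get "HTTP/$HostName" 2>&1 | Out-String
    $result.ServiceTicketIssued = $klist -match ("Server:\s*HTTP/" + [regex]::Escape($HostName))

    [pscustomobject]$result
}

# Placeholder host name; every property should be True (SpnOwners exactly 1) for SSO to work.
Test-KerberosSsoPrereqs -HostName "machinename.domain.com" | Format-List
```

Read the output from the top: a False in DomainJoined or TimeSynced explains a prompt before the SPN is even consulted, SpnOwners other than 1 points back to the setspn step of the setup, and ServiceTicketIssued False with everything else True usually means the name resolves to a host that differs from the registered SPN.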