Setup Kerberos/NTLM SSO with Apache on Windows

Step-by-step guidelines for setting up Kerberos authentication on Windows with Apache. Learn how to configure Kerberos for secure and seamless user authentication, including the initial setup, server settings and browser configuration.


  • Open a Command Prompt in Administrator mode.
  • Execute the following command to add a Service Principal Name (SPN) for the service account:
  • setspn -S HTTP/<computer-name>.<domain-name> <domain-user-account>

    Example: C:\Users\Administrator> setspn -S HTTP/machinename.domain.com service_account

    Note: "machinename.domain.com" here is the computer name (FQDN) of the web server. Make sure it is resolvable on the Windows server running the AD service.


  • Verify that the SPN has been set correctly by running the following command:
  • setspn -L domain\service_account
  • The result should list HTTP/machinename.domain.com.
  • Open Active Directory Users and Computers and from the top menu select View >> Advanced features.
  • Open the service account and go to the attribute editor tab, browse to the servicePrincipalName to verify the SPN entry.
  • Navigate to the Delegation tab.
  • Select Trust this user for delegation to any service (Kerberos only).
  • Click Apply.
  • Download the mod_authnz_sspi Apache module package.
  • Copy mod_authnz_sspi.so from the Apache24 > modules folder of the download and place it in the modules directory of your XAMPP Apache installation (C:\xampp\apache\modules).
  • Copy sspipkgs.exe from the Apache24 > bin folder and place it in the bin folder of your XAMPP Apache installation (.....\xampp\apache\bin) on your web server.
  • Open httpd.conf (.....\xampp\apache\conf) and add the following line in the LoadModule section:
  • LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
  • Make sure that the following modules are uncommented:
  • LoadModule authn_core_module modules/mod_authn_core.so
    LoadModule authz_core_module modules/mod_authz_core.so

  • Also, make sure the LDAP extension is enabled.
  • Open the httpd.conf file (.....\xampp\apache\conf\httpd.conf), locate the <Directory> block for your htdocs folder, comment out the Require all granted line and paste the lines below after it, as shown:
  • <Directory "...../xampp/htdocs">
    ......
    ......
    #Require all granted
    AllowOverride None
    Options None
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    Require valid-user
    </Directory>

  • Restart your Apache Server.
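As an added example (not code from the original page or from the mod_authnz_sspi project), the following Python script audits an httpd.conf for the steps above: the three LoadModule lines and the SSPI directives in the htdocs <Directory> block. It also flags a Require all granted line left uncommented next to Require valid-user, because Apache 2.4 treats sibling Require lines as an implicit <RequireAny>, which would leave the site open to anonymous users. The sample configurations are constructed; the docroot path is the one used on this page.

```python
import re

REQUIRED = [("authtype", "sspi"), ("sspiauth", "on"), ("require", "valid-user")]   # compared lower-cased
MODULES = ("authnz_sspi_module", "authn_core_module", "authz_core_module")

def parse_httpd_conf(text):
    """Return (loaded module names, {directory path: [(directive, args), ...]}) from active lines only."""
    loaded, blocks, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):           # a commented-out directive is not active
            continue
        if m := re.match(r'LoadModule\s+(\S+)', line, re.I):
            loaded.add(m.group(1))
        elif m := re.match(r'<Directory\s+"?([^">]+?)"?\s*>', line, re.I):
            current = m.group(1).replace("\\", "/").rstrip("/")
            blocks.setdefault(current, [])
        elif re.match(r'</Directory>', line, re.I):
            current = None
        elif current is not None:
            name, *rest = line.split()                 # split() also normalises inner whitespace
            blocks[current].append((name.lower(), " ".join(rest).lower()))
    return loaded, blocks

def audit_sspi_setup(text, docroot):
    """List problems with the SSPI protection of docroot; an empty list means the setup matches the page."""
    loaded, blocks = parse_httpd_conf(text)
    findings = [f"LoadModule {m} missing or commented out" for m in MODULES if m not in loaded]
    directives = blocks.get(docroot.replace("\\", "/").rstrip("/"))
    if directives is None:
        return findings + [f"no <Directory> block for {docroot}"]
    findings += [f"{n} {v} missing in <Directory {docroot}>" for n, v in REQUIRED if (n, v) not in directives]
    if ("require", "all granted") in directives:
        # Sibling Require lines form an implicit <RequireAny>, so "all granted" satisfies it for everyone.
        findings.append("Require all granted is still active: anonymous access is allowed despite Require valid-user")
    return findings

# Constructed sample: the page's block with the SSPI LoadModule still commented out and Require all granted active.
WEAK_CONF = """LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
<Directory "C:/xampp/htdocs">
    Require all granted
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    Require valid-user
</Directory>
"""
FIXED_CONF = WEAK_CONF.replace("#LoadModule authnz", "LoadModule authnz").replace("    Require all", "    #Require all")
```

Run audit_sspi_setup(open("httpd.conf").read(), r"C:\xampp\htdocs") against your own file after editing it; an empty list means the configuration matches the steps above.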

Note: The client-side configuration enables the browser to use SPNEGO to negotiate Kerberos authentication. You must make sure that the browser on each end user's system is configured to support Kerberos authentication.

General Kerberos SSO Configuration for all Browsers:

  • Go to Control Panel and click Network and Internet >> Internet Options.
  • This opens the Internet Properties window. Click Security >> Local intranet >> Sites.
  • Then click the Advanced button.
  • In the Add this website to the zone section, add the URL of the website you wish to log in to with SSO.
  • Click Tools > Internet Options > Security > Local intranet > Custom Level.
  • Scroll down to the User Authentication options and select Automatic logon only in Intranet zone.
  • Click OK and then restart your browser.

Once the above settings are in place, no further browser configuration is needed for Internet Explorer, Google Chrome and Apple Safari.

Internet Explorer:

The general browser configuration settings above apply; no additional settings are required for Internet Explorer.

Google Chrome:

The general browser configuration settings above apply; no additional settings are required for Google Chrome.

Mozilla Firefox:

  • Open Mozilla Firefox and enter about:config in the address bar.
  • Search for the network.negotiate-auth.trusted-uris preference, click Edit and enter the hostname or domain of the web server that is protected by Kerberos HTTP SPNEGO. Separate multiple domains and hostnames with commas.
  • Search for the network.automatic-ntlm-auth.trusted-uris preference, click Edit and enter the hostname or domain of the web server that is protected by Kerberos HTTP SPNEGO. Separate multiple domains and hostnames with commas.
  • Click OK and then restart your browser.

Apple Safari:

Safari on Windows supports SPNEGO with no further configuration. It supports both Kerberos and NTLM as sub-mechanisms of SPNEGO.


Yes, you can use an existing LDAP user as the Kerberos service principal. However, this user must have a password that is set to never expire. Make sure this account is not used by any person, because the application uses it as the Kerberos service principal and uses the corresponding keytab to obtain a Kerberos ticket.

All authentication in Kerberos occurs between clients and servers. Therefore, any entity that receives a service ticket for a Kerberos service is referred to as a "Kerberos client" in Kerberos terminology. Users are usually the clients, but any principal can be one.
The Key Distribution Center, or KDC for short, is typically referred to as the "Kerberos server". Both the Authentication Service (AS) and the Ticket Granting Service (TGS) are implemented by the KDC. The KDC stores the password (key) of every principal. Because of this, it is essential that the KDC be kept as secure as possible.
The phrase "application server" refers to Kerberized software that clients interact with while authenticating using Kerberos tickets. An example of an application server is the Kerberos telnet daemon.

This happens when the NTLM protocol is used for authentication instead of Kerberos.
It may occur for several reasons:

  • Check that you are using a domain-joined machine to access the website.
  • Make sure the time is synchronized between the LDAP server and the web server.
  • Confirm that your browser settings and Internet Options are configured for Kerberos SSO.
  • If you are still facing this issue, feel free to contact us.
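To tell whether a browser has fallen back to NTLM, as described above, decode the initial Authorization header it sends after the 401: a Negotiate token is a DER-encoded SPNEGO NegTokenInit whose mechTypes list names the client's preferred mechanism first, while a raw NTLM message starts with the bytes "NTLMSSP". The following Python helper is an added example, not code from the original page or from miniOrange; the sample tokens it builds are constructed, not captured.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2 (DER content bytes)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2, Windows Kerberos
KERBEROS_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {MS_KRB5_OID: "Kerberos (MS KRB5)", KERBEROS_OID: "Kerberos", NTLMSSP_OID: "NTLMSSP"}

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content into its (tag, content) children."""
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def classify_negotiate(header_value):
    """Name the mechanism a browser offered first in its initial Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    if scheme.lower() == "ntlm" or token.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw, no SPNEGO)"        # the browser skipped Negotiate entirely
    tag, body, _ = der_read(token)
    if tag != 0x60 or der_children(body)[0] != (0x06, SPNEGO_OID):
        return "unknown"
    neg_token_init = der_children(der_children(body)[1][1])[0][1]   # [0] NegTokenInit -> SEQUENCE
    for tag, val in der_children(neg_token_init):
        if tag == 0xA0:                        # [0] mechTypes: SEQUENCE OF OID, most preferred first
            mechs = [v for t, v in der_children(der_children(val)[0][1]) if t == 0x06]
            if mechs:
                return "SPNEGO preferring " + MECH_NAMES.get(mechs[0], mechs[0].hex())
    return "unknown"

def der(tag, content):  # short-form DER TLV (content under 128 bytes), only for building constructed samples
    return bytes([tag, len(content)]) + content

def build_sample_header(mech_oids):
    """Construct a minimal Negotiate header with the given mechTypes order (constructed, not a real capture)."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    mech_token = der(0xA2, der(0x04, b"\x00" * 8))    # placeholder where a real AP-REQ or NTLM message would sit
    token = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, mech_types + mech_token)))
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of NTLMSSP or raw NTLM means the browser never obtained a Kerberos ticket for the SPN, which points back at the SPN registration, time synchronization and intranet-zone checks listed above.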
