Ubuntu 22.04
Sponsored Link

Apache2 : Kerberos Authentication2022/05/10

 
Limit accesses on specific web pages and use Windows Active Directory users for authentication with SSL connection.
Windows Active Directory is required in your local network, refer to here.
This example is based on the environment like follows.
Domain Server : Windows Server 2022
Domain Name : srv.world
Hostname : fd3s.srv.world
NetBIOS Name : FD3S01
Realm : SRV.WORLD
[1]
[2] For example, set Kerberos Authentication under the [/var/www/html/auth-kerberos] directory.
root@www:~#
apt -y install libapache2-mod-auth-kerb
# specify Realm

 +------------------+ Configuring Kerberos Authentication +------------------+
 | When users attempt to use Kerberos and specify a principal or user name   |
 | without specifying what administrative Kerberos realm that principal      |
 | belongs to, the system appends the default realm.  The default realm may  |
 | also be used as the realm of a Kerberos service running on the local      |
 | machine.  Often, the default realm is the uppercase version of the local  |
 | DNS domain.                                                               |
 |                                                                           |
 | Default Kerberos version 5 realm:                                         |
 |                                                                           |
 | SRV.WORLD________________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
# specify Active Directory's hostname

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostnames of Kerberos servers in the FD3S.SRV.WORLD Kerberos    |
 | realm separated by spaces.                                                |
 |                                                                           |
 | Kerberos servers for your realm:                                          |
 |                                                                           |
 | fd3s.srv.world___________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+
 
# specify Active Directory's hostname

 +------------------+ Configuring Kerberos Authentication +------------------+
 | Enter the hostname of the administrative (password changing) server for   |
 | the FD3S.SRV.WORLD Kerberos realm.                                        |
 |                                                                           |
 | Administrative server for your Kerberos realm:                            |
 |                                                                           |
 | fd3s.srv.world___________________________________________________________ |
 |                                                                           |
 |                                  <Ok>                                     |
 |                                                                           |
 +---------------------------------------------------------------------------+

root@www:~#
vi /etc/apache2/sites-available/auth-kerberos.conf
# create new

<Directory /var/www/html/auth-kerberos>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Authntication"
    KrbAuthRealms SRV.WORLD
    KrbMethodNegotiate Off
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    Require valid-user
</Directory>

root@www:~#
a2ensite auth-kerberos

Enabling site auth-kerberos.
To activate the new configuration, you need to run:
  service apache2 reload

root@www:~#
systemctl reload apache2
# create a test page

root@www:~#
mkdir /var/www/html/auth-kerberos

root@www:~#
vi /var/www/html/auth-kerberos/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page for Kerberos Auth
</div>
</body>
</html>
[3] Access to the test page with Web browser on any Client Computer, then authentication is required for settings. Authenticate with an existing Active Directory user.
[4] That's OK if authentication passed and test page is shown normally.
Matched Content