Midgard: Kerberos single sign

a1101 2012-05-17

展开全文

Kerberos single sign-on with Active Directory

GSS failure "Key version number for principal in key table is incorrect"

Kerberos authentication is a third party authentication mechanism supported by Midgard. It allows users to log in to Midgard using their LDAP or Active Directory accounts. In Kerberos authentication users may log in to Midgard in the normal way or using single sign-on method.

Basic kerberos configuration on midgard server

Install mod_auth_kerb.

Configure /etc/krb5.conf

[libdefaults]
    default_realm = KERBEROS.REALM

[domain_realm]
    apache.server.fqdn = KERBEROS.REALM

[realms]
    KERBEROS.REALM = {
        kdc = kdc.kerberos.realm
        }

Test configuration

$ kinit username
$ klist

If you get ticket from the kerberos server, you should be fine to continue. Otherwise you might find the troubleshooting section, in the end of this document, useful.

Creating keytab for single sign-on

First you must create a user account on the kerberos domain controller server. The user account must not be disabled and the password must stay the same. Otherwise you might need to recreate the keytab. In this example the user account name is "apache_server" and has password "apache_password".

Windows Server 2003:

C:\Program Files\Support Tools>ktpass -princ HTTP/apache.server.fqdn@KERBEROS.REALM -mapuser apache_server -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass apache_password -out name.keytab

Windows Server 2000 (not tested):

C:\Program Files\Support Tools>ktpass -princ HTTP/apache.server.fqdn@KERBEROS.REALM -mapuser dummyuser -crypto DES-CBC-MD5 -pass password -out name.keytab

Install support tools to optain ktpass.exe. After creating the keytab you propably need to reset the password because of the new crypto type. You need to use the same password.

apache.server.fqdn = the site url you are going to use. The url must be resolvable by the kerberos and midgard server to the midgard server ip-address.

Place the keytab file on the midgard server and give apache user read rights to the file.

Test the keytab:

$ kinit -k -t /etc/name.keytab HTTP/apache.server.fqdn
$ klist

If you get ticket from the kerberos server, you should be fine to continue. Otherwise you might find the troubleshooting section, in the end of this document, useful.

Configuring midgard vhost

Below is a configuration for a kerberos SingleSignOn authentication which fallbacks to a kerberos password authentication.

Servername apache.server.fqdn
MidgardAuthType trusted

<Location "/">
    AuthName "Kerberos Authentication"
    AuthType Kerberos
    KrbAuthRealms KERBEROS.REALM
    Krb5Keytab /etc/name.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    Order Allow,Deny
    # Allow cron scripts etc from local machine
    Allow from localhost
    Allow from apache.server.fqdn
    # Require kerberos for others
    Require valid-user
    Satisfy any
</Location>

Browser support for single sign-on

Firefox:

Go to about:config edit network.negotiate-auth.trusted-uris and add http(s)://(site)

IE6:

Add the site to trusted sites. Make sure that "Enable Integrated Windows Authentication" is on

Troubleshooting and useful links

In midgard server the site url must be /etc/hosts as a first entry for the ip in question:

172.0.0.1       locahost.localdomain localhost
'ip-address'    apache.server.fqdn apache

The midgard server must be in same time with the kerberos server. You can use ntp or ntpdate for this.

GSS failure "Key version number for principal in key table is incorrect"

If you reset the password after creating the keytab you will need to create a new one, even if kinit does not complain the Kerberos server will refuse to serve authentication requests for the "old" keytab.

Links: