Kerberos single sign-on with Active Directory
Kerberos authentication is a third-party authentication mechanism supported by Midgard. It allows users to log in to Midgard with their LDAP or Active Directory accounts. With Kerberos authentication users may log in to Midgard in the normal way or via single sign-on.

Basic Kerberos configuration on the Midgard server

Install mod_auth_kerb. Configure /etc/krb5.conf.
Test configuration
If you get a ticket from the Kerberos server, you should be fine to continue. Otherwise you might find the troubleshooting section at the end of this document useful.

Creating a keytab for single sign-on

First you must create a user account on the Kerberos domain controller. The account must not be disabled and its password must stay the same; otherwise you will need to recreate the keytab. In this example the user account name is "apache_server" and its password is "apache_password".

Windows Server 2003:
Windows Server 2000 (not tested):
Install the Support Tools to obtain ktpass.exe. After creating the keytab you probably need to reset the password because of the new crypto type; use the same password. apache.server.fqdn is the site URL you are going to use. The name must resolve, on both the Kerberos server and the Midgard server, to the Midgard server's IP address. Place the keytab file on the Midgard server and give the apache user read rights to it.

Test the keytab:
If you get a ticket from the Kerberos server, you should be fine to continue. Otherwise you might find the troubleshooting section at the end of this document useful.

Configuring the Midgard vhost

Below is a configuration for Kerberos single sign-on authentication which falls back to Kerberos password authentication.
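The server-side sequence described above (krb5.conf, keytab placement and test, mod_auth_kerb vhost with password fallback) as one shell script. This is an added example, not Midgard's own documentation or configuration: the realm EXAMPLE.COM, domain controller dc1.example.com, site midgard.example.com, keytab path, apache user www-data and document root are assumed names, and only the mod_auth_kerb directive names are the module's own.

```shell
#!/bin/sh
# Added example (not Midgard's own documentation or code): renders the two
# server-side files this page leaves out, /etc/krb5.conf and the mod_auth_kerb
# vhost, installs the keytab and verifies it. Every name is an assumption:
# realm EXAMPLE.COM, domain controller dc1.example.com, site
# midgard.example.com, keytab /etc/apache2/midgard.keytab, apache user
# www-data, document root /var/www/midgard.
set -eu

# /etc/krb5.conf pointing the Midgard server at the AD domain controller.
# usage: render_krb5_conf REALM KDC_FQDN
render_krb5_conf() {
    realm=$1; kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    # 300 s is the library default; AD rejects requests outside it
    clockskew = 300

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# The keytab itself is produced on the domain controller with ktpass.exe; the
# invocation matching the names above (assumed, not taken from the page) is:
#   ktpass -princ HTTP/midgard.example.com@EXAMPLE.COM -mapuser apache_server
#          -pass apache_password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
#          -out midgard.keytab
# Copy the file over, then install it readable by the apache user only: the
# keytab is the service's long-term key, so nothing else should read it.
# usage: install_keytab SRC DEST APACHE_USER
install_keytab() {
    install -o "$3" -g "$3" -m 0400 "$1" "$2"
}

# Ticket test. Without a keytab this is the "Test configuration" step (kinit
# prompts for the user's password); with one it is the keytab test, which
# proves principal name, key version and encryption type match the account.
# usage: verify_ticket PRINCIPAL [KEYTAB]
verify_ticket() {
    if [ $# -ge 2 ]; then kinit -k -t "$2" "$1"; else kinit "$1"; fi
    klist
}

# mod_auth_kerb vhost: Negotiate (single sign-on) first, Kerberos password
# prompt as the fallback. KrbVerifyKDC makes Apache check the TGT obtained
# during password authentication against its own keytab, so a spoofed KDC
# cannot log users in.
# usage: render_vhost SITE_FQDN REALM KEYTAB DOCROOT
render_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $4
    <Location />
        AuthType Kerberos
        AuthName "Midgard ($2)"
        KrbAuthRealms $2
        KrbServiceName HTTP
        Krb5Keytab $3
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbVerifyKDC On
        KrbSaveCredentials Off
        Require valid-user
    </Location>
</VirtualHost>
EOF
}

# Apply everything only when asked for explicitly (needs root and krb5 tools).
if [ "${MIDGARD_SSO_APPLY:-0}" = 1 ]; then
    render_krb5_conf EXAMPLE.COM dc1.example.com > /etc/krb5.conf
    install_keytab ./midgard.keytab /etc/apache2/midgard.keytab www-data
    verify_ticket HTTP/midgard.example.com@EXAMPLE.COM /etc/apache2/midgard.keytab
    render_vhost midgard.example.com EXAMPLE.COM /etc/apache2/midgard.keytab \
        /var/www/midgard > /etc/apache2/sites-available/midgard.conf
fi
```

Run with MIDGARD_SSO_APPLY=1 as root on the Midgard server once the keytab has been copied there; without that variable the script only defines the functions, so the renderers can be called individually to inspect the generated files first.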
Browser support for single sign-on

Firefox: go to about:config, edit network.negotiate-auth.trusted-uris and add http(s)://(site).
IE6: add the site to Trusted Sites and make sure that "Enable Integrated Windows Authentication" is on.

Troubleshooting and useful links

On the Midgard server the site URL must be the first entry for the IP in question in /etc/hosts:
The Midgard server's clock must be in sync with the Kerberos server. You can use ntp or ntpdate for this.

GSS failure "Key version number for principal in key table is incorrect"

If you reset the password after creating the keytab you will need to create a new one: even if kinit does not complain, the Kerberos server will refuse to serve authentication requests for the "old" keytab.
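The three troubleshooting causes above (wrong /etc/hosts ordering, clock skew, stale key version number) as offline checks in shell. This is an added example and not part of the original document: the hosts file contents, timestamps, principal and the shapes of the klist -k and kvno output are constructed for the demo; the 300 second tolerance is the Kerberos library's default clockskew.

```shell
#!/bin/sh
# Added example, not from the Midgard documentation: offline checks for the
# three failure causes the troubleshooting section lists. Host names, IPs and
# the sample command output below are constructed; only the 300 s tolerance
# is the Kerberos library default clockskew.
set -eu

# 1. /etc/hosts: the site FQDN must be the first name on the first line for
#    the server's IP, because that is the canonical name the resolver returns
#    and therefore the HTTP/<fqdn> principal Apache looks up in the keytab.
# usage: hosts_first_name_ok IP FQDN < /etc/hosts
hosts_first_name_ok() {
    while read -r ip name _rest; do
        case $ip in ''|'#'*) continue ;; esac
        if [ "$ip" = "$1" ]; then
            if [ "$name" = "$2" ]; then return 0; else return 1; fi
        fi
    done
    return 1    # no line for that IP at all
}

# 2. Clock skew: the KDC rejects requests whose timestamp differs from its own
#    by more than clockskew (300 s by default). Feed it two epoch values, e.g.
#    $(date +%s) and the KDC time reported by `ntpdate -q dc1.example.com`.
# usage: clock_skew_ok LOCAL_EPOCH KDC_EPOCH [MAX_SECONDS]
clock_skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -le "${3:-300}" ]
}

# 3. Key version number: the kvno stored in the keytab must equal the kvno the
#    KDC now issues for the principal. Resetting the account password bumps
#    the KDC side, which is exactly the "Key version number for principal in
#    key table is incorrect" failure; kinit -k -t still succeeds against the
#    old key, so compare the numbers instead of trusting kinit.
# usage: klist -k -t KEYTAB | keytab_kvno PRINCIPAL
keytab_kvno() {
    awk -v p="$1" '$NF == p { print $1; exit }'
}
# usage: kvno PRINCIPAL | kdc_kvno      (output form: "PRINC: kvno = N")
kdc_kvno() {
    awk -F'= *' '/kvno = / { print $2; exit }'
}
# usage: kvno_matches KEYTAB_KVNO KDC_KVNO
kvno_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# --- constructed sample data (not real output from any host) ---------------
sample_hosts_good() {
    printf '%s\n' '127.0.0.1 localhost' \
        '10.0.0.5 midgard.example.com midgard'
}
sample_hosts_bad() {    # short name first: the principal lookup will miss
    printf '%s\n' '127.0.0.1 localhost' \
        '10.0.0.5 midgard midgard.example.com'
}
sample_klist_k() {      # shape of `klist -k -t /etc/apache2/midgard.keytab`
    printf '%s\n' 'Keytab name: FILE:/etc/apache2/midgard.keytab' \
        'KVNO Timestamp           Principal' \
        '---- ------------------- ------------------------------------' \
        '   3 01/02/2014 10:15:00 HTTP/midgard.example.com@EXAMPLE.COM'
}
sample_kvno_after_reset() {    # `kvno` output once the password was reset
    printf '%s\n' 'HTTP/midgard.example.com@EXAMPLE.COM: kvno = 4'
}

# Demo over the constructed data; returns 0 when every check behaves as
# expected (good hosts file passes, bad one fails, 2 min skew ok, 15 min
# refused, keytab kvno 3 against KDC kvno 4 flagged as stale).
run_demo() {
    sample_hosts_good | hosts_first_name_ok 10.0.0.5 midgard.example.com || return 1
    if sample_hosts_bad | hosts_first_name_ok 10.0.0.5 midgard.example.com; then return 1; fi
    clock_skew_ok 1400000000 1400000120 || return 1
    if clock_skew_ok 1400000000 1400000900; then return 1; fi
    kt=$(sample_klist_k | keytab_kvno HTTP/midgard.example.com@EXAMPLE.COM)
    kdc=$(sample_kvno_after_reset | kdc_kvno)
    if kvno_matches "$kt" "$kdc"; then return 1; fi
    echo "keytab kvno $kt, KDC kvno $kdc: recreate the keytab"
}
run_demo
```

On a live server replace the sample functions with the real commands: `hosts_first_name_ok 10.0.0.5 midgard.example.com < /etc/hosts`, `klist -k -t /etc/apache2/midgard.keytab | keytab_kvno HTTP/midgard.example.com@EXAMPLE.COM` and `kvno HTTP/midgard.example.com@EXAMPLE.COM | kdc_kvno` (the latter needs a valid ticket in the cache first).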