Apache Single Sign On in Windows

In this post I explain a rather unusual setup that we recently implemented for a customer: Apache single sign-on against an Active Directory Server. That in itself is not unusual; the exceptional requirement is that Apache runs on a Windows server rather than on a Linux server.

For Apache on Windows there is no precompiled Kerberos module available, so we compiled it ourselves. Read on to find out how we configured the whole setup.

Please leave a comment on this page and tell us what you think. If we can be of any help let us know!

The Environment
  • Windows Server, Active Directory Server (ADS)
    in this document I will refer to this server as ADS.your.domain@your.domain
  • Windows Server, Apache 2.2
    in this document I will refer to this server as APACHE.your.domain@your.domain
  • Windows Client, e.g. Windows 7

When I write your.domain, then replace it with the domain name your ADS is configured for.
When I write YOUR.DOMAIN, replace it with your domain name all in caps.

Create technical Users in ADS
  • User „apachekerb“ is used by Apache when authenticating users against ADS using the Kerberos protocol.
  • User „apacheldap“ is used by Apache for LDAP queries.

When creating these users in ADS make sure „User must change password at next logon“ is unchecked and „Password never expires“ is checked.
Pick a password for both users. In this example I use „zx890as$%^“ for both.

Create Group in ADS

Create the ADS group „ApacheSSOAccess“. Add the users who may access the web server.

Create test Users in ADS

To test the configuration I create two user accounts. One that will be granted access and one that will be denied access:

  • „ssotestgranted@your.domain“ in group „ApacheSSOAccess“
  • „ssotestdenied@your.domain“ not in the group

 

Create a Kerberos token

Apache needs a keytab: a file holding the Kerberos key of its HTTP service principal, which it uses to validate the tickets that clients present. Execute the following command on the ADS host in a cmd shell. Be sure to replace APACHE.your.domain@your.domain with the name of the server Apache is installed on!

ktpass -princ HTTP/APACHE.your.domain@your.domain ^
       -mapuser apachekerb -crypto rc4-hmac-nt ^
       -ptype KRB5_NT_PRINCIPAL -pass "zx890as$%^" ^
       -out c:\apache.keytab

Later I will copy c:\apache.keytab to the Apache Server.
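
Before copying the file, it is worth confirming which principal, key version and encryption type ktpass actually wrote. The following parser for the MIT keytab file format (version 0x0502) is an added example, not part of the original post; the sample bytes are constructed, and the rc4-hmac-nt option from the command above appears as enctype 23, which the script marks as a legacy type.

```python
import struct

# Kerberos encryption type numbers; 1, 3 and 23 (DES, RC4) are legacy types.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY = {1, 3, 23}

def _counted(data, p):
    """Read a 16-bit length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (file format 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                 # zero length: no further entries
            break
        if size < 0:                  # negative length marks a deleted entry
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        _ntype, _time, kvno, etype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)   # key bytes are read but never exposed
        if end - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        "legacy": etype in LEGACY})
        pos = end
    return entries

def sample_keytab():
    """Constructed sample: one rc4-hmac entry for the page's placeholder SPN."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"your.domain") + s(b"HTTP") +
            s(b"APACHE.your.domain") + struct.pack(">IIBH", 1, 0, 3, 23) +
            s(bytes(16)) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    for entry in parse_keytab(sample_keytab()):
        print(entry)
```

To check a real file, pass `open(r"c:\apache.keytab", "rb").read()` to `parse_keytab` instead of the sample.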

1. Install apache 2.2

Get Apache 2.2 installer from here.
Note: you must use Apache 2.2 from the specified source, because our mod_auth_kerb is built specifically for this version. Download it here.

2. Install MIT Kerberos for Windows 4.0.1

Get the MIT Kerberos installer from here.

Choose installation type „Typical“.
Install location is C:\Program Files (x86)\MIT\Kerberos

3. Configure MIT Kerberos

Add the following to the empty file C:\ProgramData\MIT\Kerberos5\krb.ini:

[libdefaults]
                debug=true
                default_realm = YOUR.DOMAIN
                dns_lookup_kdc = false
                krb4_config = /etc/krb.conf
                krb4_realms = /etc/krb.realms
                kdc_timesync = 1
                ccache_type = 4
                forwardable = true
                proxiable = true

[realms]
                YOUR.DOMAIN = {
                        kdc = ADS.your.domain
                        admin_server = ADS.your.domain
                        default_domain = your.domain
                }

[domain_realm]
                .your.domain = YOUR.DOMAIN

[login]
                krb4_convert = true
                krb4_get_tickets = false

4. Copy apache.keytab into Apache2.2 conf directory

Now I copy the „apache.keytab“ file from the ADS to the Apache Server. The file needs to end up in „APACHE_HOME\conf\apache.keytab“.

5. Create authsso\index.php in document root

This folder is used to test SSO and authorization.

File: <APACHE DOCUMENT ROOT>\authsso\index.php
Content:

        <html>
         <head>
          <meta http-equiv="Pragma" content="no-cache" />
         </head>
         <body>
          <h1>Authenticated!</h1>
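          <?php // Either variable may be unset; HTML-encode the value before output. ?>
          REMOTE_USER: <?php echo htmlspecialchars(isset($_SERVER["REMOTE_USER"]) ? $_SERVER["REMOTE_USER"] : ""); ?><br />
          PHP_AUTH_USER: <?php echo htmlspecialchars(isset($_SERVER["PHP_AUTH_USER"]) ? $_SERVER["PHP_AUTH_USER"] : ""); ?><br />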
         </body>
        </html>

6. Copy Module mod_auth_kerb.so into Apache modules directory

From: C:\Users\Public\Downloads\mod_auth_kerb.so
To: \modules\mod_auth_kerb.so

Source: Schäuffelhut Berger GmbH

7. Update Apache Config

File: \conf\httpd.conf

Enable modules needed for authorization and authentication:

       LoadModule auth_kerb_module modules/mod_auth_kerb.so
       LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
       LoadModule authz_default_module modules/mod_authz_default.so

Append at the end of httpd.conf:

       # http://shib.ametsoc.org/manual/mod/mod_ldap.html
       # cache ldap results for 60 seconds
       LDAPCacheTTL   60
       LDAPOpCacheTTL 60

        <Location /authsso>
           AuthType KerberosV5
           AuthName "Kerberos Login"
           KrbAuthRealm your.domain
           KrbServiceName HTTP/APACHE.your.domain@your.domain

           # on windows Krb5Keytab only works for absolute paths!
           Krb5Keytab "<APACHE INSTALL DIR>\conf\apache.keytab"

           KrbMethodK5Passwd on
           KrbMethodNegotiate on

           AuthzLDAPAuthoritative on

           # find LDAP user by Kerberos userPrincipalName.
           AuthLDAPURL "ldap://ADS.your.domain/DC=your,DC=domain?userPrincipalName"

           # use Common Name as displayed in ADS
           AuthLDAPBindDN "cn=apacheldap,DC=your,DC=domain"
           AuthLDAPBindPassword "zx890as$%^"

           # use Common Name as displayed in ADS
           # no quotes around GROUP!
           Require ldap-group CN=ApacheSSOAccess,DC=your,DC=domain

           Satisfy All
        </Location>

8. Users that may access /authsso must be set up like ssotestgranted@your.domain

The account name must match the „User Principal Name“ for the LDAP lookup to succeed.
The account must be a member of the LDAP group ApacheSSOAccess.
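
With the whole procedure in place, the `<Location /authsso>` block from step 7 can be reviewed for three transport and secret-handling properties: whether the Kerberos password fallback is offered without TLS being required, whether the LDAP bind runs over plain `ldap://`, and whether the bind password sits in the config file. The checker below is an added example, not part of the original post; the finding names and the two sample configs are constructed, and it assumes no global `LDAPTrustedMode` directive is set elsewhere.

```python
import re

SECURE_LDAP_MODES = {"SSL", "TLS", "STARTTLS"}

def _check(d):
    """Return finding ids for one <Location> block (d maps directive -> args)."""
    if not d.get("authtype", "").lower().startswith("kerberos"):
        return []
    out = []
    # mod_auth_kerb leaves the password (Basic) fallback on unless it is set to off.
    fallback = d.get("krbmethodk5passwd", "on").lower() == "on"
    if fallback and "sslrequiressl" not in d:
        out.append("password-fallback-without-tls")
    m = re.match(r'"([^"]*)"|(\S+)', d.get("authldapurl", ""))
    if m:
        url = (m.group(1) or m.group(2)).lower()
        mode = d["authldapurl"][m.end():].strip().upper()
        if not url.startswith("ldaps://") and mode not in SECURE_LDAP_MODES:
            out.append("ldap-bind-in-cleartext")
    if "authldapbindpassword" in d:
        out.append("bind-password-in-config-file")
    return out

def audit(conf_text):
    """Map each <Location> path in conf_text to its list of findings."""
    results, loc, d = {}, None, {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<Location\s+(.+?)\s*>$", line, re.I)
        if opening:
            loc, d = opening.group(1).strip('"'), {}
        elif line.lower() == "</location>" and loc is not None:
            results[loc] = _check(d)
            loc = None
        elif loc is not None:
            parts = line.split(None, 1)
            d[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return results

# Constructed inputs: the page's block (trimmed) and a tightened variant of it.
PAGE_CONF = '''<Location /authsso>
  AuthType KerberosV5
  KrbMethodK5Passwd on
  KrbMethodNegotiate on
  AuthLDAPURL "ldap://ADS.your.domain/DC=your,DC=domain?userPrincipalName"
  AuthLDAPBindPassword "placeholder"
</Location>'''
TIGHTENED_CONF = (PAGE_CONF.replace("KrbMethodK5Passwd on", "KrbMethodK5Passwd off")
                  .replace("ldap://", "ldaps://"))

if __name__ == "__main__":
    print(audit(PAGE_CONF), audit(TIGHTENED_CONF), sep="\n")
```

The tightened variant still reports the bind password, because it remains in httpd.conf; read access to that file and to apache.keytab is the control for it.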

Conclusion

Getting this setup to work was a challenge but it was an interesting experience. I hope this blog post will help you. Please leave a comment if you have any suggestions or questions.