HTTPS Kerberos authentication with Apache 2.4
So I wanted to put my shiny Kerberos server to some use on my network, and decided that I want some web services protected by Kerberos authentication. By doing so, I will automatically have access to those services from my local machine (because I get a Kerberos ticket upon local login, see my previous post). My web server will run Apache 2.4 on FreeBSD.
I start by installing Apache 2.4:
# portmaster www/apache24
The default settings work fine. I proceed with configuring Apache as usual, with SSL certificates and so on. Then we build the Kerberos module for Apache:
# portmaster www/mod_auth_kerb2
I use the Kerberos version from the base system. Choose whichever matches your setup.
Next, we need to generate a new keytab on the Kerberos server. The name must match the host the web server is running on. Thus, if your web server has the domain name web.example.com, the Kerberos principal should be HTTP/web.example.com. Move the keytab file somewhere safe; I put mine in /usr/local/etc/apache24/extra/.
Next, add the following directives to the <Location> or <Directory> you want to protect:
# Should have been added by default to the top of the file.
LoadModule auth_kerb_module libexec/apache24/mod_auth_kerb.so
...
<Location />
    AuthType Kerberos
    AuthName "Kerberos login for ZOZS.SE"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms ZOZS.SE
    Krb5KeyTab /usr/local/etc/apache24/extra/my.keytab
    require valid-user
</Location>
With the config above, I require Kerberos authentication for everything, and I only allow actual Kerberos tickets to be used. If you want basic authentication fallback (which grabs a username and password from the user, and then tries to acquire a Kerberos ticket on their behalf), you can set KrbMethodK5Passwd On.
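As an added example (not code from the post), here is a small Python audit of a mod_auth_kerb <Location> block like the one above. It flags the password fallback (which only makes sense over HTTPS, since the browser then sends the password to the server), a missing require line, and a keytab that is readable by anyone other than its owner. The sample config, the placeholder keytab file and the directive defaults it assumes (mod_auth_kerb turns K5Passwd on unless told otherwise) are my own additions.

```python
import os
import re
import stat
import tempfile

# Constructed sample (not from the post): the post's <Location> block with the
# password fallback left on; audit_sample() fills in the keytab path.
SAMPLE_CONFIG = """<Location />
    AuthType Kerberos
    AuthName "Kerberos login for ZOZS.SE"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms ZOZS.SE
    Krb5KeyTab {keytab}
    require valid-user
</Location>
"""

def parse_directives(text):
    """Map lowercased directive names to values for the lines inside <Location>."""
    body = re.search(r"<Location[^>]*>(.*?)</Location>", text, re.S).group(1)
    pairs = (line.split(None, 1) for line in body.splitlines() if line.strip())
    return {p[0].lower(): (p[1].strip() if len(p) > 1 else "") for p in pairs}

def audit(d):
    """Return findings; an empty list means the block matches the post's tight setup."""
    findings = []
    if d.get("authtype") != "Kerberos":
        findings.append("AuthType is not Kerberos")
    # mod_auth_kerb enables K5Passwd unless told otherwise, so a missing line
    # still means the browser may be asked for (and send) a password.
    if d.get("krbmethodk5passwd", "On").lower() == "on":
        findings.append("KrbMethodK5Passwd On: password fallback active, only acceptable over HTTPS")
    if d.get("require") != "valid-user":
        findings.append("require valid-user missing: authentication is not enforced")
    keytab = d.get("krb5keytab", "")
    try:
        mode = stat.S_IMODE(os.stat(keytab).st_mode)
        if mode & 0o077:  # the keytab holds the service's long-term key: owner-only
            findings.append(f"Krb5KeyTab {keytab} is group/world accessible (mode {mode:04o})")
    except OSError:
        findings.append(f"Krb5KeyTab {keytab!r} is missing or unreadable")
    return findings

def audit_sample(config=SAMPLE_CONFIG, mode=0o644):
    """Create a placeholder keytab with the given mode and audit the config against it."""
    with tempfile.NamedTemporaryFile(suffix=".keytab") as keytab:
        os.chmod(keytab.name, mode)
        return audit(parse_directives(config.format(keytab=keytab.name)))
```

Running audit_sample() against the sample reports the password fallback and the 0644 keytab; switching the directive to Off and the keytab to 0600 yields no findings.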
Add Apache to your /etc/rc.conf and start it with service apache24 start, and you're done!