So I wanted to put my shiny Kerberos server to some use on my network, and decided that I want some web services protected by Kerberos authentication. That way I automatically get access to those services from my local machine, because I receive a Kerberos ticket upon local login (see my previous post). My web server will run Apache 2.4 on FreeBSD.

I start by installing Apache 2.4:

# portmaster www/apache24

The default settings work fine. I configure Apache as usual, with SSL certificates and so on. Next, build the Kerberos module for Apache:

# portmaster www/mod_auth_kerb2

I use the Kerberos version from the base system; choose the port option that matches your setup.

Next, we need to generate a new keytab on the Kerberos server. The principal name must match the host name of the web server: if your web server has the domain name web.example.com, the Kerberos principal should be HTTP/web.example.com. Move the keytab file somewhere safe; I put mine in /usr/local/etc/apache24/extra/.
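As an added example that is not part of the original post, here is a small Python inspector for that keytab: it parses the keytab file format and confirms that HTTP/<fqdn>@REALM is actually present, since a mismatch between the keytab principal and the name clients resolve is a common reason Negotiate fails. The sample keytab is constructed inline (principal and realm mirror the post, key bytes are dummies); note that the service's long-term keys sit in the file unencrypted, which is why its location and permissions matter.

```python
import struct
# Keytab layout (version 0x0502, Heimdal and MIT): magic 05 02, then entries, each
# preceded by a signed int32 length (negative = deleted slot of that size). Entry:
# uint16 ncomp, realm, ncomp x component (uint16 len + bytes), uint32 name_type,
# uint32 timestamp, uint8 vno8, uint16 enctype, uint16 keylen, raw key, [uint32 kvno]
def _cstr(buf, off):                # counted octet string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in the keytab."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # deleted entry: skip the hole it left behind
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _cstr(data, p)
            comps.append(comp)
        vno8, p = data[p + 8], p + 9            # skip name_type and timestamp
        enctype, keylen = struct.unpack_from(">HH", data, p)
        p += 4 + keylen                         # step over the raw key material
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        off = end
    return entries

def has_http_principal(entries, fqdn, realm):   # the name Apache must find
    return any(p == "HTTP/%s@%s" % (fqdn, realm) for p, _, _ in entries)

def encode_entry(principal, kvno, enctype, key):   # encoder, used for the sample
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)       # NT-PRINCIPAL, time
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a deleted 12-byte slot, then AES-256 (18) and AES-128 (17)
# entries for the web server's principal; the key bytes are dummies.
SAMPLE_KEYTAB = (b"\x05\x02" + struct.pack(">i", -12) + b"\0" * 12
                 + encode_entry("HTTP/web.example.com@ZOZS.SE", 2, 18, b"K" * 32)
                 + encode_entry("HTTP/web.example.com@ZOZS.SE", 2, 17, b"k" * 16))
```

Point parse_keytab at the bytes of your real keytab (open(path, "rb").read()) and compare the result against the host name your clients actually use.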

Next, add the following directives to the <Location> or <Directory> you want to protect:

# Should have been added by default to the top of the file.
LoadModule auth_kerb_module   libexec/apache24/mod_auth_kerb.so

...

<Location />
    AuthType            Kerberos
    AuthName            "Kerberos login for ZOZS.SE"
    KrbMethodNegotiate  On
    KrbMethodK5Passwd   Off
    KrbAuthRealms       ZOZS.SE
    Krb5KeyTab          /usr/local/etc/apache24/extra/my.keytab
    require valid-user
</Location>

With the config above I require Kerberos authentication for everything, and I only allow actual Kerberos tickets to be used. If you want a basic-authentication fallback, where the module asks the user for a username and password and then tries to acquire a Kerberos ticket on their behalf, set KrbMethodK5Passwd On. Keep in mind that the fallback sends the user's password to the web server, so it only makes sense over HTTPS.

Enable Apache in your /etc/rc.conf, start it with service apache24 start, and you're done!