HTTPS Kerberos authentication with Apache 2.4
So I wanted to put my shiny Kerberos server to some use on my network, and decided that I want some web services protected by Kerberos authentication. By doing so, I will automatically have access to those services on my local machine (because I get a Kerberos ticket upon local login, see my previous post). My web server will run Apache 2.4, and run on FreeBSD.
I start by installing Apache 2.4:
# portmaster www/apache24
The default settings works fine. I proceed with configuring Apache as usual, with SSL certificates and so on. We then proceed by building the Kerberos module for Apache.
# portmaster www/mod_auth_kerb2
I use the Kerberos-version from base. Choose appropriately.
Next, we need to generate a new keytab on the Kerberos server. The name must match the host the server is running on. Thus, if your webserver has the domain name
web.example.com, the Kerberos principal should be
HTTP/web.example.com. Move the principal file somewhere safe, I put mine in
Next, add the following directives to the
<Directory> you want to protect:
# Should have been added by default to the top of the file. LoadModule auth_kerb_module libexec/apache24/mod_auth_kerb.so ... <Location /> AuthType Kerberos AuthName "Kerberos login for ZOZS.SE" KrbMethodNegotiate On KrbMethodK5Passwd Off KrbAuthRealms ZOZS.SE Krb5KeyTab /usr/local/etc/apache24/extra/my.keytab require valid-user </Location>
With the config above, I require Kerberos Authentication for everything, and I will only allow actual Kerberos tickets to be used. If you want basic authentication fallback (which will then grab username and password from the user, and then try to acquire a Kerberos ticket on their behalf), you can set
Add Apache to your
/etc/rc.conf and start it with
service start apache24 and you’re done!