Apache and Kerberos SSO

I had some real problems with setting up SSO in my home lab. I spent the most part of a weekend screaming at my PC, wondering what the hell I was doing wrong. Turns out, setting up SSO with Apache is quite easy.

I'm going to write this from scratch, starting from a new VM install (using Ubuntu).

Few things to bear in mind:

  • My local domain name is ibex.com
  • The server name I'm setting up is called test2.ibex.com
  • My domain controller (hereafter called DC) is called bullfinch.ibex.com

On your DC, set a static IP for the server:

Create a static IP address for the server

On your DC, create a new DNS entry for the server. This must be an A record

Create a DNS entry for your server, with PRT and allow any authenticated user to update DNS records

When installing Ubuntu, it'll ask for a hostname. I've used test2.ibex.com. You may be able to use just test2, but I don't know if this works.

naming your server appropriately

Make sure your hosts file (/etc/hosts) is correct:

Make sure your hosts file is correct

First off, I'm going to join my server to the domain using this

Edit your /etc/krb5.conf to something like this

        default_realm = IBEX.COM
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        forwardable = yes

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
    ftp = ftp
                plain = {
                        something = something-else
        fcc-mit-ticketflags = true

#        default_tkt_enctypes = rc4-hmac
# default_tgs_enctypes = rc4-hmac

        IBEX.COM = {
                kdc = bullfinch.ibex.com
                admin_server = bullfinch.ibex.com
    default_domain = ibex.com
        .ibex.com = IBEX.COM
        ibex.com = IBEX.COM
        test2.ibex.com = IBEX.COM
        krb4_convert = true
        krb4_get_tickets = false
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false

Now, create a user on your DC. Remember to uncheck "user must change password at next logon":

Make sure your hosts file is correct

Create a new keytab on your DC:

ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass {YOUR_PASSWORD_HERE} -out c:\test2.keytab

Creating a keytab

Now edit the user, as after the keytab is made, the delegation tab on the user will show. Make sure "Trust this user for delegation to any service" is selected:

Allowing delgation

Transfer the keytab to your Linux box.

Install Apache and the auth module sudo apt-get install apache2 libapache2-mod-auth-kerb. Don't forget to allow override on the /var/www directory in your apache2 config.

Add this to your apache2 config/.htaccess:

AuthType Kerberos
AuthName "Kerberos Login"
KrbServiceName HTTP
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials Off
KrbVerifyKDC On
KrbAuthRealms IBEX.COM
# This is a BAD idea, it should be somewhere that it not accessible. But this'll do for testing purposes
Krb5KeyTab /var/www/test.keytab
require valid-user

Now visit your page to make sure it works – you’ll get a popup asking for a username and password. Type your info in and you should have access.

Now, to allow browsers to pass your details automatically. I’m doing this directly through IE at the moment, but you’d set a GPO for this.

Click internet options -> security -> local intranet -> custom level, go to the bottom and set "automatic log-on only in an Intranet zone"

Allow automatic login

Now click internet options -> security -> local intranet -> sites ->advanced and add your site to the list

Trust this site

Now if you open any browser, you’ll be able to login without a username and password.

If you then create a php file, put var_dump($_SERVER); and navigate to it, you should see your user under PHP_AUTH_USER


Handy commands

Delete SPN record - setspn -D HTTP/test2.ibex.com (SPN record) test2 (username)

Listing all SPN records (powershell script)

Found this from here

#Set Search
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]“”)
$search.filter = “(servicePrincipalName=*)”
$results = $search.Findall()

#list results
foreach($result in $results)
       $userEntry = $result.GetDirectoryEntry()
       Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"
       Write-host "DN      =      "  $userEntry.distinguishedName
       Write-host "Object Cat. = "  $userEntry.objectCategory
       Write-host "servicePrincipalNames"
       foreach($SPN in $userEntry.servicePrincipalName)
           Write-host "SPN(" $i ")   =      " $SPN       $i+=1
       Write-host ""