I have recently started experimenting with getting a Linux web server to let Active Directory users connect with their own username passed through to the web server.
This is proving to be very difficult. It shouldn't be that hard to get, on the Linux server, the username of the Windows intranet user who is connecting.
One of the challenges is that there are so many variables to consider: the OS version and the Apache version, to start with.
What is my linux version?
I'm currently using CentOS 8.1. I was able to determine this because I did the install, but if you did it a while ago, or have built several other servers since then and are not sure what version you are on, then use this command:
# cat /etc/redhat-release
CentOS Linux release 8.1.1911 (Core)
What is my Apache version?
# httpd -v
Server version: Apache/2.4.37 (centos)
Server built: Sep 15 2020 15:41:16
What Apache modules are needed for HTTP Authentication?
This might not be correct, but all indicators seem to point to this.
I have gone down a lot of rabbit holes. I don’t know whether every avenue that I explored is necessary or not.
The mod_auth_kerb module is no longer maintained and has been replaced by mod_auth_gssapi (which is what CentOS 8 ships); see the announcement "Apache2-mod_auth_kerb Is Dead, Use Mod_auth_gssapi".
Where can I find documentation for mod_auth_gssapi?
What is the difference between HTTP Auth and Web Application Login?
I do not want Web Application login; I want HTTP Auth to populate the user variable so that the user does not need to enter their username as long as they are logged into their Windows machine.
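For reference, this is the shape of the httpd configuration that makes the Negotiate (Kerberos) handshake populate REMOTE_USER without a login form. It is an added example, not configuration from the original post or from the mod_auth_gssapi project; the /intranet location, the keytab path /etc/httpd/httpd.keytab and the realm EXAMPLE.COM are assumptions. The directive names are mod_auth_gssapi's own.

```apache
# Added example, not the post's own config. Location, keytab path and realm
# are assumptions. On CentOS 8 the module comes from the mod_auth_gssapi
# package (AppStream), which drops its LoadModule line into
# /etc/httpd/conf.modules.d/ so it does not need to be repeated here.

<Location "/intranet">
    AuthType GSSAPI
    AuthName "Intranet (Kerberos)"

    # Keytab holding the HTTP/<fqdn>@EXAMPLE.COM key. The apache user must be
    # able to read it and nobody else should (chown apache:apache, chmod 600).
    GssapiCredStore keytab:/etc/httpd/httpd.keytab

    # Accept only Kerberos tickets. Keep Basic fallback off: with it on, a
    # browser that cannot get a ticket would prompt for and send the password.
    GssapiAllowedMech krb5
    GssapiBasicAuth Off

    # Refuse to negotiate over plain HTTP. Set to Off only while testing.
    GssapiSSLonly On

    # Off: REMOTE_USER is "user@EXAMPLE.COM".
    # On:  the principal is mapped through the auth_to_local rules in krb5.conf,
    #      typically yielding just "user".
    GssapiLocalName Off

    Require valid-user
</Location>
```

Once this is in place the authenticated principal arrives in the application as REMOTE_USER (for example `$_SERVER['REMOTE_USER']` in PHP or the `REMOTE_USER` CGI variable), which is the "user variable" the section above is after. Nothing in this block bypasses the prerequisites the rest of the page is working through: the HTTP/ SPN must exist in AD, the matching key must be in the keytab, and the browser must treat the site as an intranet site that may use Negotiate.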
What does the Apache Documentation say about Authentication and Authorization?
Do I really need SSL in order to get the AD username on the web server?
I sure hope not! Still looking into this.
A very dark place…
I probably should read this page, but I’m not ready to understand that yet…
What is the difference between HOST and HTTP Service Principals?
This is still a big mystery to me… I believe that HTTP is for web server authentication and HOST is for users on the machine. I'm concerned with HTTP authentication.
What is SetSpn for Windows Active Directory?
What is an Active Directory SPN?
A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with a computer and user account to form a type of service ID.
How can I use VBScript to list all my SPNs?
Yes. This script works.
How to Display the Keylist (Principals) in a Keytab File
This may be a bit early, but I’ll move it later. The keytab file can be viewed on Linux using ktutil.
The command to start ktutil and get to the ktutil prompt, followed by reading a keytab and listing its entries (the example below uses the path /etc/krb5/krb5.keytab; on CentOS the default system keytab is /etc/krb5.keytab, and a keytab created for Apache is read from whatever path you stored it at):
denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
ktutil:
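The ktutil listing above only shows what is in the file; it does not say whether the keytab is actually usable for a web server. Tying this together with the HOST versus HTTP question earlier on the page, here is an added example (not code from the original post) that parses the MIT keytab format (version 0x0502) directly, prints the same slot/KVNO/principal table, and checks that an HTTP/<fqdn>@REALM key is present, since a keytab holding only a host/ key will not let a browser's Negotiate ticket be accepted. The keytab it parses is constructed in memory with dummy key bytes; the hostname denver.example.com and the KVNOs are assumptions.

```python
"""Parse an MIT-format (0x0502) Kerberos keytab and list its principals.

Added example, not code from the original post. It re-implements in Python
the listing that ktutil's read_kt/list gives, so the structure of a keytab
is visible and the "is there an HTTP/ key?" check can be automated.
SAMPLE_KEYTAB below is CONSTRUCTED with dummy key bytes; the hostname
denver.example.com and the KVNOs are assumptions.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # version 2 keytab, all fields big-endian
KRB5_NT_SRV_HST = 3          # name type for service/host principals (krb5.h)


def _counted(b):
    """uint16 length prefix + bytes (krb5 'counted octet string')."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode(), off + n


def build_entry(realm, components, name_type, timestamp, kvno, enctype, key):
    """Serialise one keytab record, including the trailing 32-bit kvno."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                                  # 32-bit vno
    return struct.pack(">i", len(body)) + body


def build_keytab(records):
    return KEYTAB_MAGIC + b"".join(records)


def parse_keytab(data):
    """Return a list of dicts (slot, kvno, principal, enctype, name_type).

    Key material is skipped, not returned. A record with a negative size is a
    free slot left by a deleted entry and is stepped over.
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos, slot = [], 2, 1
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # deleted entry: skip the hole
            pos += -size
            continue
        rec, off = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        realm, off = _read_counted(rec, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(rec, off)
            comps.append(c)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", rec, off)
        off += 4 + keylen                 # do not keep the key itself
        kvno = vno8
        if len(rec) - off >= 4:           # newer keytabs append a 32-bit kvno
            (vno32,) = struct.unpack_from(">I", rec, off)
            if vno32:
                kvno = vno32
        entries.append({"slot": slot, "kvno": kvno,
                        "principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "name_type": name_type})
        slot += 1
        pos += size
    return entries


def format_keylist(entries):
    """Mimic ktutil's `list` output."""
    lines = ["slot KVNO Principal", "---- ---- " + "-" * 39]
    for e in entries:
        lines.append("%4d %4d %s" % (e["slot"], e["kvno"], e["principal"]))
    return "\n".join(lines)


def has_http_principal(entries, fqdn, realm):
    """True if the keytab holds the HTTP/<fqdn>@REALM key Negotiate needs.

    Browsers ask the KDC for a ticket to HTTP/<hostname>, so a host/ key on
    its own does not make the web server able to decrypt that ticket.
    """
    want = "HTTP/%s@%s" % (fqdn, realm)
    return any(e["principal"] == want for e in entries)


# Constructed sample: a host/ key (KVNO 5), an 8-byte deleted slot, and an
# HTTP/ key (KVNO 2). Key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    build_entry("EXAMPLE.COM", ["host", "denver.example.com"],
                KRB5_NT_SRV_HST, 1600000000, 5, 18, b"\x11" * 32),
    struct.pack(">i", -8) + b"\x00" * 8,
    build_entry("EXAMPLE.COM", ["HTTP", "denver.example.com"],
                KRB5_NT_SRV_HST, 1600000000, 2, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    print(format_keylist(found))
    print("HTTP key present:",
          has_http_principal(found, "denver.example.com", "EXAMPLE.COM"))
```

To run it against a real file, replace SAMPLE_KEYTAB with `open("/etc/httpd/httpd.keytab", "rb").read()` (as root or the apache user). Two things worth checking against the real AD side: the KVNO shown here must match the msDS-KeyVersionNumber of the account the SPN is attached to, otherwise tickets will fail to decrypt, and the principal's host part must be the FQDN the browser uses in the URL, not the short name.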
Are there any good walkthroughs that come close?
This one comes very close, but I’m still having trouble getting it working.