Apache – AD – Linux

I have recently started to experiment with getting a Linux web server to allow Active Directory users to connect with their own username passed through to the web server.

This is proving to be very difficult. It shouldn’t be that hard for the Linux server to obtain the username of the Windows intranet user who is connecting.

One of the challenges is that there are so many variables to consider: the OS version and the Apache version, to start with.

What is my linux version?

I’m currently using CentOS 8.1. I know this because I did the install, but if you did it a while ago, or have built several other servers since then and are not sure what version you are on, use this command.

https://linuxconfig.org/how-to-check-centos-version

cat /etc/centos-release

CentOS Linux release 8.1.1911 (Core)

What is my Apache version?

httpd -v

Server version: Apache/2.4.37 (centos)
Server built: Sep 15 2020 15:41:16

What Apache modules are needed for HTTP Authentication?

This might not be correct, but all indicators seem to point to this.

I have gone down a lot of rabbit holes. I don’t know whether every avenue that I explored is necessary or not.

https://computingforgeeks.com/install-apache-with-ssl-http2-on-rhel-centos/

The mod_auth_kerb module has been replaced by the mod_auth_gssapi module.

http://www.jfcarter.net/~jimc/documents/bugfix/41-auth-kerb.html

Apache2-mod_auth_kerb Is Dead, Use Mod_auth_gssapi

https://jaosorior.dev/2018/keberos-for-keystone-with-mod_auth_gssapi/

Where can I find documentation for mod_auth_gssapi?

https://github.com/gssapi/mod_auth_gssapi

What is the difference between HTTP Auth and Web Application Login?

I do not want Web Application logon, I want HTTP Auth to populate the user variable so that the user does not need to enter their username as long as they are logged into their windows machine.
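As an added example (not from this post or the walkthroughs it links), here is a minimal httpd virtual host that does exactly that with mod_auth_gssapi: the browser sends a Kerberos ticket via Negotiate and Apache fills in REMOTE_USER. The hostname, realm, keytab path and certificate paths are assumptions.

```apache
# Added example. Assumed values: host intranet.example.com, realm EXAMPLE.COM,
# keytab /etc/httpd/http.keytab. The keytab must contain the HTTP service
# principal (HTTP/intranet.example.com@EXAMPLE.COM, not host/...) and be
# readable only by the apache user (chown apache:apache; chmod 0600).
# The CentOS package normally adds the LoadModule line under conf.modules.d;
# include it here only if it is missing.
LoadModule auth_gssapi_module modules/mod_auth_gssapi.so

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/intranet.crt
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.key

    <Location "/">
        AuthType GSSAPI
        AuthName "Intranet (Kerberos SSO)"
        GssapiCredStore keytab:/etc/httpd/http.keytab
        # Accept only the Kerberos mechanism (no NTLM / NTLMSSP fallback).
        GssapiAllowedMech krb5
        # Never fall back to prompting for a password with Basic auth,
        # which would send AD credentials in the request.
        GssapiBasicAuth Off
        # Refuse to authenticate over plain HTTP; the auth exchange and any
        # session cookie then only travel inside TLS.
        GssapiSSLonly On
        # On: map user@EXAMPLE.COM to a short name via the auth_to_local
        # rules in krb5.conf. Off: REMOTE_USER keeps the full principal.
        GssapiLocalName On
        Require valid-user
    </Location>
</VirtualHost>
```

After a successful Negotiate exchange the authenticated principal is available to the application as REMOTE_USER (for example $_SERVER['REMOTE_USER'] in PHP). If the browser shows a 401 with WWW-Authenticate: Negotiate and never retries with a ticket, the usual cause is that the site is not in the browser's intranet zone or trusted-URI list rather than a server-side problem.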

What does the Apache documentation say about Authentication and Authorization?

http://httpd.apache.org/docs/current/howto/auth.html

Do I really need SSL in order to get the AD username on the web server?

I sure hope not! Still looking into this.

A very dark place…

http://modauthkerb.sourceforge.net/configure.html

I probably should read this page, but I’m not ready to understand that yet…

What is the difference between HOST and HTTP Service Principals?

https://sssd.io/docs/users/ldap_with_ad.html

This is still a big mystery to me… I believe that HTTP is for the web server authentication and HOST is for users on the machine. I’m concerned with HTTP authentication.

What is SetSpn for Windows Active Directory?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)

What is an Active Directory SPN?

A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with a computer and user account to form a type of service ID.

How can I use VBScript to list all my SPNs?

https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.vbs

Yes. This script works.

How to Display the Keylist (Principals) in a Keytab File

This may be a bit early, but I’ll move it later. The keytab file can be viewed on Linux using ktutil.

The command below starts ktutil and gets you to the ktutil prompt, where read_kt loads the keytab and list shows its principals.

https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjs1q/index.html

denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
ktutil: quit

Are there any good walkthroughs that come close?

https://imatviyenko.github.io/blog/2018/09/11/Apache-AD-kerberos

This one comes very close, but I’m still having trouble getting it working.

Troubleshooting

https://serverfault.com/questions/680289/kerberos-kdc-has-no-support-for-encryption-type-while-getting-credentials

https://stackoverflow.com/questions/23801169/kdc-has-no-support-for-encryption-type-14

What encryption types can Windows do?

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

Random Kerberos links

https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html

https://community.spiceworks.com/how_to/91377-implementing-single-sign-on-on-windows-with-apache

https://github.com/nextcloud/user_saml/issues/250

If I cannot get SSO working, I’ll use a logon page… :/

https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html
