I have recently started to experiment with getting a linux webserver to allow for Active Directory users to connect with their own username passed to the web server.<\/p>\n\n\n\n
This is proving to be very difficult. It shouldn’t be that hard to get the username in the linux server for the windows intranet user that is connecting.<\/p>\n\n\n\n
One of the challenges is that there are so many variables to consider. Version of OS, Version of apache. <\/p>\n\n\n\n
I’m currently using Centos 8.1. I was able to determine this because I did the install, but if you did it a while ago, or did several other servers since then and you are not sure what version you are on, then use this command.<\/p>\n\n\n\n
https:\/\/linuxconfig.org\/how-to-check-centos-version<\/a><\/p>\n\n\n\n cat \/etc\/centos-release<\/strong><\/p>\n\n\n\n CentOS Linux release 8.1.1911 (Core)<\/p>\n\n\n\n httpd -v<\/strong><\/p>\n\n\n\n Server version: Apache\/2.4.37 (centos) This might not be correct, but all indicators seem to point to this.<\/p>\n\n\n\n I have gone down a lot of rabbit holes. I don’t know whether every avenue that I explored is necessary or not.<\/p>\n\n\n\n https:\/\/computingforgeeks.com\/install-apache-with-ssl-http2-on-rhel-centos\/<\/a><\/p>\n\n\n\n The http:\/\/www.jfcarter.net\/~jimc\/documents\/bugfix\/41-auth-kerb.html<\/a><\/p>\n\n\n\n Apache2-mod_auth_kerb Is Dead, Use Mod_auth_gssapi<\/p>\n\n\n\n https:\/\/jaosorior.dev\/2018\/keberos-for-keystone-with-mod_auth_gssapi\/<\/a><\/p>\n\n\n\n https:\/\/github.com\/gssapi\/mod_auth_gssapi<\/a><\/p>\n\n\n\n I do not want Web Application logon, I want HTTP Auth to populate the user variable so that the user does not need to enter their username as long as they are logged into their windows machine. <\/p>\n\n\n\n http:\/\/httpd.apache.org\/docs\/current\/howto\/auth.html<\/a><\/p>\n\n\n\n I sure hope not! Still looking into this.<\/p>\n\n\n\n http:\/\/modauthkerb.sourceforge.net\/configure.html<\/a><\/p>\n\n\n\n I probably should read this page, but I’m not ready to understand that yet…<\/p>\n\n\n\n https:\/\/sssd.io\/docs\/users\/ldap_with_ad.html<\/a><\/p>\n\n\n\n This is still a big mystery to me… I believe that HTTP is for the web server authentication and HOST is for users on the machine. I’m concerned with HTTP authentication.<\/p>\n\n\n\n https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-r2-and-2012\/cc731241(v=ws.11)<\/a><\/p>\n\n\n\n A Service Principal Name (SPN<\/strong>) is a name in Active Directory<\/strong> that a client uses to uniquely identify an instance of a service. An SPN<\/strong> combines a service name with a computer and user account to form a type of service ID.<\/p>\n\n\n\n https:\/\/github.com\/nidem\/kerberoast\/blob\/master\/GetUserSPNs.vbs<\/a><\/p>\n\n\n\n Yes. This script works.<\/p>\n\n\n\n This may be a bit early, but I’ll move it later. The keytab file can be viewed on Linux using ktutil.<\/p>\n\n\n\n The command to start ktutil to get to the ktutil prompt.<\/p>\n\n\n\n https:\/\/docs.oracle.com\/cd\/E19683-01\/806-4078\/6jd6cjs1q\/index.html<\/a><\/p>\n\n\n\n Are there any good walkthroughs that come close?<\/p>\n\n\n\n https:\/\/imatviyenko.github.io\/blog\/2018\/09\/11\/Apache-AD-kerberos<\/a><\/p>\n\n\n\n This one comes very close, but I’m still having trouble getting it working.<\/p>\n\n\n\n https:\/\/serverfault.com\/questions\/680289\/kerberos-kdc-has-no-support-for-encryption-type-while-getting-credentials<\/a><\/p>\n\n\n\n https:\/\/stackoverflow.com\/questions\/23801169\/kdc-has-no-support-for-encryption-type-14<\/a><\/p>\n\n\n\n https:\/\/docs.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/ktpass<\/a><\/p>\n\n\n\n https:\/\/active-directory-wp.com\/docs\/Networking\/Single_Sign_On\/Kerberos_SSO_with_Apache_on_Linux.html<\/a><\/p>\n\n\n\n https:\/\/community.spiceworks.com\/how_to\/91377-implementing-single-sign-on-on-windows-with-apache<\/a><\/p>\n\n\n\n https:\/\/github.com\/nextcloud\/user_saml\/issues\/250<\/a><\/p>\n\n\n\n https:\/\/httpd.apache.org\/docs\/2.4\/mod\/mod_auth_form.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" I have recently started to experiment with getting a linux webserver to allow for Active Directory users to connect with their own username passed to the web server. This is proving to be very difficult. It shouldn’t be that hard to get the username in the linux server for the windows intranet user that is … Continue reading “Apache – AD – Linux”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-348","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/posts\/348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/comments?post=348"}],"version-history":[{"count":19,"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/posts\/348\/revisions"}],"predecessor-version":[{"id":375,"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/posts\/348\/revisions\/375"}],"wp:attachment":[{"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/media?parent=348"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/categories?post=348"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.polysyncronism.com\/wordpress\/wp-json\/wp\/v2\/tags?post=348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What is my Apache version?<\/h2>\n\n\n\n
Server built: Sep 15 2020 15:41:16<\/p>\n\n\n\nWhat Apache modules are needed for HTTP Authentication?<\/h2>\n\n\n\n
mod_auth_kerb<\/strong><\/code> module has been replaced by the mod_auth_gssapi<\/strong><\/code> module.<\/p>\n\n\n\nWhere can I find documentation for mod_auth_gssapi?<\/h2>\n\n\n\n
What is the difference between HTTP Auth and Web Application Login?<\/h2>\n\n\n\n
What does the Apache Documenation say about Authentication and Authorization?<\/h2>\n\n\n\n
Do I really need SSL in order to get the AD username on the web server?<\/h2>\n\n\n\n
A very dark place…<\/h2>\n\n\n\n
What is the difference between HOST and HTTP Service Principals?<\/h2>\n\n\n\n
What is SetSpn for Windows Active Directory?<\/h2>\n\n\n\n
What is a Active Directory SPN?<\/h2>\n\n\n\n
How can I use VBScript to list all my SPNs?<\/h2>\n\n\n\n
How to Display the Keylist (Principals) in a Keytab File<\/h2>\n\n\n\n
denver # \/usr\/bin\/ktutil\nktutil: read_kt \/etc\/krb5\/krb5.keytab \nktutil: list\nslot KVNO Principal \n---- ---- ---------------------------------------\n 1 5 host\/denver@EXAMPLE.COM ktutil: \nquit<\/pre>\n\n\n\n
Troubleshooting <\/h2>\n\n\n\n
What encryption types can windows do?<\/h2>\n\n\n\n
Random kerberos links<\/h2>\n\n\n\n
If I cannot get SSO working, I’ll use a logon page… :\/<\/h2>\n\n\n\n