I am new to this particular authentication through the Kerberos protocol, so I tried to read lots of howtos on it, but it seems I can't find any specifics matching my constraints. Here's what I have:
- An Active Directory server which users authenticate to in order to log on to their workstations
- Each user uses IE 7 to connect to my intranet application
- An Apache server with load balancing
- Some Tomcat servers serving as workers for that Apache server
- On each Tomcat, I have 2 Jakarta servlets running; users connect only to a single servlet (further on I'll refer to it as "the servlet", as if there were just one)
- My Tomcats have to run under JDK 5. Not JDK 6 or JDK 4; it's JDK 5, period.
Now I would like users to automatically get logged on to my servlet. Essentially I just need my servlet to retrieve the client's principal; then I can handle the rest. From what I understood, my client has a ticket, he requests from the KDC a special ticket for accessing the Apache server, then he tries to connect to the Apache server. Based on its keytab, the Apache server then decodes the auth data and grants/refuses access to the specified resource. Am I right? Please guide me through this; I have been reading pages for 4 days and still have no clue which option would be the more appropriate. I tried mod_auth_kerb for Apache, but instead of getting the user's ticket it requests it just like a basic auth. Apparently SPNEGO
Ok, I got this working:
Install Kerberos 5 + Apache 2 + mod_auth_kerb. On your AD, create a keytab with just the principal you'll use for Apache; I use HTTP/apache.mydom.com@MYDOM.COM.
Put this keytab file on your Apache server and make it readable only by your Apache user. Then edit your Apache conf with these directives for the secure location:
[…]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure>
    [… some other stuff …]
    Order allow,deny
    Allow from all
    AuthType Kerberos
    AuthName "Authentification requise"
    KrbAuthRealms MYDOM.COM
    # this allows the user to be saved in the request
    KrbSaveCredentials on
    # this one forces the Negotiate AuthType instead of the Basic fallback
    KrbMethodNegotiate on
    # this trims the realm from the username saved in the request
    # (request.getRemoteUser() will give you "user" instead of "user@MYDOM.COM")
    KrbLocalUserMapping on
    KrbAuthoritative on
    KrbVerifyKDC on
    Krb5Keytab /install/binaries/httpd/apache.keytab
    KrbServiceName HTTP
    require valid-user
</LocationMatch>
And the one thing I almost failed to find on the internet: you need to modify your Tomcat server config (tomcat/conf/server.xml):
<Connector [... AJP connector configuration ...] request.tomcatAuthentication="false"/>
This is really important because without it your Tomcat will not retrieve any auth info. Remember too, DNS is really, really vital for any Kerberos install. If you have any problem, try checking your DNS for all your servers.
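As an added illustration of the last step (this is example code, not from the original post or from mod_auth_kerb/Tomcat), here is a JDK 5-compatible servlet that reads the identity Apache established and Tomcat propagated over AJP. It assumes the setup above: `KrbAuthRealms MYDOM.COM` on the Apache side and `tomcatAuthentication` disabled on the AJP connector. The servlet name, the `EXPECTED_REALM` constant and the `localUser` helper are my own; the realm check exists because if `KrbLocalUserMapping` is ever turned off the principal arrives with its realm attached, and only the expected realm should be mapped to a local user.

```java
// Added example, not part of the original post.
// Reads the principal that mod_auth_kerb authenticated and that Tomcat
// accepted from the AJP connector (requires tomcatAuthentication="false";
// otherwise getRemoteUser() is null and the request is refused here).
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WhoAmIServlet extends HttpServlet {

    // Assumption: the only realm Apache is configured to accept (KrbAuthRealms).
    private static final String EXPECTED_REALM = "MYDOM.COM";

    /**
     * Maps the value of getRemoteUser() to a local username.
     * Returns null when no user was propagated or when the realm
     * (if still present) is not the expected one.
     */
    static String localUser(String remoteUser) {
        if (remoteUser == null || remoteUser.length() == 0) {
            return null;                       // nothing propagated from Apache
        }
        int at = remoteUser.indexOf('@');
        if (at < 0) {
            return remoteUser;                 // KrbLocalUserMapping already trimmed the realm
        }
        String realm = remoteUser.substring(at + 1);
        if (!EXPECTED_REALM.equalsIgnoreCase(realm)) {
            return null;                       // principal from a realm we do not map
        }
        return remoteUser.substring(0, at);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String remoteUser = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();
        String user = localUser(remoteUser);

        if (user == null) {
            // Either the location is not protected by Apache, or Tomcat is
            // still doing its own authentication instead of trusting AJP.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "No Kerberos principal received from Apache");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("authType   = " + req.getAuthType());
        out.println("remoteUser = " + remoteUser);
        out.println("principal  = " + (principal == null ? "null" : principal.getName()));
        out.println("localUser  = " + user);
    }
}
```

Deploy it in the webapp behind the `/secure` location and open it from a domain-joined IE session: `authType` should read `Negotiate` and `remoteUser` should be the short username. If you get the 401 from the servlet while Apache's access log already shows the user, the AJP connector attribute is the first thing to check.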