
James Bensley 12-17-2009 08:46 AM

Apache + auth_mod_kerb + Active Directory = SSO
 
Hey List,

I have been setting up SSO on our Intranet Apache server. All seems
well, I think I have just about cracked it but it seems a little rough
around the edges;

I enabled auth_mod_kerb, and created a test directory in my web root
(/secure) and added a directory directive under the httpd.conf, I
created a user in Active Directory, used ktpass.exe to map the user to
the service principal and put the key tab on the Apache server and all
seems well.

I am testing this with FireFox and Internet Explorer (Both on Windows
XP Pro SP3 Client). FireFox works only with the FQDN of the Intranet
server (and not just http://hostname/secure, this gives an
authentication error), and only with our domain name set in
"network.negotiate-auth.delegation-uris" and in
"network.negotiate-auth.trusted-uris".

Internet Explorer however only works with http://hostname/secure and
not f.q.d.n/secure? (Integrate with Windows Authentication IS
enabled).

Obviously at this point the reason I am posting here is because I am
trying to eliminate the reasons for this. If it is a client side
problem I need to seek some more savvy IE/Windows users maybe but I
am posting here to enquire if anyone has any thoughts about it
possibly being DNS related or some sort of server misconfiguration?

uname -a
Linux hades.nr5project.co.uk 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1
09:19:18 EDT 2009 i686 i686 i386 GNU/Linux

Apache/2.2.11 (Unix) mod_auth_kerb/5.4 DAV/2 mod_ssl/2.2.11
OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4
Perl/v5.10.0

Thanks for reading.
--
Regards,
James ;)

Charles de Gaulle - "The better I get to know men, the more I find
myself loving dogs." -
http://www.brainyquote.com/quotes/authors/c/charles_de_gaulle.html
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Kai Schaetzl 12-17-2009 10:36 AM

James Bensley wrote on Thu, 17 Dec 2009 09:46:00 +0000:

> Internet Explorer however only works with http://hostname/secure and
> not f.q.d.n/secure? (Integrate with Windows Authentication IS
> enabled).

That is because your FQDN is detected as Internet zone and that will not
use Windows Authentication (for obvious reasons). That authentication is
done only in the Local Intranet zone. You can see that if you look in the
security settings of IE. (Do not change them!)
IE should automatically detect that this FQDN is part of your Intranet
with the "automatically detect" setting if your AD is set up correctly. If
you can't make this work, you can disable the automatic detection and then
add FQDNs manually to the Local Intranet zone. Of course, this makes sense
only if you have a few machines.


Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
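
The hostname/FQDN asymmetry discussed in this thread can be reproduced with a small model of each browser's decision to attempt Negotiate. This is an added example, not code from either poster, and it simplifies both browsers' rules. The host names, the `corp.example` domain and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def firefox_sends_negotiate(url, trusted_uris):
    """Simplified model of network.negotiate-auth.trusted-uris: a comma-separated
    list of [scheme://]host entries, matched exactly or as a domain suffix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for entry in (e.strip().lower() for e in trusted_uris.split(",")):
        scheme = None
        if "://" in entry:
            scheme, entry = entry.split("://", 1)
        pattern = entry.split("/", 1)[0].split(":", 1)[0].lstrip(".")
        if not pattern or (scheme and scheme != parts.scheme):
            continue
        if host == pattern or host.endswith("." + pattern):
            return True
    return False

def ie_zone(url, intranet_sites=()):
    """Simplified model of IE zone mapping: a dotless name is Local Intranet,
    a dotted name is Internet unless it was added to the zone manually."""
    host = (urlsplit(url).hostname or "").lower()
    if "." not in host:
        return "Local Intranet"
    for site in intranet_sites:
        site = site.lower().split("://", 1)[-1].split("/", 1)[0]
        if site.startswith("*."):
            if host.endswith(site[1:]):      # "*.corp.example" covers subdomains
                return "Local Intranet"
        elif host == site:
            return "Local Intranet"
    return "Internet"

def diagnose(urls, trusted_uris, intranet_sites=()):
    """Per URL, report whether each browser would attempt integrated auth."""
    return {u: {"firefox": firefox_sends_negotiate(u, trusted_uris),
                "ie": ie_zone(u, intranet_sites) == "Local Intranet"}
            for u in urls}

# Constructed sample input mirroring the symptoms described in the thread.
SHORT = "http://intranet/secure"
FQDN = "http://intranet.corp.example/secure"

if __name__ == "__main__":
    for url, result in diagnose([SHORT, FQDN], "corp.example").items():
        print(url, result)
```

Adding the short host name to the Firefox preference, or the FQDN to the IE zone, flips the corresponding result; the web server still needs a keytab entry whose service principal matches the name the client requests.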


