[CentOS] Apache + auth_mod_kerb + Active Directory = SSO

James Bensley

jwbensley at gmail.com
Thu Dec 17 09:46:00 UTC 2009


Hey List,

I have been setting up SSO on our Intranet Apache server. All seems
well, I think I have just about cracked it but it seems a little rough
around the edges;

I enabled auth_mod_kerb, and created a test directory in my web root
(/secure) and added a directory directive under the httpd.conf, I
created a user in Active Directory, used ktpass.exe to map the user to
the service principal and put the key tab on the Apache server and all
seems well.

I am testing this with Firefox and Internet Explorer (Both on Windows
XP Pro SP3 Client). Firefox works only with the FQDN of the Intranet
server (and not just http://hostname/secure, this gives an
authentication error), and only with our domain name set in
"network.negotiate-auth.delegation-uris" and in
"network.negotiate-auth.trusted-uris".

Internet Explorer however only works with http://hostname/secure and
not f.q.d.n/secure? (Integrate with Windows Authentication IS
enabled).

Obviously at this point the reason I am posting here is because I am
trying to eliminate the reasons for this. If it is a client side
problem I need to seek some more savvy IE/Windows users maybe but I
am posting here to enquire if anyone has any thoughts about it
possibly being DNS related or some sort of server misconfiguration?

uname -a
Linux hades.nr5project.co.uk 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1
09:19:18 EDT 2009 i686 i686 i386 GNU/Linux

Apache/2.2.11 (Unix) mod_auth_kerb/5.4 DAV/2 mod_ssl/2.2.11
OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4
Perl/v5.10.0

Thanks for reading.
-- 
Regards,
James ;)

Charles de Gaulle  - "The better I get to know men, the more I find
myself loving dogs." -
http://www.brainyquote.com/quotes/authors/c/charles_de_gaulle.html
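
An added example, not part of the original post: a Python check of which URL host names have a matching HTTP service principal in the keytab that ktpass.exe produced, since the server can only accept tickets for principals whose keys it holds. It assumes the client builds the principal from the host exactly as typed in the URL (real clients may canonicalise the name through DNS first); the host names, realm and keytab path are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of plain `klist -k <keytab>` output (MIT Kerberos layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/intranet.example.com@EXAMPLE.COM
"""


def normalise(principal):
    """Split service/host@REALM; host names compare case-insensitively."""
    name, _, realm = principal.rpartition("@")
    service, _, host = name.partition("/")
    return service, host.lower(), realm


def keytab_principals(klist_text):
    """Return the normalised principals listed by `klist -k`."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+/\S+@\S+)\s*$", line)
        if m:
            found.add(normalise(m.group(1)))
    return found


def check_urls(urls, klist_text, realm, service="HTTP"):
    """Map each URL to (principal a client would request, key present?)."""
    keys = keytab_principals(klist_text)
    report = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            raise ValueError(f"no host name in {url!r}")
        # Assumption: the principal is built from the host exactly as typed.
        spn = f"{service}/{host}@{realm}"
        report[url] = (spn, normalise(spn) in keys)
    return report


if __name__ == "__main__":
    for url, (spn, ok) in check_urls(
        ["http://intranet/secure", "http://intranet.example.com/secure"],
        SAMPLE_KLIST, "EXAMPLE.COM",
    ).items():
        print(f"{url:40} {spn:45} {'in keytab' if ok else 'MISSING'}")
```

Run it against the real `klist -k` output from the Apache host and the URL forms users actually type; a missing entry means that name has no key on the server.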


