Apache + Kerberos + SSO
anqk #1
Member since Jan 2019 · 2 posts
Group memberships: Members
Subject: Apache + Kerberos + SSO
Hi all

I have issues with automatic login. I just cannot get into the Wiki without entering a password. I have no idea anymore. I have double checked if there is any thread in this forum and I have also checked lots of Google links, and by now I think I have everything in place to get this working; however, I can only log in by entering correct AD credentials => I get a login form instead of automatic login.

Let's assume the following:

- Domain is AA.BB.CH
- Wiki is accessible through wiki.intranet.cc.ch (note that it is not wiki.aa.bb.ch or something similar, but that should not matter anyway).
- Internet Explorer is our internal standard. The settings are as described in the howtos.

For reasons of privacy I obfuscated the sensitive parts in <> (case-sensitive).

/etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5/krb5.log
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/krb5admin_server.log

[libdefaults]
  default_ccache_name = FILE:/var/log/apache2/krb5cc_%{uid}
  default_realm = AA.BB.CH
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  default_keytab_name = /etc/apache2/conf.d/<KEYTAB>

[realms]
  AA.BB.CH = {
    kdc = <DC1>
    kdc = <DC2>
    admin_server = <DC1>
    default_domain = aa.bb.ch
  }

[domain_realm]
  wiki.intranet.cc.ch = AA.BB.CH
  .aa.bb.ch  = AA.BB.CH
  aa.bb.ch  = AA.BB.CH
  .intranet.cc.ch = AA.BB.CH
  intranet.cc.ch = AA.BB.CH

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

I can get a ticket using kinit <MY_USER>, so basic communication with AD works.

Apache 2.4 Linux
...

# Kerberos Auth
AuthType Kerberos
AuthName AA.BB.CH
KrbAuthRealms AA.BB.CH
KrbServiceName HTTP
Krb5Keytab /etc/apache2/conf.d/<KEYTAB>
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Require valid-user

...

Wiki local.protected.php
...

// proxy settings
$conf['proxy']['host']                                  = '<PROXY>';
$conf['proxy']['port']                                  = 8080;

...

$conf['superuser']                                        = '@<WIKI_ADMINS>';
$conf['manager']                                          = '@<WIKI_ADMINS>';
$conf['authtype']                                          = 'authad';
$conf['plugin']['authad']['account_suffix']       = '@aa.bb.ch';
$conf['plugin']['authad']['base_dn']                = 'OU=BLA,DC=aa,DC=bb,DC=ch';
$conf['plugin']['authad']['domain_controllers'] = '<DC1>,<DC2>';
$conf['plugin']['authad']['admin_username']    = '<ADMIN>';
$conf['plugin']['authad']['admin_password']     = '<PASSWORD>';
$conf['plugin']['authad']['sso']                        = 1;
$conf['plugin']['authad']['real_primarygroup']   = 1;
$conf['plugin']['authad']['debug']                     = 1;
$conf['plugin']['authad']['recursive_groups']      = 1;
$conf['plugin']['authad']['expirywarn']              = 0;

...

As I am able to log in manually with an AD user, I assume the basic configuration works, but the SSO part does not, although I am pretty sure that all of the configuration is correct and should work according to all the resources I have read.

Did I miss something or do you see an error?

Any help is appreciated.

Best regards
anqk #2
Member since Jan 2019 · 2 posts
Group memberships: Members
Subject: Apache + Kerberos + Smartcard + SSO
Well, I am able to log in with Kerberos using AD credentials using the mentioned configuration, because I used the wrong user, which does have a certificate, but no password. So Kerberos authentication seems to work. There is additional complexity with the smartcard with a certificate on it, and it seems that there is no solution to cover this. I would probably need a combination of the authad and smartcard plugins; however, the SSO part will probably still not work.

If we had Apache < 2.4 we would be able to implement NTLM over Apache like it is described in https://www.dokuwiki.org/plugin:authad. This is what we actually had before the servers were upgraded, where Apache was upgraded from 2.2 to 2.4.

As I do not want to hassle with this anymore, I just decided to create the ~100 users once and do updates and modifications manually.
Exzellius #3
Member since Jan 2019 · 26 posts · Location: Bamberg
Group memberships: Members
Hi,

if you want to use 2 auth plugins at once, I can recommend the plugin authchained
Link: https://www.dokuwiki.org/plugin:authchained

here you can configure multiple auth sources that need to be available

don't know if this helps

Greetings
Dominik
Exzellius #4
Member since Jan 2019 · 26 posts · Location: Bamberg
Group memberships: Members
Subject: same problem, no smartcard
Hey there,

I wanted to activate SSO for my wiki and ran into the same issue that anqk described (except the smartcard):
authentication via Kerberos is working, SSO is not :(

I am running the current stable release Greebo.
I am running authchained as I need authad & authplain to work in unison; authad is preferred.
Browser config seems to be OK.

Config-Files:
/etc/krb5.conf
[libdefaults]
    # "dns_canonicalize_hostname" and "rdns" are better set to false for improved security.
    # If set to true, the canonicalization mechanism performed by Kerberos client may
    # allow service impersonation; the consequence is similar to conducting TLS certificate
    # verification without checking the host name.
    # If left unspecified, the two parameters will have default value true, which is less secure.
#    dns_canonicalize_hostname = false
#    rdns = false
    default_realm = AA.BB.CC
    dns_lookup_kdc = true
    forwardable = true

[realms]

[domain_realm]
.aa.bb.cc = AA.BB.CC
aa.bb.cc = AA.BB.CC

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

/srv/www/htdocs/dokuwiki/conf/local.protected.php
<?php
/**
 * Protected settings
 * Do override DokuWiki default settings and local settings from Config Manager
 */

$conf['useacl']         = 1;
$conf['authtype']       = 'authchained';

$conf['plugin']['authad']['account_suffix']     = '@aa.bb.cc';
$conf['plugin']['authad']['base_dn']            = 'DC=aa,DC=bb,DC=cc';
$conf['plugin']['authad']['domain_controllers'] = 'DC1.aa.bb.cc, DC2.aa.bb.cc';

#$conf['plugin']['authad']['ad_username']        = 'USER';
#$conf['plugin']['authad']['ad_password']        = 'PASSWORD';
$conf['plugin']['authad']['sso']                = 1;
$conf['plugin']['authad']['admin_username']                = 'USER';
$conf['plugin']['authad']['admin_password']                = 'PASSWORD';
$conf['plugin']['authad']['use_ssl']            = 1;
$conf['plugin']['authad']['debug']              = 1;
$conf['plugin']['authad']['recursive_groups']   = 1;
date_default_timezone_set("Europe/Berlin");

/etc/apache2/vhosts.d/hostname.conf
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>

<IfDefine SSL>
        <IfDefine !NOSSL>
                <VirtualHost hostname.aa.bb.cc:443>
                        DocumentRoot "/srv/www/htdocs/"
                        ErrorLog /var/log/apache2/error_log
                        TransferLog /var/log/apache2/access_log
                        SSLEngine on
                        SSLProtocol all -SSLv2 -SSLv3
                        SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
                        SSLCertificateFile /etc/apache2/Zertifikate/hostname.crt
                        SSLCertificateKeyFile /etc/apache2/Zertifikate/hostname.key
                        SSLCertificateChainFile /etc/apache2/Zertifikate/hostname_chain.crt
                        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
                                SSLOptions +StdEnvVars
                        </Files>
                        <Directory "/srv/www/cgi-bin">
                                SSLOptions +StdEnvVars
                        </Directory>
                        CustomLog /var/log/apache2/ssl_request_log   ssl_combined


                        <Location /srv/www/htdocs>
                                AuthType Kerberos
                                AuthName "Kerberos"
                                KrbAuthRealms AA.BB.CC
                                KrbServiceName HTTPS/HOSTNAME@AA.BB.CC
                                Krb5Keytab /srv/www/htdocs/dokuwiki/krb5.keytab
                                KrbMethodNegotiate On
                                KrbMethodK5Passwd On
                                KrbSaveCredentials On
                                require valid-user
                        </Location>


                </VirtualHost>
        </IfDefine>
</IfDefine>

any ideas why SSO might not be working?

Thanks in advance
Dominik
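A check worth running before touching the DokuWiki side, for both anqk's setup (wiki.intranet.cc.ch) and Dominik's: a browser doing Negotiate asks the KDC for HTTP/<host part of the URL>@REALM (the service class is HTTP even for https:// URLs), and that exact principal has to be present in the keytab Apache reads. This is an added example, not code from the thread or from DokuWiki; the klist listings are constructed and the hostnames follow the placeholders used in the posts.

```shell
#!/bin/sh
# Added example, not from the thread: two offline checks for the SPN side of
# Apache Negotiate SSO. The klist listings below are constructed.

# Constructed listing in the format of `klist -kt <keytab>`; the entry was
# extracted as HTTPS/..., which a browser never requests a ticket for.
KLIST_BAD='Keytab name: FILE:/srv/www/htdocs/dokuwiki/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2019 10:02:11 HTTPS/hostname.aa.bb.cc@AA.BB.CC'

KLIST_GOOD='Keytab name: FILE:/srv/www/htdocs/dokuwiki/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2019 10:02:11 HTTP/hostname.aa.bb.cc@AA.BB.CC
   3 01/15/2019 10:02:11 host/hostname.aa.bb.cc@AA.BB.CC'

# expected_spn URL REALM: prints the principal a browser requests for URL.
# Service class is HTTP even for https://; the host is the host part of the
# URL the user types (port and path stripped), not the server's own hostname.
expected_spn() {
    url=$1; realm=$2
    host=$(printf '%s' "$url" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:].*$##')
    printf 'HTTP/%s@%s\n' "$host" "$realm"
}

# keytab_has_spn SPN < klist-output: exit 0 if SPN is listed, 1 otherwise.
# The principal is the last column whether or not -t (timestamps) was used.
# Comparison is exact: MIT Kerberos principal names are case-sensitive.
keytab_has_spn() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# check_keytab URL REALM < klist-output: report and return 0 (ok) or 1 (missing).
check_keytab() {
    spn=$(expected_spn "$1" "$2")
    if keytab_has_spn "$spn"; then
        echo "ok: keytab holds $spn"
    else
        echo "missing: $spn (Negotiate cannot succeed; browser falls back to a password prompt)"
        return 1
    fi
}

# Stand-alone run over both constructed listings (the second one is expected to fail).
printf '%s\n' "$KLIST_GOOD" | check_keytab https://hostname.aa.bb.cc/dokuwiki/ AA.BB.CC
printf '%s\n' "$KLIST_BAD"  | check_keytab https://hostname.aa.bb.cc/dokuwiki/ AA.BB.CC || true
```

On a real host, replace the constructed listings with `klist -kt <keytab>` piped into check_keytab, using the URL exactly as users type it into the browser.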
FosseWay #5
Member since May 2016 · 118 posts · Location: Canada
Group memberships: Members
Getting SSO + Kerberos to work on a corporate wiki was a real struggle for me too, but I finally achieved it. Please check this thread where both I and at least one other user posted our issues and the eventual solution to see if it helps you. Let us know how you get on.
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Current time: 2019-08-21, 22:58:11 (UTC +02:00)