Apache + Kerberos + SSO
anqk #1
Subject: Apache + Kerberos + SSO
Hi all

I have issues with automatic login. I just cannot get into the Wiki without entering a password. I have no idea anymore. I have double checked if there is any thread in this forum and I have also checked lots of Google links, and by now I think I have everything in place to get this working; however, I can only log in by entering correct AD credentials => I get a login form instead of automatic login.

Let's assume the following:

- Domain is AA.BB.CH
- Wiki is accessible through wiki.intranet.cc.ch (note that it is not wiki.aa.bb.ch or something similar, but that should not matter anyway).
- Internet Explorer is our internal standard. The settings are as described in the howtos.

For reasons of privacy I obfuscated the sensitive parts in <> (case-sensitive).

/etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5/krb5.log
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/krb5admin_server.log

[libdefaults]
  default_ccache_name = FILE:/var/log/apache2/krb5cc_%{uid}
  default_realm = AA.BB.CH
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  default_keytab_name = /etc/apache2/conf.d/<KEYTAB>

[realms]
  AA.BB.CH = {
    kdc = <DC1>
    kdc = <DC2>
    admin_server = <DC1>
    default_domain = aa.bb.ch
  }

[domain_realm]
  wiki.intranet.cc.ch = AA.BB.CH
  .aa.bb.ch  = AA.BB.CH
  aa.bb.ch  = AA.BB.CH
  .intranet.cc.ch = AA.BB.CH
  intranet.cc.ch = AA.BB.CH

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

I can get a ticket using kinit <MY_USER>, so basic communication with AD works.

Apache 2.4 Linux
...

# Kerberos Auth
AuthType Kerberos
AuthName AA.BB.CH
KrbAuthRealms AA.BB.CH
KrbServiceName HTTP
Krb5Keytab /etc/apache2/conf.d/<KEYTAB>
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Require valid-user

...

Wiki local.protected.php
...

// proxy settings
$conf['proxy']['host'] = '<PROXY>';
$conf['proxy']['port'] = 8080;

...

$conf['superuser']                                = '@<WIKI_ADMINS>';
$conf['manager']                                  = '@<WIKI_ADMINS>';
$conf['authtype']                                 = 'authad';
$conf['plugin']['authad']['account_suffix']       = '@aa.bb.ch';
$conf['plugin']['authad']['base_dn']              = 'OU=BLA,DC=aa,DC=bb,DC=ch';
$conf['plugin']['authad']['domain_controllers']   = '<DC1>,<DC2>';
$conf['plugin']['authad']['admin_username']       = '<ADMIN>';
$conf['plugin']['authad']['admin_password']       = '<PASSWORD>';
$conf['plugin']['authad']['sso']                  = 1;
$conf['plugin']['authad']['real_primarygroup']    = 1;
$conf['plugin']['authad']['debug']                = 1;
$conf['plugin']['authad']['recursive_groups']     = 1;
$conf['plugin']['authad']['expirywarn']           = 0;

...

As I am able to log in manually with an AD user, I assume the basic configuration works, but the SSO part does not. Although I am pretty sure that all of the configuration is correct and should work according to all the resources I have read.

Did I miss something or do you see an error?

Any help is appreciated.

Best regards
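A diagnostic that I find useful for exactly this symptom (manual AD login works, Negotiate does not), added here as an example and not code from the thread or from DokuWiki: with KrbServiceName set to HTTP, the browser asks the KDC for a ticket for HTTP/<hostname in the URL>@REALM, and mod_auth_kerb needs the key for that same principal in the keytab. When the wiki is reached under an alias (wiki.intranet.cc.ch) but the keytab only covers the AD-joined name, the Negotiate round fails silently and DokuWiki shows its login form because REMOTE_USER is never set. The script below parses `klist -kt` style output and reports whether the expected principal is present. The listing is constructed for the example; the hostnames and realm are the thread's placeholders, and `<KEYTAB>` stays a placeholder.

```shell
#!/bin/sh
# Constructed sample in the shape of `klist -kt <keytab>` output. It is NOT a dump of
# the poster's keytab; it only covers the AD-joined name, not the alias users type.
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/conf.d/wiki.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2019 00:00:00 HTTP/wiki.aa.bb.ch@AA.BB.CH
   3 01/01/2019 00:00:00 HTTP/wiki.aa.bb.ch@AA.BB.CH'

# expected_spn HOST REALM
# Prints the principal a browser requests for https://HOST/ when the Apache side uses
# KrbServiceName HTTP and KrbAuthRealms REALM.
expected_spn() {
  printf 'HTTP/%s@%s\n' "$1" "$2"
}

# keytab_has_spn LISTING HOST REALM
# Returns 0 when LISTING contains exactly that principal, 1 otherwise. The comparison
# is case-sensitive on purpose: Kerberos principal names are case-sensitive, and a
# keytab entry HTTP/WIKI.INTRANET.CC.CH@AA.BB.CH does not serve wiki.intranet.cc.ch.
keytab_has_spn() {
  spn=$(expected_spn "$2" "$3")
  printf '%s\n' "$1" | awk -v spn="$spn" '$NF == spn { found = 1 } END { exit !found }'
}

# sso_report LISTING HOST REALM
# Human-readable verdict for one hostname; exit status mirrors keytab_has_spn.
sso_report() {
  if keytab_has_spn "$1" "$2" "$3"; then
    printf 'OK: keytab has %s\n' "$(expected_spn "$2" "$3")"
    return 0
  fi
  printf 'MISSING: keytab lacks %s; browsers using that hostname get the login form\n' \
    "$(expected_spn "$2" "$3")"
  return 1
}

# Stand-alone run against the constructed listing. On a real server replace
# SAMPLE_KLIST with "$(klist -kt /etc/apache2/conf.d/<KEYTAB>)" and check every
# hostname that appears in users' bookmarks, not just the one in ServerName.
sso_report "$SAMPLE_KLIST" wiki.aa.bb.ch AA.BB.CH
sso_report "$SAMPLE_KLIST" wiki.intranet.cc.ch AA.BB.CH || true
```

If the alias is reported as MISSING, the fix is on the AD side first (the HTTP/wiki.intranet.cc.ch SPN has to be registered on the account whose key is in the keytab) and then a regenerated keytab; adding a keytab entry without the SPN registration does not help, because the KDC will not issue a ticket for an SPN it does not know.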
anqk #2
Subject: Apache + Kerberos + Smartcard + SSO
Well, I am able to log in with Kerberos using AD credentials using the mentioned configuration, because I used the wrong user, which does have a certificate but no password. So Kerberos authentication seems to work. There is additional complexity with the smartcard with a certificate on it, and it seems that there is no solution to cover this. I would probably need a combination of the authad and smartcard plugins; however, the SSO part will probably still not work.

If we had Apache < 2.4 we would be able to implement NTLM over Apache like it is described in https://www.dokuwiki.org/plugin:authad. This is what we actually had before the servers were upgraded, where Apache was upgraded from 2.2 to 2.4.

As I do not want to hassle with this anymore, I just decided to create the ~100 users once and do updates and modifications manually.
Exzellius #3
Hi,

If you want to use 2 auth plugins at once, I can recommend the plugin authchained.
Link: https://www.dokuwiki.org/plugin:authchained

Here you can configure multiple auth sources that need to be available.

Don't know if this helps.

Greetings
Dominik