Not logged in. · Lost password · Register
Forum: General Help and Support Server Setup RSS
Apache + Kerberos + SSO
anqk #1
Member for 3 months · 2 posts
Group memberships: Members
Show profile · Link to this post
Subject: Apache + Kerberos + SSO
Hi all

I have issues with automatic login. I just can not get into the Wiki without entering a password. I have no idea anymore. I have double checked if there is any thread in this forum and I have also checked lots of Google links and by now I think, I have everything in place to get this working, however I can only login by entering correct AD credentials => I get a login form instead of automatic login.

Let's assume the following:

- Domain is AA.BB.CH
- Wiki is accessible through (note, that it is not or something similar, but that should not matter anyway).
- Internet Explorer is our internal standard. The settings are as described in the howtos.

For reasons of privacy I obfuscated the sensitive parts in <> (case-sensitive).

  default = FILE:/var/log/krb5/krb5.log
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/krb5admin_server.log

  default_ccache_name = FILE:/var/log/apache2/krb5cc_%{uid}
  default_realm = AA.BB.CH
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  default_keytab_name = /etc/apache2/conf.d/<KEYTAB>

  AA.BB.CH = {
    kdc = <DC1>
    kdc = <DC2>
    admin_server = <DC1>
    default_domain =

[domain_realm] = AA.BB.CH  = AA.BB.CH  = AA.BB.CH = AA.BB.CH = AA.BB.CH

  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

I can get a ticket using kinit <MY_USER>, so basic communication with AD works.

Apache 2.4 Linux

# Kerberos Auth
AuthType Kerberos
AuthName AA.BB.CH
KrbAuthRealms AA.BB.CH
KrbServiceName HTTP
Krb5Keytab /etc/apache2/conf.d/<KEYTAB>
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Require valid-user


Wiki local.protected.php

// proxy settings
$conf['proxy']['host']                                  = '<PROXY>';
$conf['proxy']['port']                                  = 8080;


$conf['superuser']                                        = '@<WIKI_ADMINS>';
$conf['manager']                                          = '@<WIKI_ADMINS>';
$conf['authtype']                                          = 'authad';
$conf['plugin']['authad']['account_suffix']       = '';
$conf['plugin']['authad']['base_dn']                = 'OU=BLA,DC=aa,DC=bb,DC=ch';
$conf['plugin']['authad']['domain_controllers'] = '<DC1>,<DC2>';
$conf['plugin']['authad']['admin_username']    = '<ADMIN>';
$conf['plugin']['authad']['admin_password']     = '<PASSWORD>';
$conf['plugin']['authad']['sso']                        = 1;
$conf['plugin']['authad']['real_primarygroup']   = 1;
$conf['plugin']['authad']['debug']                     = 1;
$conf['plugin']['authad']['recursive_groups']      = 1;
$conf['plugin']['authad']['expirywarn']              = 0;


As I am able to login manually with an AD user, I assume the basic configuration works, but the SSO part does not. Altough I am pretty sure, that all of the configuration is correct and should work according to all the resources I have read.

Did I miss something or do you see an error?

Any help is appreciated.

Best regards
anqk #2
Member for 3 months · 2 posts
Group memberships: Members
Show profile · Link to this post
Subject: Apache + Kerberos + Smartcard + SSO
Well, I am able to log in with Kerberos using AD credentials using the mentioned configuration, because I used the wrong user, which does have a certificate, but no password. So Kerberos authentification seems to work. There is additional complexity with the smartcard with a certificate on it and it seems that there is no solution to cover this. I would probably need a combination of the authad and smartcard plugins, however the SSO part will probably still not work.

If we had Apache < 2.4 we would be able to implement NTLM over Apache like it is described in This is what we actually had before the servers were upgraded, where Apache was upgraded from 2.2. to 2.4.

As I do not want to hassle with this anymore, I just decided to create the ~100 users once and do updates and modifications manually.
Exzellius #3
Member for 3 months · 25 posts · Location: Bamberg
Group memberships: Members
Show profile · Link to this post

if you want to use 2 auth plugins at once, I can recommend the plugin authchained

here you can configure multiple auth sources that need to be available

don't know if this helps

Close Smaller – Larger + Reply to this post:
Verification code: VeriCode Please enter the word from the image into the text field below. (Type the letters only, lower case is okay.)
Smileys: :-) ;-) :-D :-p :blush: :cool: :rolleyes: :huh: :-/ <_< :-( :'( :#: :scared: 8-( :nuts: :-O
Special characters:
Go to forum
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Current time: 2019-04-20, 01:03:15 (UTC +02:00)