Apache + Kerberos + SSO
anqk #1
Member since Jan 2019 · 2 posts
Group memberships: Members
Subject: Apache + Kerberos + SSO
Hi all

I have issues with automatic login. I just cannot get into the Wiki without entering a password. I have no idea anymore. I have double checked whether there is any thread in this forum and I have also checked lots of Google links, and by now I think I have everything in place to get this working; however, I can only log in by entering correct AD credentials => I get a login form instead of automatic login.

Let's assume the following:

- Domain is AA.BB.CH
- Wiki is accessible through (note that it is not or something similar, but that should not matter anyway).
- Internet Explorer is our internal standard. The settings are as described in the howtos.

For reasons of privacy I obfuscated the sensitive parts in <> (case-sensitive).

[logging]
  default = FILE:/var/log/krb5/krb5.log
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/krb5admin_server.log

[libdefaults]
  default_ccache_name = FILE:/var/log/apache2/krb5cc_%{uid}
  default_realm = AA.BB.CH
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  default_keytab_name = /etc/apache2/conf.d/<KEYTAB>

[realms]
  AA.BB.CH = {
    kdc = <DC1>
    kdc = <DC2>
    admin_server = <DC1>
    default_domain =
  }

[domain_realm] = AA.BB.CH  = AA.BB.CH  = AA.BB.CH = AA.BB.CH = AA.BB.CH

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

I can get a ticket using kinit <MY_USER>, so basic communication with AD works.

Apache 2.4 Linux

# Kerberos Auth
AuthType Kerberos
AuthName AA.BB.CH
KrbAuthRealms AA.BB.CH
KrbServiceName HTTP
Krb5Keytab /etc/apache2/conf.d/<KEYTAB>
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbLocalUserMapping on
KrbAuthoritative on
KrbVerifyKDC on
Require valid-user


Wiki local.protected.php

// proxy settings
$conf['proxy']['host'] = '<PROXY>';
$conf['proxy']['port'] = 8080;

$conf['superuser'] = '@<WIKI_ADMINS>';
$conf['manager']   = '@<WIKI_ADMINS>';
$conf['authtype']  = 'authad';
$conf['plugin']['authad']['account_suffix']     = '';
$conf['plugin']['authad']['base_dn']            = 'OU=BLA,DC=aa,DC=bb,DC=ch';
$conf['plugin']['authad']['domain_controllers'] = '<DC1>,<DC2>';
$conf['plugin']['authad']['admin_username']     = '<ADMIN>';
$conf['plugin']['authad']['admin_password']     = '<PASSWORD>';
$conf['plugin']['authad']['sso']                = 1;
$conf['plugin']['authad']['real_primarygroup']  = 1;
$conf['plugin']['authad']['debug']              = 1;
$conf['plugin']['authad']['recursive_groups']   = 1;
$conf['plugin']['authad']['expirywarn']         = 0;


As I am able to log in manually with an AD user, I assume the basic configuration works, but the SSO part does not, although I am pretty sure that all of the configuration is correct and should work according to all the resources I have read.

Did I miss something or do you see an error?

Any help is appreciated.

Best regards
anqk #2
Member since Jan 2019 · 2 posts
Group memberships: Members
Subject: Apache + Kerberos + Smartcard + SSO
Well, I am able to log in with Kerberos using AD credentials using the mentioned configuration, because I used the wrong user, which does have a certificate, but no password. So Kerberos authentication seems to work. There is additional complexity with the smartcard with a certificate on it and it seems that there is no solution to cover this. I would probably need a combination of the authad and smartcard plugins, however the SSO part will probably still not work.

If we had Apache < 2.4 we would be able to implement NTLM over Apache like it is described in This is what we actually had before the servers were upgraded, where Apache was upgraded from 2.2 to 2.4.

As I do not want to hassle with this anymore, I just decided to create the ~100 users once and do updates and modifications manually.
Exzellius #3
Member since Jan 2019 · 26 posts · Location: Bamberg
Group memberships: Members

if you want to use 2 auth plugins at once, I can recommend the plugin authchained

here you can configure multiple auth sources that need to be available

don't know if this helps

Exzellius #4
Member since Jan 2019 · 26 posts · Location: Bamberg
Group memberships: Members
Subject: same problem, no smartcard
Hey there,

I wanted to activate SSO for my wiki and ran into the same issue that anqk described (except the smartcard):
authentication via kerberos is working, SSO is not :(

I am running the current stable release Greebo
I am running authchained as I need authad & authplain to work unisono, authad is preferred
browser-config seems to be ok

[libdefaults]
    # "dns_canonicalize_hostname" and "rdns" are better set to false for improved security.
    # If set to true, the canonicalization mechanism performed by Kerberos client may
    # allow service impersonation, the consequence is similar to conducting TLS certificate
    # verification without checking host name.
    # If left unspecified, the two parameters will have default value true, which is less secure.
#    dns_canonicalize_hostname = false
#    rdns = false
    default_realm = AA.BB.CC
    dns_lookup_kdc = true
    forwardable = true


[domain_realm] = AA.BB.CC = AA.BB.CC

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

/**
 * Protected settings
 * Do override DokuWiki default settings and local settings from Config Manager
 */

$conf['useacl']   = 1;
$conf['authtype'] = 'authchained';

$conf['plugin']['authad']['account_suffix']     = '';
$conf['plugin']['authad']['base_dn']            = 'DC=aa,DC=bb,DC=cc';
$conf['plugin']['authad']['domain_controllers'] = ',';

#$conf['plugin']['authad']['ad_username']        = 'USER';
#$conf['plugin']['authad']['ad_password']        = 'PASSWORD';
$conf['plugin']['authad']['sso']                = 1;
$conf['plugin']['authad']['admin_username']     = 'USER';
$conf['plugin']['authad']['admin_password']     = 'PASSWORD';
$conf['plugin']['authad']['use_ssl']            = 1;
$conf['plugin']['authad']['debug']              = 1;
$conf['plugin']['authad']['recursive_groups']   = 1;

# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:>

<IfDefine SSL>
    <IfDefine !NOSSL>
        DocumentRoot "/srv/www/htdocs/"
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
        SSLCertificateFile /etc/apache2/Zertifikate/hostname.crt
        SSLCertificateKeyFile /etc/apache2/Zertifikate/hostname.key
        SSLCertificateChainFile /etc/apache2/Zertifikate/hostname_chain.crt
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/srv/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        CustomLog /var/log/apache2/ssl_request_log   ssl_combined

        <Location /srv/www/htdocs>
            AuthType Kerberos
            AuthName "Kerberos"
            KrbAuthRealms AA.BB.CC
            KrbServiceName HTTPS/HOSTNAME@AA.BB.CC
            Krb5Keytab /srv/www/htdocs/dokuwiki/krb5.keytab
            KrbMethodNegotiate On
            KrbMethodK5Passwd On
            KrbSaveCredentials On
            require valid-user
        </Location>
    </IfDefine>
</IfDefine>


any ideas why SSO might not be working?

Thanks in advance
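Both posts describe the same symptom: the browser's Negotiate attempt never succeeds, so Apache or DokuWiki falls back to asking for a password. The checker below is an added example, not code from this thread or from DokuWiki; it runs the prerequisites for browser Negotiate SSO (service class HTTP even for https URLs, a matching keytab entry, a URL-space Location, a keytab outside DocumentRoot) against a constructed config modelled on the block above. The hostname wiki.aa.bb.cc, the keytab listing and the sample config are assumptions.

```python
import re

# Constructed sample modelled on the Apache block in the post above (not the poster's real file).
APACHE_CONF = """
DocumentRoot "/srv/www/htdocs/"
<Location /srv/www/htdocs>
    AuthType Kerberos
    KrbAuthRealms AA.BB.CC
    KrbServiceName HTTPS/wiki.aa.bb.cc@AA.BB.CC
    Krb5Keytab /srv/www/htdocs/dokuwiki/krb5.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
</Location>
"""
# Constructed principal list, as 'klist -k' would print it for that keytab.
KEYTAB_PRINCIPALS = ["HTTP/wiki.aa.bb.cc@AA.BB.CC"]

def directive(conf, name):
    """First value of an Apache directive, quotes stripped (None if absent)."""
    m = re.search(r'^\s*%s\s+"?([^"\n]+?)"?\s*$' % name, conf, re.M | re.I)
    return m.group(1) if m else None

def check_sso(conf, keytab_principals, browser_host):
    """Return findings that explain why Negotiate SSO fails or is unsafe with this config."""
    findings = []
    realm = directive(conf, "KrbAuthRealms")
    svc = directive(conf, "KrbServiceName") or "HTTP"
    # mod_auth_kerb treats a value containing '/' as the full service principal name.
    spn = svc if "/" in svc else "%s/%s@%s" % (svc, browser_host, realm)
    # Browsers ask the KDC for HTTP/<host as typed in the URL>, also for https URLs.
    expected = "HTTP/%s@%s" % (browser_host.lower(), realm)
    if spn.lower() != expected.lower():
        findings.append("SPN mismatch: browser requests %s, Apache expects %s" % (expected, spn))
    if expected.lower() not in [p.lower() for p in keytab_principals]:
        findings.append("keytab has no key for %s" % expected)
    if (directive(conf, "KrbMethodNegotiate") or "off").lower() != "on":
        findings.append("KrbMethodNegotiate is off, so no Negotiate challenge is sent")
    docroot = (directive(conf, "DocumentRoot") or "").rstrip("/")
    loc = re.search(r"<Location\s+([^>\s]+)", conf)
    if loc and docroot and loc.group(1).startswith(docroot):
        findings.append("<Location> matches URL paths, not filesystem paths: auth never covers the wiki URL")
    keytab = directive(conf, "Krb5Keytab") or ""
    if docroot and keytab.startswith(docroot):
        findings.append("keytab lies inside DocumentRoot and may be served to clients; move it out")
    if (directive(conf, "KrbMethodK5Passwd") or "off").lower() == "on":
        findings.append("KrbMethodK5Passwd on: a failed Negotiate falls back to a password prompt")
    return findings

if __name__ == "__main__":
    print("\n".join("- " + f for f in check_sso(APACHE_CONF, KEYTAB_PRINCIPALS, "wiki.aa.bb.cc")))
```

Run against the sample it reports four findings; with the service class changed to HTTP, the Location set to the wiki's URL path, the keytab moved out of DocumentRoot and K5Passwd off, it reports none.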
FosseWay #5
Member since May 2016 · 118 posts · Location: Canada
Group memberships: Members
Getting SSO + Kerberos to work on a corporate wiki was a real struggle for me too, but I finally achieved it. Please check this thread where both I and at least one other user posted our issues and the eventual solution to see if it helps you. Let us know how you get on.