I'm sharing another use case: a "Kerberos + HEADER-based application SSO" implementation with Apache and its Kerberos module. Despite modern authentication mechanisms, there are times you end up building a custom authentication and Single Sign-On solution for an application.
One such situation is providing seamless access to an application from an Active Directory domain-joined machine. Technically this means taking the Kerberos ticket the device already holds, validating it at the web server, and using the resulting identity to log the user into the HEADER-based application.
Using the Apache web server, the Kerberos module, and a few Apache rules, we can give users coming from an AD domain-joined machine a Single Sign-On experience. The security of this design rests on one point: the application trusts whatever REMOTE_USER header it receives, so that header must only ever be settable by the Apache proxy, which means the application must not be reachable except through it.
I am assuming that the Apache web server is installed, the mod_auth_kerb module is enabled, and the application is configured to log users in from the REMOTE_USER header.
The first step is to generate a keytab file for your Apache server with the ktpass command, run on a domain controller (or a machine with the AD administration tools) against the AD service account the SPN will be mapped to.
Example command:
ktpass -princ HTTP/<<HOSTNAME>>@<<DOMAIN>> -mapuser apache -crypto All -pass <<password>> -ptype KRB5_NT_PRINCIPAL -out apache.keytab
Two notes on this command. The -DesOnly flag that older guides add alongside -crypto All should be left out: DES is disabled by default in current Active Directory and the two options conflict. And because ktpass also resets the mapped account's password to the value given and the keytab holds that account's long-term key, use a dedicated service account, copy the keytab to the Apache host over a secure channel, and restrict it (owned by the account Apache runs as, mode 0600).
I had configured Apache 2.4.6 on RHEL 7.9 with the Kerberos module, using the VirtualHost below in the "httpd" conf file: it enables auth_kerb_module and adds rules that read the authenticated user and set it as a request header for the application.
<VirtualHost *:80 *:443>
    ServerName <<ServerName>>
    # For the 443 listener you also need SSLEngine On plus the certificate directives (not shown here).

    <Location />
        AuthType Kerberos
        KrbMethodNegotiate On
        # Fallback to Basic auth checked against the KDC. Only safe over TLS,
        # since it sends the user's AD password to the web server.
        KrbMethodK5Passwd On
        KrbServiceName HTTP/<<HOSTNAME>>@<<DOMAIN>>
        KrbAuthRealms <<DOMAIN>>
        Krb5KeyTab /etc/apache.keytab
        # Strip the @REALM so REMOTE_USER is the bare account name
        KrbLocalUserMapping On
        Require valid-user

        # Look ahead to the authenticated user and copy it into the RU env var
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        # Response header, handy for checking the result from the browser
        Header add X-Remote-User "%{RU}e" env=RU
        # Request header the back-end application reads to log the user in.
        # 'set' overwrites any REMOTE_USER header the client itself sent.
        RequestHeader set REMOTE_USER %{RU}e env=RU
    </Location>

    # Back-end TLS verification is disabled here: Apache accepts any certificate
    # from the application host. Acceptable only on a trusted network segment.
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://<<Application_HOST_NAME>>:<PORT>/
    ProxyPassReverse / https://<<Application_HOST_NAME>>:<PORT>/
</VirtualHost>
Restart Apache and try to access the application from the AD-joined machine; the X-Remote-User response header should show the logged-in account name (curl's --negotiate option is another way to test this from a machine with a Kerberos ticket). Before going live, confirm that the application host itself is reachable only from the Apache server (firewall rule or listener binding), since anyone who can reach it directly can set REMOTE_USER to any account they like.
Thanks
Siva Pokuri.