[Cialug] apache2 authentication with Windows PDC

Jeffrey Ollie jeff at ocjtech.us
Thu Dec 2 13:30:14 CST 2010


On Thu, Dec 2, 2010 at 1:21 PM, Christopher R. Rhodes
<arreyder at apache.org> wrote:
>
>> Chris -  You mentioned Kerberos authentication.  Correct me if I'm
>> wrong, but from what you described, it looks like you would have to
>> export that keytab file every time a user changes.  The goal I'm trying
>> to reach here is if a user is terminated on the PDC, that user would
>> immediately lose access to the directory in question on the web server.
>> I don't want a process to export a file.  Maybe that's not what you are
>> suggesting, and if not, please correct me.
>>
>
> Nope, the user you create and its keytab is just to represent/identify the service.  You can disable logins for it.  It
> should never change.  Any AD user in the correct group will be able to auth against that service.   It's not really a
> "real" user it's more of a service account.  It works wonderfully.  I've been using it for years in a very big way to
> provide SSO for windows users to some of our internal applications.
>
>
> The AD keytab business looks something like this:
>
> ktpass -princ HTTP/fqdn-of-webserver.domain.com@SOME>REALM.COM
>  -mapuser apache-kerberos-user -crypto rc4-hmac-nt
>  -ptype KRB5_NT_SRV_HST -pass SECRET_PASSWORD_GOES_HERE
>  -out c:\apache.keytab

+1 on the Kerberos authentication.  It works great for me at work and
if you're using IE as the browser you won't even have to enter a
username/password.

The only issue that I have had is that I needed to make sure that my
Kerberos service principal used the fully qualified hostname of the
server rather than whatever hostname the web site was using (which
could be different depending on if you are using virtual hosts).  The
only other thing that Kerberos authentication won't do for you is to
limit access to groups of AD users.

-- 
Jeff Ollie
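Putting the two points above together, an added example that is not from the thread: an Apache httpd location that authenticates with the service keytab via mod_auth_kerb (SPN tied to the server's FQDN, not the virtual host name) and then uses mod_authnz_ldap to enforce the AD-group check that Kerberos alone does not provide. Hostnames, realm, keytab path, bind account and group DN are placeholders; it assumes mod_auth_kerb and mod_authnz_ldap are loaded.

```apache
# Added example (not from the thread). Placeholders: webserver.example.com,
# EXAMPLE.COM, dc1.example.com, the bind DN/password and the group DN.
<Location /protected>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Must match the principal in the keytab: HTTP/<FQDN of the server>,
    # even when the site is served under a different virtual host name.
    KrbServiceName HTTP/webserver.example.com
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/apache.keytab
    # Negotiate only: no fallback to a password prompt over the wire.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # Strip @EXAMPLE.COM so REMOTE_USER is the bare sAMAccountName for LDAP.
    KrbLocalUserMapping On

    # Authorization: look the authenticated user up in AD and require group
    # membership. A disabled account can no longer obtain tickets; removal
    # from the group is enforced here on the next request.
    AuthLDAPURL "ldap://dc1.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=apache-ldap-reader,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "PLACEHOLDER_BIND_PASSWORD"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
    Require ldap-group CN=Web Users,OU=Groups,DC=example,DC=com
</Location>
```

The bind account only needs read access to the user and group objects, and the keytab file should be readable by the httpd user alone.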

