[Cialug] apache2 authentication with Windows PDC

Tim Champion timchampion at gmail.com
Thu Dec 2 13:36:49 CST 2010


Ok, I'm going to try the Kerberos way.  It may take me a bit - I gotta find
something to eat here :)   I already have mod_auth_kerb showing up on my
phpinfo(), so that's one thing down   w00t

Tim Champion
timchampion at gmail.com


On Thu, Dec 2, 2010 at 1:30 PM, Jeffrey Ollie <jeff at ocjtech.us> wrote:

> On Thu, Dec 2, 2010 at 1:21 PM, Christopher R. Rhodes
> <arreyder at apache.org> wrote:
> >
> >> Chris -  You mentioned Kerberos authentication.  Correct me if I'm
> >> wrong, but from what you described, it looks like you would have to
> >> export that keytab file every time a user changes.  The goal I'm trying
> >> to reach here is if a user is terminated on the PDC, that user would
> >> immediately lose access to the directory in question on the web server.
> >> I don't want a process to export a file.  Maybe that's not what you are
> >> suggesting, and if not, please correct me.
> >>
> >
> > Nope, the user you create and its keytab is just to represent/identify
> the service.  You can disable logins for it.  It
> > should never change.  Any AD user in the correct group will be able to
> auth against that service.   It's not really a
> > "real" user it's more of a service account.  It works wonderfully.  I've
> been using it for years in a very big way to
> > provide SSO for windows users to some of our internal applications.
> >
> >
> > The AD keytab business looks something like this:
> >
> > ktpass -princ HTTP/fqdn-of-webserver.domain.com@SOME.REALM.COM
> >  -mapuser apache-kerberos-user -crypto rc4-hmac-nt
> >  -ptype KRB5_NT_SRV_HST -pass SECRET_PASSWORD_GOES_HERE
> >  -out c:\apache.keytab
>
> +1 on the Kerberos authentication.  It works great for me at work and
> if you're using IE as the browser you won't even have to enter a
> username/password.
>
> The only issue that I have had is that I needed to make sure that my
> Kerberos service principal used the fully qualified hostname of the
> server rather than whatever hostname the web site was using (which
> could be different depending on if you are using virtual hosts).  The
> only other thing that Kerberos authentication won't do for you is to
> limit access to groups of AD users.
>
> --
> Jeff Ollie
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
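Added example, not part of the thread: the Apache side of the setup the replies describe, with the keytab produced by the ktpass line above, the service principal pinned to the server's FQDN as Jeff recommends, and the one thing Jeff notes Kerberos alone will not do, restricting access to an AD group, handled by mod_authnz_ldap looking the user up in AD on each request. Every name here is an assumption: realm EXAMPLE.COM, web server www.example.com, domain controller dc1.example.com, keytab at /etc/apache2/apache.keytab, group "WebApp Users", and a dedicated read-only bind account for the LDAP lookup. Two caveats worth knowing before copying the ktpass line: rc4-hmac-nt is the legacy key type, and on 2008-or-later domain controllers ktpass also accepts AES256-SHA1; and whatever principal name you give ktpass is the one KrbServiceName must match, which you can confirm on the Linux box with klist -kt against the keytab.

```apache
# Added example (not from the thread): mod_auth_kerb SSO for one directory,
# plus an AD group check via mod_authnz_ldap. All hostnames, DNs, paths and
# the bind password are hypothetical placeholders.
LoadModule auth_kerb_module   modules/mod_auth_kerb.so
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# The LDAP bind below goes over ldaps, so Apache must trust the domain CA
# that issued the DC's certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/domain-ca.pem

<Directory "/var/www/html/restricted">
    AuthType Kerberos
    AuthName "Windows domain login"

    # Must be exactly the principal that is in the keytab: the server's
    # FQDN, not whatever ServerName a virtual host happens to use.
    # Check with: klist -kt /etc/apache2/apache.keytab
    KrbServiceName HTTP/www.example.com@EXAMPLE.COM
    KrbAuthRealms  EXAMPLE.COM
    Krb5Keytab     /etc/apache2/apache.keytab

    # Negotiate (SPNEGO) only. With KrbMethodK5Passwd On, a browser that
    # cannot do Negotiate falls back to Basic auth and sends the user's AD
    # password to Apache in the clear unless the site is on TLS.
    KrbMethodNegotiate On
    KrbMethodK5Passwd  Off

    # Strip "@EXAMPLE.COM" so REMOTE_USER is the bare sAMAccountName,
    # which is what the LDAP filter below matches on.
    KrbLocalUserMapping On
    KrbSaveCredentials  Off

    # Authorization. Kerberos only proves who the user is; membership in
    # the group is checked against AD at request time, so removing the
    # user from the group (or disabling the account, which already stops
    # the ticket step) takes effect immediately with nothing to export.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN       "CN=apache-ldap-reader,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "placeholder-change-me"
    # AD stores members as full DNs in the group's "member" attribute.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=WebApp Users,OU=Groups,DC=example,DC=com
</Directory>
```

Because mod_authnz_ldap is not the module that authenticated the user, it resolves the user's DN from REMOTE_USER with the AuthLDAPURL filter before evaluating the group, which is why KrbLocalUserMapping has to be on. Browsers will only send a Negotiate token to a host they consider intranet (IE's Local Intranet zone; Firefox's network.negotiate-auth.trusted-uris), so a visitor outside that list simply gets a 401 with this configuration rather than a password prompt.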