[Cialug] apache2 authentication with Windows PDC
Christopher R. Rhodes
arreyder at apache.org
Thu Dec 2 14:07:05 CST 2010
>
> The only issue that I have had is that I needed to make sure that my
> Kerberos service principal used the fully qualified hostname of the
> server rather than whatever hostname the web site was using (which
> could be different depending on if you are using virtual hosts). The
> only other thing that Kerberos authentication won't do for you is to
> limit access to groups of AD users.
>
Adding to what Jeff said, another big gotcha with kerb is time sync. The user, the httpd server and the DC must all be
very close on their clocks or the ticket will not be valid. NTPD takes the worry out of that.
crr
arreyder at apache.org
chris at ia.gov
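
A preflight check for the two gotchas raised in this thread (the service principal in the keytab must use the server's fully qualified hostname, and the clocks must be close), as an added example that is not part of the original messages. It assumes MIT-style `klist -k` output and the 5-minute default skew tolerance; the hostnames, realm and keytab path are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: 300 s is the default tolerance (MIT krb5 "clockskew", AD policy default).
MAX_SKEW_SECONDS = 300

# Constructed sample of `klist -k` output; names and path are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/intranet@EXAMPLE.LOCAL
   3 HTTP/web01.example.local@EXAMPLE.LOCAL
"""

def keytab_principals(klist_output):
    """Return (service, host, realm) tuples found in klist -k style output."""
    found = []
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry lines start with the numeric KVNO; the principal is the last field.
        if len(fields) >= 2 and fields[0].isdigit():
            m = re.fullmatch(r"([^/@]+)/([^/@]+)@(.+)", fields[-1])
            if m:
                found.append(m.groups())
    return found

def spn_matches_fqdn(klist_output, fqdn, service="HTTP"):
    """True if the keytab holds service/<fqdn>; hostnames compare case-insensitively."""
    return any(s == service and h.lower() == fqdn.lower()
               for s, h, _realm in keytab_principals(klist_output))

def clock_skew_ok(local_time, dc_time, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, skew_seconds) for two timezone-aware datetimes."""
    skew = abs((local_time - dc_time).total_seconds())
    return skew <= max_skew, skew

if __name__ == "__main__":
    import socket
    # The server's FQDN, not the virtual host name the site is served under.
    fqdn = socket.getfqdn()
    print("SPN for", fqdn, "in keytab:", spn_matches_fqdn(SAMPLE_KLIST, fqdn))
    # Constructed timestamps: local clock 412 s ahead of the DC.
    dc = datetime(2010, 12, 2, 20, 7, 5, tzinfo=timezone.utc)
    print("skew ok / seconds:", clock_skew_ok(dc + timedelta(seconds=412), dc))
```

On a real server, feed `keytab_principals` the output of `klist -k` for the keytab Apache reads, and take `dc_time` from a time query against the domain controller.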