kerberos authentication for apache on windows - Kerberos


Thread: kerberos authentication for apache on windows

  1. kerberos authentication for apache on windows

    Hello,

    I'm new to kerberos, and I want to know if the following configuration is
    possible:

    I have an Apache2 web server running on Windows 2003 Server, and I want to
    authenticate users with kerberos before they can access the web server
    content. The kdc service seems to be up and running on the Windows 2003 server.

    1/ how can I check that a client (Windows XP) that has just logged into the
    domain, has been given a TGT?

    Now I have to "kerberize" the Apache server. I found mod_auth_kerb
    (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
    headers and libs for a Kerberos implementation.

    2/ Can I use Windows implementation to compile it? Or do I have to install
    another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
    build it?

    3/ How can I be sure only Kerberos is used (and not NTLM)?

    Thanks for any information.
    --
    Julien ALLANOS
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: kerberos authentication for apache on windows

    Hi Julien,

    I have it working with the modgssapache module - although I'm not sure
    that apache module works on anything but Unix (I've used it on FreeBSD
    without problems).

    The nice thing about it, is that it supports single-sign-on - as I
    understand it, mod_auth_kerb does not.

    on 06/02/05 12:48 Julien ALLANOS wrote:
    > Hello,
    >
    > I'm new to kerberos, and I want to know if the following configuration is
    > possible:
    >
    > I have an Apache2 web server running on Windows 2003 Server, and I want to
    > authenticate users with kerberos before they can access the web server
    > content. The kdc service seems to be up and running on the Windows 2003 server.
    >
    > 1/ how can I check that a client (Windows XP) that has just logged into the
    > domain, has been given a TGT?
    >
    > Now I have to "kerberize" the Apache server. I found mod_auth_kerb
    > (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
    > headers and libs for a Kerberos implementation.
    >
    > 2/ Can I use Windows implementation to compile it? Or do I have to install
    > another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
    > build it?
    >
    > 3/ How can I be sure only Kerberos is used (and not NTLM)?
    >
    > Thanks for any information.


    --
    Regards,
    Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
    PGP: 7E063C62/2873 188C 968E 600D D8F8 B8DA 3D3A 0B79 7E06 3C62

    "Those who do not understand Unix are condemned to reinvent it, poorly."
    --Henry Spencer


  3. Re: kerberos authentication for apache on windows

    Julien ALLANOS wrote:
    > Hello,
    >
    > I'm new to kerberos, and I want to know if the following configuration is
    > possible:
    >
    > I have an Apache2 web server running on Windows 2003 Server, and I want to
    > authenticate users with kerberos before they can access the web server
    > content. The kdc service seems to be up and running on the Windows 2003 server.
    >
    > 1/ how can I check that a client (Windows XP) that has just logged into the
    > domain, has been given a TGT?


    If you want a visual indication, you can use:

    * the "klist" tool provided by Microsoft with Windows

    * the "kerbtray" tool provided by Microsoft in the Resource Kit

    * MIT Kerberos for Windows and its Leash Ticket Manager,

    > Now I have to "kerberize" the Apache server. I found mod_auth_kerb
    > (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
    > headers and libs for a Kerberos implementation.
    >
    > 2/ Can I use Windows implementation to compile it? Or do I have to install
    > another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
    > build it?


    If you want to build an Apache module that uses the MIT Kerberos APIs,
    you can build the module against the SDK that is installed as a part of
    MIT Kerberos for Windows.

    Jeffrey Altman


    --
    -----------------
    This e-mail account is not read on a regular basis.
    Please send private responses to jaltman at mit dot edu

  4. Re: kerberos authentication for apache on windows

    Quoting Jeffrey Altman:

    > Julien ALLANOS wrote:
    >> Hello,
    >>
    >> I'm new to kerberos, and I want to know if the following configuration is
    >> possible:
    >>
    >> I have an Apache2 web server running on Windows 2003 Server, and I want to
    >> authenticate users with kerberos before they can access the web server
    >> content. The kdc service seems to be up and running on the Windows
    >> 2003 server.
    >>
    >> 1/ how can I check that a client (Windows XP) that has just logged into the
    >> domain, has been given a TGT?

    >
    > If you want a visual indication, you can use:
    >
    > * the "klist" tool provided by Microsoft with Windows
    >
    > * the "kerbtray" tool provided by Microsoft in the Resource Kit
    >
    > * MIT Kerberos for Windows and its Leash Ticket Manager,
    >
    >> Now I have to "kerberize" the Apache server. I found mod_auth_kerb
    >> (http://modauthkerb.sourceforge.net/). To compile it for Windows, I need
    >> headers and libs for a Kerberos implementation.
    >>
    >> 2/ Can I use Windows implementation to compile it? Or do I have to install
    >> another Kerberos implementation (such as MIT for Windows 2.6.5) in order to
    >> build it?

    >
    > If you want to build an Apache module that uses the MIT Kerberos APIs,
    > you can build the module against the SDK that is installed as a part of
    > MIT Kerberos for Windows.
    >
    > Jeffrey Altman


    Thanks.

    I have installed kerbtray, and I can see the following tickets for
    MY.DOMAIN.COM:

    cifs/srv.my.domain.com
    krbtgt/MY.DOMAIN.COM (forwarded)
    krbtgt/MY.DOMAIN.COM (initial)
    ldap/srv.my.domain.com/my.domain.com

    So I suppose the krbtgt are the TGT. But why two tickets?

    I've succeeded in building mod_spnego.so for Windows, using MIT kfw 2.6.5,
    fbopenssl, openssl and apache2. Then I've created a user in AD, and a
    corresponding keytab for HTTP/my.domain.com@MY.DOMAIN.COM.

    I'm using the following configuration for Apache:


    AuthType SPNEGO
    Krb5KeyTabFile conf/rp.HTTP.keytab
    Krb5ServiceName HTTP
    Require valid-user


    Here is a summary of an access to the web server:

    C -> GET / -> S
    C <- 401, WWW-Authenticate: Negotiate <- S

    C -> GET /, Authorization: Negotiate xxxxx -> S
    C <- 401 <- S

    Here are the last 3 lines of error.log:

    [Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: entering authenticateUser
    [Thu Jun 02 15:39:42 2005] [info] [client 192.168.100.191] mod_spnego: Authorization value is "Negotiate xxxxxx"
    [Thu Jun 02 15:39:42 2005] [error] [client 192.168.100.191] mod_spnego: received type 1 NTLM token

    So what's wrong please? I really need to make Kerberos work, not NTLM.

    Thanks for any help.
    --
    Julien ALLANOS
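
Added example, not part of the thread and not mod_spnego's own code: the error.log in post 4 shows the server receiving a raw NTLM type 1 message where a SPNEGO token was expected, and this Python sketch draws the same distinction on an "Authorization: Negotiate" value and lists the mechanisms a SPNEGO token offers. The function names and both sample tokens are constructed for illustration.

```python
import base64
import struct

MECHS = {  # DER-encoded OID bytes of the mechanisms a Negotiate token can name
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (legacy Microsoft OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at pos, whose tag must be want."""
    if buf[pos] != want:
        raise ValueError("unexpected tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Return (kind, mechs) for an 'Authorization: Negotiate <base64>' value."""
    tok = base64.b64decode(header_value.split()[-1], validate=True)
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:  # raw NTLM, no SPNEGO wrapper
        return "ntlm-raw", ["NTLMSSP type %d" % struct.unpack_from("<I", tok, 8)]
    try:
        body, _ = read_tlv(tok, 0, 0x60)        # [APPLICATION 0] GSS-API token
        oid, pos = read_tlv(body, 0, 0x06)      # thisMech
        if MECHS.get(oid) != "SPNEGO":
            return "gss-direct", [MECHS.get(oid, oid.hex())]
        init, _ = read_tlv(body, pos, 0xA0)     # [0] NegTokenInit
        seq, _ = read_tlv(init, 0, 0x30)
        field, _ = read_tlv(seq, 0, 0xA0)       # [0] mechTypes
        mech_list, _ = read_tlv(field, 0, 0x30)
        mechs, pos = [], 0
        while pos < len(mech_list):             # client's preference order
            oid, pos = read_tlv(mech_list, pos, 0x06)
            mechs.append(MECHS.get(oid, oid.hex()))
    except (IndexError, ValueError):
        return "unparsed", []
    return "spnego", mechs

def tlv(tag, value):  # short-form DER encoder, used only to build the constructed sample
    return bytes([tag, len(value)]) + value

# Constructed samples, not captured traffic: raw NTLM type 1; SPNEGO offering Kerberos first.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<II", 1, 0)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(tlv(0x60, tlv(6, list(MECHS)[0]) + tlv(0xA0, tlv(
    0x30, tlv(0xA0, tlv(0x30, b"".join(tlv(6, o) for o in list(MECHS)[1:]))))))).decode()
```

A result of "ntlm-raw" corresponds to the "received type 1 NTLM token" error in the log above; "spnego" returns the offered mechanisms in the order the client listed them.
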


  5. Re: kerberos authentication for apache on windows

    Quoting Klavs Klavsen:

    > Hi Julien,


    Hello,

    > I have it working with the modgssapache module - although I'm not sure
    > that apache module works on anything but Unix (I've used it on FreeBSD
    > without problems).


    This module is only for Apache 1. I need an Apache 2 module.
    >
    > The nice thing about it, is that it supports single-sign-on - as I
    > understand it, mod_auth_kerb does not.
    >


    What makes you say this, please? Any link? Thanks.
    --
    Julien ALLANOS


  6. Re: kerberos authentication for apache on windows

    FYI, mod_spnego (which can be found at
    http://sourceforge.net/projects/modgssapache/) supports Apache 1.3 and 2.0
    on Linux, Solaris and Windows.

    Frank




    Julien ALLANOS
    Sent by: kerberos-bounces@mit.edu
    06/03/2005 08:13 AM

    To: kerberos@mit.edu
    cc:
    Subject: Re: kerberos authentication for apache on windows

    Quoting Klavs Klavsen:

    > Hi Julien,


    Hello,

    > I have it working with the modgssapache module - although I'm not sure
    > that apache module works on anything but Unix (I've used it on FreeBSD
    > without problems).


    This module is only for Apache 1. I need an Apache 2 module.
    >
    > The nice thing about it, is that it supports single-sign-on - as I
    > understand it, mod_auth_kerb does not.
    >


    What makes you say this, please? Any link? Thanks.
    --
    Julien ALLANOS


  7. Re: kerberos authentication for apache on windows

    Klavs Klavsen wrote:
    > The nice thing about it, is that it supports single-sign-on - as I
    > understand it, mod_auth_kerb does not.


    If you mean the Negotiate authentication using SPNEGO/Kerberos,
    mod_auth_kerb does support it as well.

  8. Re: kerberos authentication for apache on windows

    On Wed, June 8, 2005 12:19, Daniel Kouril said:
    > Klavs Klavsen wrote:
    >> The nice thing about it, is that it supports single-sign-on - as I
    >> understand it, mod_auth_kerb does not.

    >
    > If you mean the Negotiate authentication using SPNEGO/Kerberos,
    > mod_auth_kerb does support it as well.


    That was what I meant. Thanks for clearing that up.

    --
    Klavs Klavsen


