Kerberos authetication against multiple Windows Domains
Markus Moeller
huaraz at moeller.plus.com
Tue Mar 24 20:04:01 EDT 2009
"Earl, Kevan C" <Kevan.Earl at astrazeneca.com> wrote in message
news:3154FEBCFB92804DA39A2560E17183760341FE80 at ukaprdembx02.rd.astrazeneca.net...
> Hello,
>
> I'm after some advice on how to configure Kerberos v5 to authenticate
> users from different Windows domains to the same Apache hosted
> application. Is this possible? If so, is there a simple guide on what
> needs to be done in order to achieve it that can be shared with me?
>
> I have Kerberos v5 installed with a Kerberos-capable version of Apache on
> AIX 5.3.
> I have had a keytab file generated in the Windows "EU" domain, and have
> configured the server so the application authenticates users from the "EU"
> domain.
>
> /etc/krb5.conf is similar to:
>
> [libdefaults]
> default_realm = EU.COMPANY.NET
>
> [realms]
> EU.COMPANY.NET = {
> kdc = eudc01.eu.company.net
> admin_server = eudc01.eu.company.net
> default_domain = eu.company.net
> }
>
> [domain_realm]
> .svr_domain.company.net = EU.COMPANY.NET
> svr_domain.company.net = EU.COMPANY.NET
>
> What do I need to do in order to also authenticate users from the
> companies "US" domain, which is controlled by separate domain
> controller(s), to the application?
>
If the domains have a trust you son't need to do anything. If they don't
have trust then you need to create a second keytab entry for the host in the
US DC with a sceond DNS name.
e.g. In the EU domain the server is server.eu.company.net with a key
HTTP/server.eu.company.net at EU.COMPANY.NET in eudc01 and in the US domain the
sever is server.us.company.net with a key
HTTP/server.us.company.net at US.COMPANY.NET in usdc01.
Merge both keys in one keytab for apache and configure the apache kerbereos
module to accept all names (I think it is KrbServiceName Any in
mod-auth-kerb)
> Any help anyone can give me would be very greatfully received.
>
> Regards,
> Kevan Earl
>
Regards
Markus
>
> --------------------------------------------------------------------------
> AstraZeneca UK Limited is a company incorporated in England and Wales with
> registered number: 03674842 and a registered office at 15 Stanhope Gate,
> London W1K 1LN.
> Confidentiality Notice: This message is private and may contain
> confidential, proprietary and legally privileged information. If you have
> received this message in error, please notify us and remove it from your
> system and note that you must not copy, distribute or take any action in
> reliance on it. Any unauthorised use or disclosure of the contents of this
> message is not permitted and may be unlawful.
> Disclaimer: Email messages may be subject to delays, interception,
> non-delivery and unauthorised alterations. Therefore, information
> expressed in this message is not given or endorsed by AstraZeneca UK
> Limited unless otherwise notified by an authorised representative
> independent of this message. No contractual relationship is created by
> this message by any person unless specifically indicated by agreement in
> writing other than email.
> Monitoring: AstraZeneca UK Limited may monitor email traffic data and
> content for the purposes of the prevention and detection of crime,
> ensuring the security of our computer systems and checking Compliance with
> our Code of Conduct and Policies.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list