Multiple Apache websites using Kerberos authentication (through the mod_auth_kerb module)

Michael B Allen ioplex at gmail.com
Fri Sep 11 15:31:57 EDT 2009 

On Fri, Sep 11, 2009 at 8:56 AM, Caron, Christian
<Christian.Caron at nrcan-rncan.gc.ca> wrote:
> Hi list,
>
> We have been successful in having users authenticate through the
> Kerberos mechanism on one website. The website has the same name and
> uses the same IP as the server itself (this is the name that was used to
> create the Service Principal account).
>
> When trying to use the same mechanism for a second website (different
> name, different IP, same physical server), it doesn't work.
>
> Is it possible to have only one Service Principal account and "attach"
> multiple websites to it and how can we achieve that? We would like to
> minimize the number of accounts in AD (if possible, only one per
> physical server).

Yes. Unfortunately because the MS ktpass.exe utilitiy is very simple,
it's not exactly easy.

But first, perhaps it is better to explain how this works. Then you
can actually make sense of the solution.

When a browser on an AD network authenticates with a website using
Kerberos, it goes something like this (this is mostly the same for a
non-AD Kerberos authority but most people are using AD so I'll
describe it with AD specific language):

1. Browser looks at the URL and derives a Service Principal Name
(SPN). For example, if the URL is http://www.example.com/ the SPN will
be HTTP/www.example.com at EXAMPLE.COM. This is just simple text
manipulation.

2. Browser asks AD for a "ticket" for that SPN. AD will search through
all accounts for one that has a servicePrincipalName attribute that
matches the supplied SPN. If one matches, it uses that account and
it's corresponding password to create and return the requested ticket.

3. Browser submits the ticket to the HTTP server which decodes it
(such as with mod_auth_kerb), looks at the SPN, key version number
(kvno) and encryption type and tries to locate a keytab file entry
that matches those three criteria exactly. If it finds one, it uses
that keytab entry to decrypt the ticket and in doing so authenticate
the client.

In your case, the relevant part is that the servicePrincipalName
attribute on AD accounts is multi-valued. So you can add any number of
SPNs to an account using either setspn.exe or ADSI Edit. AD will find
the account by any of those names. In fact, people frequently use both
long and short names like HTTP/as1.example.com and HTTP/as1 (note that
the actual servicePrincipalName attribute value does not include the
@EXAMPLE.COM domain part) so that people can authenticate with the
site using either http://as1/ as well as http://as1.example.com/.
Personally I think using the short names is a bad idea but it seems to
work and the short name does not require Intranet zone configuration
on the client browser.

Note that one thing to watch out for is that AD will fail to return a
ticket if the SPN requested is found on more than one account (because
it doesn't know which account to use). So be careful that you do not
accidentally create multiple service accounts with the same SPN.

Now for the bad news. As I stated, ktpass.exe is very simple. It only
generates a keytab with *one* entry. Uhg! So it will simply not do the
job. However, if you know the password, you can create a keytab
yourself using ktutil on a *nix machine with any number of entries. To
do that, first run ktpass.exe once and make a note of the output. In
particular you want to note the key version number (kvno), encryption
type and of course the password you entered. The encryption type might
displayed as a name whereas you will need to know the numeric value
for that name. Currently this is usally RC4 which I believe is 23 (I
don't remember off the top of my head). Now run ktutil on *nix and
create an entry for each SPN with the same password, encryption type
and kvno, save the keytab and use that with mod_auth_kerb.

There are also utilities that can set the password and generate a
keytab with multiple SPNs in one go. Also, professional software that
does Kerberos auth usually includes some capability to do all of this
for you. If you're using a bare-bones solution like mod_auth_kerb,
it's up to you to create a keytab.

Good luck,

Mike

-- 
Michael B Allen
PHP Active Directory Integration
http://www.ioplex.com/plexcel.html

More information about the Kerberos mailing list