Configure Centrify Express with Apache’s mod_auth_kerb

I was lucky enough to spend the morning trying to get mod_auth_kerb working with our existing installation of Centrify without creating any additional SPNs.

It was actually very straight forward except for the missing component of the secret sauce, that’s not documented in many places.
Basically to get it to work perform the following on RedHat 6 (and CentOS 6):

yum install httpd
yum install mod_auth_kerb

vim /etc/httpd/conf.d/auth_kerb.conf

# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.

LoadModule auth_kerb_module modules/

# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/", where
# "" is the FQDN of this server.

<Location /private>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  Krb5KeyTab /etc/krb5.keytab
# KrbServiceName is the Centrify secret sauce
  KrbServiceName http
  require valid-user

chown root:apache /etc/krb5.keytab
chmod 640 /etc/krb5.keytab

And that’s it. Hopefully “KrbServiceName http” was the secret sauce you needed!