Configure Centrify Express with Apache’s mod_auth_kerb
Posted in Operating Systems, Linux, Red Hat, Services, Apache, Tips, CentOS on Friday, May 27, 2016 by cam
I was lucky enough to spend the morning trying to get mod_auth_kerb working with our existing installation of Centrify without creating any additional SPNs.
It was actually very straightforward except for one missing component of the secret sauce, which isn't documented in many places.
To get it working, perform the following on Red Hat 6 (and CentOS 6):
```
yum install httpd
yum install mod_auth_kerb
vim /etc/httpd/conf.d/auth_kerb.conf
```

Contents of `/etc/httpd/conf.d/auth_kerb.conf`:

```
#
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
#
LoadModule auth_kerb_module modules/mod_auth_kerb.so

#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks. The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "www.example.com" is the FQDN of this server.
#
<Location /private>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms YOURDOMAIN.COM
  Krb5KeyTab /etc/krb5.keytab
  # KrbServiceName is the Centrify secret sauce
  KrbServiceName http
  require valid-user
</Location>
```

Then make the keytab readable by Apache:

```
chown root:apache /etc/krb5.keytab
chmod 640 /etc/krb5.keytab
```
And that’s it. Hopefully “KrbServiceName http” was the secret sauce you needed!
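To confirm why `KrbServiceName http` is needed on a given host, the sketch below (an added example, not code from the original post) parses `klist -k` output and reports whether the configured service name matches a keytab entry exactly. It assumes MIT-style `klist -k` output and that the Centrify-managed keytab stores the web service key as lowercase `http/`, while mod_auth_kerb defaults to `HTTP`; the host name, function names and sample listing are constructed.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01.yourdomain.com@YOURDOMAIN.COM
   3 http/web01.yourdomain.com@YOURDOMAIN.COM
   3 nfs/web01.yourdomain.com@YOURDOMAIN.COM'

# keytab_service_names FQDN REALM   (reads klist -k output on stdin)
# Prints every spelling of the http service name (case preserved) that the
# keytab holds for FQDN@REALM. Host names compare case-insensitively, realms do not.
keytab_service_names() {
    awk -v host="$1" -v realm="$2" '
        $1 ~ /^[0-9]+$/ {
            split($2, p, "[/@]")          # p[1]=service p[2]=host p[3]=realm
            if (tolower(p[1]) == "http" && tolower(p[2]) == tolower(host) && p[3] == realm)
                print p[1]
        }' | sort -u
}

# check_krb_service NAME FQDN REALM   (reads klist -k output on stdin)
# Returns 0 when NAME matches a keytab entry exactly (principals are
# case-sensitive); otherwise reports the spelling the keytab does hold.
check_krb_service() {
    _found=$(keytab_service_names "$2" "$3")
    if printf '%s\n' "$_found" | grep -qx -- "$1"; then
        echo "ok: $1/$2@$3 is in the keytab"
        return 0
    fi
    echo "mismatch: KrbServiceName $1 has no key; keytab holds: ${_found:-none}"
    return 1
}

# keytab_perms_ok "MODE OWNER GROUP", e.g. from: stat -c '%a %U %G' /etc/krb5.keytab
# Accepts only the ownership and mode set by the chown/chmod steps in the post.
keytab_perms_ok() {
    [ "$1" = "640 root apache" ]
}

# Demo on the constructed listing: the module default fails, the post's value passes.
printf '%s\n' "$SAMPLE_KLIST" | check_krb_service HTTP web01.yourdomain.com YOURDOMAIN.COM || true
printf '%s\n' "$SAMPLE_KLIST" | check_krb_service http web01.yourdomain.com YOURDOMAIN.COM
```

On a real host, pipe `klist -k /etc/krb5.keytab` into `check_krb_service` instead of the sample. Because `/etc/krb5.keytab` is the machine keytab, the `640 root:apache` mode gives the apache group read access to every service key in it, not only `http`.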