How To Install Mod_auth_kerb For Windows

Posted onby

Join GitHub today

GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.

To use mod_auth_kerb on your site. Install Kerberos on your web server; see Set up a Unix computer as a Kerberized application server.Instead of installing the. Install mod_auth_kerb Apache module; 3. Run Windows tool ktpass on AD domain controller to generate and output to the console two secret keys (for AES256 and RC4 encryption methods, respectively. Kerberos authentication for apache on windows. Hello, I'm new to kerberos, and I want to know if the following configuration is possible: I have an Apache2 web server running on Windows 2003. Install mod_auth_kerb on Red Hat Enterprise Linux. Install curl with GSS-negotiated support. Configure and run a Kerberos or LDAP server (for example ApacheDS) on the same host as your Red Hat JBoss Web Server. Re: kerberos authentication for apache on windows In reply to this post by kl (Bugzilla) Klavs Klavsen wrote: > The nice thing about it, is that it supports single-sign-on - as I > understand it, mod_auth_kerb does not.

Sign up
Find file Copy path
Cannot retrieve contributors at this time

How To Install Mod_auth_kerb For Windows 8

1. Prerequisites
- Development enviroment for Kerberos5 and/or Kerberos4 (i.e. libraries and
header files). The module works with the MIT Kerberos implementation
(supporting both krb4 and krb5), the kth-krb Kerberos4 implementation,
and the Heimdal Kerberos5 implementation. Kerberos libraries come with
most Linux distributions but they may not be installed by default.
- Apache server installed with SSL support.
Both 1.x and 2.x series of Apache are supported, provided they are
compiled to support DSO. SSL support (provided by either mod_ssl or
apache-ssl) is necessary for the module to work in a secure way. Most
Linux distributions contain suitable Apache packages.
- The latest source of the module available from the main project site
- Working C compiler, GNU make.
2. Building and installing the module
Unpack the distribution tarball and run the configure script to set up the
build enviroment. The script will try to find krb5 and/or krb4 libraries and
headers and an Apache installation directory. You can use following flags to
specify locations of these files:
these options are used to specify locations of the installation
directories for krb4 and krb5, respectively. If you don't want to
compile support for one of the method, use no as the appropriate
parameter or specify --without-krb5 or --without-krb4.
use this parameter to specify location where the Apache installation
After the configuration script finishes run make followed by make install.
In order to install the module you will have to have writing permission for
the apache directory.
An example of the building stage follows:
./configure --with-krb5=/software/krb5-1.3.1
make install
3. Create the Kerberos principal for the server
A service principal for the web server must be registered with the KDC in
order to let the module verify users properly. In general the principals for
web servers have names with format HTTP/[email protected], where servername
is the fully-qualified domain name of the server and REALM is your Kerberos
realm. If you have multiple virtual servers requiring authentication
service principals have to be generated for each virtual servername. After
creating the service principal, corresponding Kerberos keys must be
extracted to a keytab file stored on the server host. Steps to create the
principal and extracting the keys vary depending on the KDC server type
Heimdal or MIT KDC
From the www machine start the kadmin command, connect to the KDC and create
principal HTTP/[email protected] with a random key(s). Then extract the keys
into a local keytab and change ownership and permissions for the keytab
file so that only the apache user can access it. Example using kadmin from
kadmin -p [email protected] -r REALM ank -r HTTP/[email protected]
kadmin -p [email protected] -r REALM ext -k /etc/httpd/keytab HTTP/[email protected]
chown nobody /etc/httpd/keytab
chmod 400 /etc/httpd/keytab
Windows 2000 Domain Controler
The Kerberos realm in Active Directory is the same as the DNS domain
name of the AD domain. For example, a Kerberos principal for host might be 'HTTP/[email protected]'.
To install the principal in AD you first need to create a user account in the
domain for the server. It makes sense to call this account something
meaningful, maybe 'httpd_servername' so that it is obvious what this account is
used for. To create the account you can use standard AD tools. Make sure that
the user account has 'Password never expires' set and write down the password
you set for the account (you will need it later).
When using ticket based authentication (KrbMethodNegotiate) and also wanting
to save the ticket (KrbSaveCredentials), the user account for the Kerberos
principal must have the option 'Account is trusted for delegation' set. This
enables to user account to delegate the tickets to the server for further
If you want to kerberize additional hosts you need to create one user account
per each kerberized host.
The Kerberos principal is associated with a user account with the ktpass.exe
tool that is part of the Microsoft Support Tools package. This tools needs to
be run on a domain controller. To associate a Kerberos principal with a user
account just run ktpass.exe in a command prompt with appropriate parameters to
create a keytab file. Full description of the ktpass.exe command can be found
ktpass -out c:apache.ktab -princ HTTP/[email protected]
-pass account_password -mapuser httpd_servername -crypto DES-CBC-MD5
In the above the c:apache.ktab is the name of the created keytab file,
account_passwored is the password you set for the user account and
httpd_servername is the name of the user account. The DES-CBC-MD5 encryption
is needed to get Heimdal to work with Microsoft KDC, MIT Kerberos does not
seem to need it but it does not hurt either. In fact, RFC1510 discourages
using DES-CBC-CRC (default in Win2k ktpass.exe) so it's probably better to
use DES-CBC-MD5 in all cases.
You need to copy the keytab file to your web server in a secure way to avoid
revealing the server key(s). Note that the copy needs to be done in binary
mode to avoid corrupting the file. Make sure that the keytab file is owned by
the apache user and only readable to this user (i.e. the permissions are 400).
After copying the keytab verify the content using the ktutil tool.
See for more information about using
mod_auth_kerb with Windows KDC.
4. Verifying krb5 on the server host
Before starting configuring the module make sure your Kerberos enviroment on
the web host is properly configured. The easiest way to check is using the
kinit command to get a ticket from the KDC.
5. Configuring mod_auth_kerb
First make sure that Apache works as expected.
You need to load the mod_auth_kerb module. To do this, add a LoadModule
statement into the appropriate section of httpd.conf file.
LoadModule auth_kerb_module modules/
The configuration of mod_auth_kerb can be done per directory. The
configuration directives can be stored in either a <Directory> section of
httpd.conf or in a .htaccess file in the coresponding directory. Example of a
Directory section from httpd.conf:
<Directory /var/www/private>
AuthType Kerberos
AuthName 'Kerberos Login'
Krb5Keytab /etc/apache/apache.keytab
Require valid-user
The Krb5Keytab file is the one created as described above in section 3.
Summary of all configuration directives supported by the module can be found in
6. Configuring the browsers
For password based authentication any browser supporting the Basic HTTP
authentication method can be used without any changes. In order to use
ticket based authentication (Negotiate) you will need either MS Internet
Explorer 5.0+ running on Win2000 SP2 (or later) or Mozilla with the
Negotiateauth extension (available in 1.7beta and later).
Internet Explorer
To make the Negotiate authentication work the web server hostname must be
in Internet Explorer 'Local Intranet' security zone and the 'Windows
Integrated Authentication' must be enabled in the IE advanced options.
See also a guide from Microsoft describing how to configure Windows Machine to
use Unix KDC available at
First make sure your Mozilla distribution contains the Negotiateauth component
( on Unix, negotiateauth.dll on Windows). Generally this is
included in versions 1.7beta and later on Unix platforms including Mac OSX,
maybe 1.8 and later on Windows.)
Next, you have to specify URL's for which it is allowed to use the Negotiate
authentication method. It's done by setting the
network.negotiate-auth.trusted-uris preference. In order to set it, just type
'about:config' in the URL bar and then set the value of
'network.negotiate-auth.trusted-uris' to ''.
If you want to find out what happens in the Negotiateauth component use
following environment variables:
before starting Mozilla. You will see debugging messages logged in the file
specified by NSPR_LOG_FILE (/tmp/negotiateauth.log)
KDE Konqueror
6. Access control
If you want only particular users to be able to access the secured area, you
can list their principal names in the appropriate Require directive. They must
be full Kerberos names, including the REALM part. For example:
Require user [email protected]
The user's name is put by Apache in the REMOTE_USER environment variable so
that it could be used by cgi-bin scripts.
$Id: INSTALL,v 1.9 2005/06/03 16:58:24 kouril Exp $

How To Install Mod_auth_kerb For Windows Xp

  • Copy lines
  • Copy permalink