Tutorial Apache - Kerberos authentication [ Step by step ]

Would you like to learn how to configure the Apache service Kerberos authentication on Active Directory? In this tutorial, we are going to show you how to authenticate Apache users using the Active Directory from Microsoft Windows and the Kerberos protocol.

• Ubuntu 20
• Ubuntu 19
• Ubuntu 18
• Apache 2.4.41
• Windows 2012 R2

In our example, the domain controller IP address is 192.168.15.10.

In our example, the Apache server IP address is 192.168.15.11.

Copyright © 2018-2021 by Techexpert.tips.
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means without the prior written permission of the publisher.

Apache - Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Apache.

Tutorial Windows - Domain Account Creation

• IP - 192.168.15.10
• Operacional System - WINDOWS 2012 R2
• Hostname - TECH-DC01

We need to create at least 1 account on the Active Directory database.

The ADMIN account will be used to login on the Apache server.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured to the ADMIN user: kamisama123..

This account will be used to authenticate on the Apache server.

zabbix active directory admin properties

Congratulations, you have created the required Active Directory account.

Apache - Kerberos authentication on the Active Directory

• IP - 192.168.15.11
• Operational System - Ubuntu 20
• Hostname - APACHE

Set a hostname using the HOSTNAMECTL command.

Copy to Clipboard

Edit the HOSTS configuration file.

Copy to Clipboard

Add the domain controller IP address and hostname.

Copy to Clipboard

Install the Apache server, the Kerberos module, and a list of required software.

Copy to Clipboard

On the Graphic installation, perform the following configuration:

• Kerberos realm - TECH.LOCAL
• Kerberos server - TECH-DC01.TECH.LOCAL
• Administrative server - TECH-DC01.TECH.LOCAL

You need to change the domain information to reflect your Network environment.

Edit the Kerberos configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

[libdefaults]
        default_realm = TECH.LOCAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
[realms]
        TECH.LOCAL = {
                kdc = TECH-DC01.TECH.LOCAL
                admin_server = TECH-DC01.TECH.LOCAL
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

Here is the file, after our configuration.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

Start a Kerberos session as the domain Administrator.

Copy to Clipboard

List the Kerberos session.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Add the Apache server as a domain computer.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

You need to change the Hostname.

Stop the Kerberos session as the domain Administrator.

Copy to Clipboard

Move the key file to the correct location.

Copy to Clipboard

In our example, we are going to request authentication to users trying to access a directory named TEST.

Create a directory named TEST and give the user named www-data permission over this directory.

Copy to Clipboard

Configure the Apache server to request the Kerberos authentication to users trying to access this directory.

Edit the Apache configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

Here is the file, after our configuration.

Copy to Clipboard

The Apache server was configured to request password authentication to access the directory named TEST.

The Apache service was configured to authenticate user accounts using Kerberos.

You need to change the domain information to reflect your Network environment.

Restart the Apache service.

Copy to Clipboard

Congratulations! You successfully configured the Apache authentication to use Kerberos.

Apache - Kerberos authentication Test

Open your browser and enter the IP address of your Apache web server.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11

The Apache default page will be displayed.

Open your browser and enter the IP address of your web server plus /test.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11/test

On the login screen, Enter an Active Directory username and its password.

• Username: admin
• Password: kamisama123..

After a successful login, you will be authorized to access the directory named TEST.

Congratulations! You have configured the Kerberos authentication on the Apache server.

Apache - Kerberos authentication

Apache - Kerberos authentication

Equipment list

Apache - Related Tutorial:

Tutorial Windows - Domain Account Creation

Apache - Kerberos authentication on the Active Directory

Apache - Kerberos authentication Test

Related Posts