Would you like to learn how to configure the Apache service Kerberos authentication on Active Directory? In this tutorial, we are going to show you how to authenticate Apache users using the Active Directory from Microsoft Windows and the Kerberos protocol.

• Ubuntu 20
• Ubuntu 19
• Ubuntu 18
• Apache 2.4.41
• Windows 2012 R2

In our example, the domain controller IP address is 192.168.15.10.

In our example, the Apache server IP address is 192.168.15.11.

Equipment list

The following section presents the list of equipment used to create this tutorial.

As an Amazon Associate, I earn from qualifying purchases.

Tutorial Windows - Domain Account Creation

• IP - 192.168.15.10
• Operacional System - WINDOWS 2012 R2
• Hostname - TECH-DC01

We need to create at least 1 account on the Active Directory database.

The ADMIN account will be used to login on the Apache server.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Zabbix active directory account

Create a new account named: admin

Password configured to the ADMIN user: kamisama123..

This account will be used to authenticate on the Apache server.

active directory admin accountzabbix active directory admin properties

Congratulations, you have created the required Active Directory account.

Apache - Kerberos authentication on the Active Directory

• IP - 192.168.15.11
• Operational System - Ubuntu 20
• Hostname - APACHE

Set a hostname using the HOSTNAMECTL command.

Copy to Clipboard

Edit the HOSTS configuration file.

Copy to Clipboard

Add the domain controller IP address and hostname.

Copy to Clipboard

Install the Apache server, the Kerberos module, and a list of required software.

Copy to Clipboard

On the Graphic installation, perform the following configuration:

• Kerberos realm - TECH.LOCAL
• Kerberos server - TECH-DC01.TECH.LOCAL
• Administrative server - TECH-DC01.TECH.LOCAL

You need to change the domain information to reflect your Network environment.

Edit the Kerberos configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

Here is the file, after our configuration.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

Start a Kerberos session as the domain Administrator.

Copy to Clipboard

List the Kerberos session.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Add the Apache server as a domain computer.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

You need to change the Hostname.

Stop the Kerberos session as the domain Administrator.

Copy to Clipboard

Move the key file to the correct location.

Copy to Clipboard

In our example, we are going to request authentication to users trying to access a directory named TEST.

Create a directory named TEST and give the user named www-data permission over this directory.

Copy to Clipboard

Configure the Apache server to request the Kerberos authentication to users trying to access this directory.

Edit the Apache configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

Here is the file, after our configuration.

Copy to Clipboard

The Apache server was configured to request password authentication to access the directory named TEST.

The Apache service was configured to authenticate user accounts using Kerberos.

You need to change the domain information to reflect your Network environment.

Restart the Apache service.

Copy to Clipboard

Congratulations! You successfully configured the Apache authentication to use Kerberos.

Apache - Kerberos authentication Test

Open your browser and enter the IP address of your Apache web server.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11

The Apache default page will be displayed.

Apache default page

Open your browser and enter the IP address of your web server plus /test.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11/test

On the login screen, Enter an Active Directory username and its password.

• Username: admin
• Password: kamisama123..

Apache login form

After a successful login, you will be authorized to access the directory named TEST.

Apache Radius Authentication test

Congratulations! You have configured the Kerberos authentication on the Apache server.