Tutorial Nginx - Kerberos authentication [ Step by step ]

Would you like to learn how to configure the Nginx service Kerberos authentication on Active Directory? In this tutorial, we are going to show you how to authenticate Nginx users using the Active Directory from Microsoft Windows and the Kerberos protocol.

• Ubuntu 20
• Ubuntu 19
• Ubuntu 18
• Nginx 1.18.0

In our example, the domain controller IP address is 192.168.15.10.

In our example, the Nginx server IP address is 192.168.15.11.

Equipment list

The following section presents the list of equipment used to create this tutorial.

As an Amazon Associate, I earn from qualifying purchases.

Nginx - Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Nginx.

Tutorial Windows - Domain Account Creation

• IP - 192.168.15.10
• Operacional System - WINDOWS 2012 R2
• Hostname - TECH-DC01

We need to create at least 1 account on the Active Directory database.

The ADMIN account will be used to login on the Nginx server.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured to the ADMIN user: kamisama123..

This account will be used to authenticate on the Nginx server.

zabbix active directory admin properties

Congratulations, you have created the required Active Directory account.

Nginx - Kerberos authentication on the Active Directory

• IP - 192.168.15.11
• Operational System - Ubuntu 20
• Hostname - NGINX

Set a hostname using the HOSTNAMECTL command.

Copy to Clipboard

Edit the HOSTS configuration file.

Copy to Clipboard

Add the domain controller IP address and hostname.

Copy to Clipboard

Install the list of required packages to enable the Kerberos authentication.

Copy to Clipboard

On the Graphic installation, perform the following configuration:

• Kerberos realm - TECH.LOCAL
• Kerberos server - TECH-DC01.TECH.LOCAL
• Administrative server - TECH-DC01.TECH.LOCAL

You need to change the domain information to reflect your Network environment.

Edit the Kerberos configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

[libdefaults]
        default_realm = TECH.LOCAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
[realms]
        TECH.LOCAL = {
                kdc = TECH-DC01.TECH.LOCAL
                admin_server = TECH-DC01.TECH.LOCAL
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

Here is the file, after our configuration.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

You have finished the required Kerberos configuration.

Nginx - Kerberos authentication

Install the Nginx server and the required packages.

Copy to Clipboard

In our example, we are going to request authentication to users trying to access a directory named TEST.

Create a directory named TEST and give the user named www-data permission over this directory.

Copy to Clipboard

Configure the Nginx server to request the PAM authentication to users trying to access this directory.

Edit the Nginx configuration file for the default website.

Copy to Clipboard

Add the following configuration to this file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

Here is the file, after our configuration.

Copy to Clipboard

The Nginx server was configured to request password authentication to access the directory named TEST.

The Nginx service was configured to authenticate user accounts using the PAM authentication module.

Create the PAM configuration file.

Copy to Clipboard

Here is the file content.

Copy to Clipboard

In our example, we are going to authenticate the Nginx service access using Kerberos.

Restart the Nginx service.

Copy to Clipboard

Congratulations! You successfully configured the Nginx authentication to use Kerberos.

Nginx - Keberos authentication test

Create an HTML page to be used in the authentication test.

Copy to Clipboard

echo "<html><body><h1>Nginx authentication test</h1><script>"use strict";function wprRemoveCPCSS(){var preload_stylesheets=document.querySelectorAll('link[data-rocket-async="style"][rel="preload"]');if(preload_stylesheets&&0<preload_stylesheets.length)for(var stylesheet_index=0;stylesheet_index<preload_stylesheets.length;stylesheet_index++){var media=preload_stylesheets[stylesheet_index].getAttribute("media")||"all";if(window.matchMedia(media).matches)return void setTimeout(wprRemoveCPCSS,200)}var elem=document.getElementById("rocket-critical-css");elem&&"remove"in elem&&elem.remove()}window.addEventListener?window.addEventListener("load",wprRemoveCPCSS):window.attachEvent&&window.attachEvent("onload",wprRemoveCPCSS);</script><noscript><link data-minify="1" rel='stylesheet' id='wpml-blocks-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/cache/min/1/wp-content/plugins/sitepress-multilingual-cms/dist/css/blocks/styles.css?ver=1713132099' type='text/css' media='all' /><link rel='stylesheet' id='wpml-menu-item-0-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/menu-item/style.min.css?ver=1' type='text/css' media='all' /><link rel='stylesheet' id='fusion-core-comment-form-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/plugins/fusion-core/css/comment-form.min.css?ver=5.11.7' type='text/css' media='all' /><link rel='stylesheet' id='fusion-core-privacy-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/plugins/fusion-core/css/privacy.min.css?ver=5.11.7' type='text/css' media='all' /><link rel='stylesheet' id='avada-stylesheet-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-content/themes/Avada/assets/css/style.min.css?ver=7.11.7' type='text/css' media='all' /><link rel='stylesheet' id='wp-codemirror-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-includes/js/codemirror/codemirror.min.css?ver=5.29.1-alpha-ee20357' type='text/css' media='all' /><link rel='stylesheet' id='code-editor-css' href='https://techexpert.tips/wp-admin/css/code-editor.min.css?ver=6.5.2' type='text/css' media='all' /><link rel='stylesheet' id='wp-block-library-css' href='https://d1ny9casiyy5u5.cloudfront.net/wp-includes/css/dist/block-library/style.min.css?ver=6.5.2' type='text/css' media='all' /></noscript></body></html>" > /var/www/html/test/test.html
chown www-data.www-data /var/www/html/test -R

In our example, we created an HTML page named TEST.

Open your browser and enter the IP address of your Nginx web server.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11

The Nginx default page will be displayed.

Open your browser and enter the IP address of your web server plus /test.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11/test/test.html

On the login screen, Enter an Active Directory username and its password.

• Username: admin
• Password: kamisama123..

After a successful login, you will be authorized to access the directory named TEST.

Congratulations! You have configured the Kerberos authentication on the Nginx server.

Nginx - Kerberos authentication

Nginx - Kerberos authentication

Equipment list

Nginx - Related Tutorial:

Tutorial Windows - Domain Account Creation

Nginx - Kerberos authentication on the Active Directory

Nginx - Kerberos authentication

Nginx - Keberos authentication test

Related Posts