Tutorial Zabbix - Kerberos authentication [ Step by step ]

Would you like to learn how to configure the Zabbix service Kerberos authentication on Active Directory? In this tutorial, we are going to show you how to authenticate Zabbix users using the Active Directory and the Kerberos protocol.

• Ubuntu 20
• Ubuntu 19
• Ubuntu 18
• Zabbix 5.0.3

In our example, the domain controller IP address is 192.168.15.10.

In our example, the Zabbix server IP address is 192.168.15.11.

Hardware List:

The following section presents the list of equipment used to create this Zabbix tutorial.

Every piece of hardware listed above can be found at Amazon website.

Zabbix Playlist:

On this page, we offer quick access to a list of videos related to Zabbix installation.

Playlist

Don’t forget to subscribe to our youtube channel named FKIT.

Zabbix Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Zabbix installation.

List of Tutorials – Zabbix
Zabbix Server Installation
Zabbix – Monitor Vmware
Zabbix – Monitor ICMP Ping
Zabbix – Monitor Website
Zabbix – Monitor Cisco Switch
Zabbix – Monitor Windows using Agent
Zabbix – Monitor Windows using SNMP
Zabbix – Monitor Linux using Agent
Zabbix – Monitor Linux using SNMP
Zabbix – Monitor IPMI
Zabbix – Monitor TCP
Zabbix – Monitor UDP
Zabbix – E-mail Notification
Zabbix – SMS Notification

Tutorial Windows – Domain Account Creation

• IP – 192.168.15.10
• Operacional System – WINDOWS 2012 R2
• Hostname – TECH-DC01

We need to create at least 1 account on the Active Directory database.

The ADMIN account will be used to login on the Zabbix server.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured to the ADMIN user: kamisama123..

This account will be used to authenticate on the Zabbix server.

zabbix active directory admin properties

Congratulations, you have created the required Active Directory account.

Zabbix – Kerberos authentication on the Active Directory

• IP – 192.168.15.11
• Operational System – Ubuntu 20
• Hostname – ZABBIX

Set a hostname using the HOSTNAMECTL command.

Copy to Clipboard

Edit the HOSTS configuration file.

Copy to Clipboard

Add the domain controller IP address and hostname.

Copy to Clipboard

Install the list of required packages to enable the Kerberos authentication.

Copy to Clipboard

On the Graphic installation, perform the following configuration:

• Kerberos realm – TECH.LOCAL
• Kerberos server – TECH-DC01.TECH.LOCAL
• Administrative server – TECH-DC01.TECH.LOCAL

You need to change the domain information to reflect your Network environment.

Edit the Kerberos configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

[libdefaults]
        default_realm = TECH.LOCAL
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
[realms]
        TECH.LOCAL = {
                kdc = TECH-DC01.TECH.LOCAL
                admin_server = TECH-DC01.TECH.LOCAL
        }
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }
[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

Here is the file, after our configuration.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

Start a Kerberos session as the domain Administrator.

Copy to Clipboard

List the Kerberos session.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Add the Zabbix server as a domain computer.

Copy to Clipboard

You need to change the domain information to reflect your Network environment.

You need to change the Hostname.

Stop the Kerberos session as the domain Administrator.

Copy to Clipboard

Move the key file to the correct location.

Copy to Clipboard

In our example, we are going to request authentication to users trying to access a directory named ZABBIX.

In our example, the Zabbix web interface was installed on the following directory.

Copy to Clipboard

Configure the Apache server to request the Kerberos authentication to users trying to access this directory.

Edit the Apache configuration file.

Copy to Clipboard

Here is the file, before our configuration.

Copy to Clipboard

Here is the file, after our configuration.

Copy to Clipboard

The Apache server was configured to request authentication to access the directory named ZABBIX.

The Apache service was configured to authenticate user accounts using Kerberos.

You need to change the domain information to reflect your Network environment.

Restart the Apache service

Copy to Clipboard

Congratulations! You successfully configured the Apache authentication to use Kerberos.

Tutorial Zabbix – Kerberos authentication on the Active Directory

Open your browser and enter the IP address of your web server plus /zabbix.

In our example, the following URL was entered in the Browser:

• http://192.168.15.11/zabbix

On the first login screen, enter the ADMIN username and its Active Directory password.

• Username: admin
• Password: kamisama123..

On the second login screen, enter a Zabbix local account.

• Zabbix default username: Admin
• Zabbix default Password: zabbix

After a successful login, you will be sent to the Zabbix Dashboard.

On the dashboard screen, access the Administration menu and select the Authentication option.

On the Authentication screen, select the HTTP option and perform the following configuration.

• Enable HTTP authentication – Yes
• Default login form – HTTP login Form
• Case sensitive login – No

Click on the Update button.

After finishing the configuration, you should close your browser.

Open your browser and enter the IP address of your web server plus /zabbix.

• http://192.168.15.11/zabbix

This time, only the Kerberos form should be presented.

After a successful login, you will be sent directly to the Zabbix Dashboard.

Congratulations! You successfully configured the Zabbix authentication to use Kerberos.

In order to authenticate a user against Active Directory, the user account must also exist in the Zabbix server users database

Zabbix – Kerberos authentication

Zabbix – Kerberos authentication

Hardware List:

Zabbix Playlist:

Zabbix Related Tutorial:

Tutorial Windows – Domain Account Creation

Zabbix – Kerberos authentication on the Active Directory

Tutorial Zabbix – Kerberos authentication on the Active Directory

Related Posts