Home/ Questions/Q 6972497
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T16:58:32+00:00

I’m new with this authentication through kerberos protocol so I tried to read a

  • 0

I’m new with this authentication through kerberos protocol so I tried to read a lot of howto on it but seems like I can’t find any specifics with my constraints. Here is what I have :

  • An Active Directory Server on which users authenticate to log into their workstations
  • Each end user uses IE 7 to connect to my intranet application
  • An Apache server with load balancing
  • Some Tomcats servers acting as workers for the Apache server.
  • on each tomcat, I have 2 jakarta servlet running, users connect only on one servlet (further i will call it the servlet as if there is only one)
  • my tomcats need to run under jdk5. not jdk6 or jdk4. it’s jdk5 period.

Now I want one to automatically get logged on my servlet. Basically I just need my servlet to retrieve the client’s principal then I can manage the rest.
Based on what I understood, my client has a ticket, he ask the KDC for a special ticket for accessing the apache server, then he tries to connect to the Apache server. Based on his keytab, the apache server then decode the auth data and grant/refuse the access to specified resource.
Am I right? please guide me through this, I’ve been reading pages for 4 days and still no clue on which solution is the more appropriate. I tried mod_auth_kerberos for Apache but instead of grabbing the user’s ticket he ask it like a basic auth. Apparently spgneo

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ok I got this working :

    1. Install Kerberos 5 + apache 2 + mod_auth_kerb.
    2. On your AD, generate a keytab with only the principal you will use for Apache, I use HTTP/apache.mydom.com@MYDOM.COM
    3. Put this keytab file on your apache server and make it readable only
      by your Apache user.
    4. Then edit your apache conf with these directive for your secure
      location

    apache.conf:

    […]
ServerName apache.mydom.com:80
[…]
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[…]
<LocationMatch /secure)>
    [… some other stuff …]
    Order allow,deny
    Allow from all
    AuthType Kerberos
        AuthName "Authentification requise"
        KrbAuthRealms MYDOM.COM
        #this allows user to be saved in the request
        KrbSaveCredentials on
        #this one force Negotiate AuthType instead of basic fallback
        KrbMethodNegotiate on
        #this trim the realm from username saved in the request (request.getRemoteUser() will give you "user" instead of "user@MYDOM.COM"
        KrbLocalUserMapping on
        KrbAuthoritative on
        KrbVerifyKDC on
        Krb5Keytab /install/binaries/httpd/apache.keytab
        KrbServiceName HTTP
    require valid-user
</LocationMatch>

    And the one thing I almost failed to find on the web, you have to modify your tomcat server config (tomcat/conf/server.xml) :

    <Connector [... AJP connector configuration ...] request.tomcatAuthentication="false"/>

    This is really important because without it you tomcat won’t retrieve any info from tomcat auth.
    Don’t forget too, DNS is really really really really important for a Kerberos install. If you have any issue try checking your DNS for all of your servers.

    • 0