Introduction

This document will detail the steps for setting up Kerberos authentication to the IPA/Cascade web application.

Prerequisites

  1. A Windows 2008 R2 Active Directory domain controller that can communicate with an Apache web server. Generally, this will require opening up ports 88 and 749 (TCP and UDP) between the machines, but this may vary based on how Kerberos is configured.

  2. In the instructions below, we assume the following:

    Active Directory domain name:

    domain.com
    

    Linux machine running Apache web server:

    websvr.domain.com
    

    The real host and domain names are probably different, and should be used in place of these sample values.

    Note that the machine you use for the web server must have valid DNS entries (A and PTR records) for Kerberos authentication to be successful.

Instructions

  1. Create an Active Directory account for the HTTP service that will run on the web server machine.

    1. Open:

      Start Menu/Administrative Tools/Server Manager
      
    2. Browse to:

      Roles
          Active Directory Domain Services
              Active Directory Users and Computers
                  domain.com
                      Users
      
    3. Right-click, New, User, then from the New Object - User dialog, enter the following:

      • First Name, Initials, Last Name

        (Empty)
        
      • Full Name

        HTTP service principal for websvr.domain.com
        

        (or whatever the actual fully-qualified hostname is)

      • User logon name

        HTTP/websvr.domain.com
        
      • Domain name (dropdown list)

        @domain.com
        
      • User Logon name (pre-Windows 2000)

        http_websvr
        

        (or any valid unique username)

      • Password

        A strong password for the HTTP service account; we'll use http!123password for example purposes only.

      • Uncheck all four boxes including "User must change password"

      • Click "Finish"

    4. After creating the account, right-click on it, then "Properties", then select the following account options (You may need to scroll down in the Account Options fieldset to see these options):

      This account supports Kerberos AES 128 bit encryption
      This account supports Kerberos AES 256 bit encryption
      
  2. Generate a Kerberos keytab file for the HTTP service principal you created in step 1.

    1. From a Windows cmd.exe command shell, run the following command:

      ktpass -princ HTTP/websvr.domain.com@domain.com
             -mapuser http_websvr@domain.com
             -crypto AES256-SHA1
             -ptype KRB5_NT_PRINCIPAL
             -pass http!123password
             -out c:\temp\http_websvr.keytab
      
    2. If successful, a file named http_websvr.keytab will be created in C:\TEMP. If not, check for errors from the ktpass command.

  3. Copy the keytab file created in step 2 over to the web server machine. The apache subdirectory in the Cascade application directory is probably a good place to put it.

  4. From a shell on the web server machine, cd to the directory where you put the keytab file in step 3, then run the following commands:

    $ kinit HTTP/websvr.domain.com@DOMAIN.COM
    

    (enter password)

    $ kvno HTTP/websvr.domain.com@DOMAIN.COM
    

    Take note of the "kvno = xxx" value here.

    $ klist -e
    

    Take note of the Etype (encryption type) of the Kerberos tickets, which should resemble "AES-256 CTS mode with 96-bit SHA-1 HMAC".

    $ klist -e -k -t http_websvr.keytab
    

    Compare the KVNO column in the output with the "kvno = xxx" value from the kvno command above. These must match. If they don't, then the keytab file is stale, and you must generate a new keytab, copy it over, and try again. Also make sure the principal names match exactly between the two klist commands.

    Now, test Kerberos authentication using this keytab:

    $ kdestroy
    
    $ kinit -k -t http_websvr.keytab HTTP/websvr.domain.com@domain.com
    
    $ klist -e
    

    If there were no errors, then you should see a Service principal ticket for websvr in the klist -e output.

  5. Now that you have a valid keytab for the Apache service, secure it:

    $ chmod 400 http_websvr.keytab
    
    $ chown httpd http_websvr.keytab
    

    httpd above should be replaced by the username that Apache runs as.
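    The script below is an added example and is not part of the IPA/Cascade project or of these instructions. It automates the two checks that steps 4 and 5 ask you to do by eye: it compares the KVNO and encryption type reported by the kvno and klist -e -k -t commands for the HTTP principal (flagging a stale keytab or a principal-name mismatch), and it verifies that the keytab file is mode 400 and owned by the Apache user. The kvno and klist outputs embedded in it are constructed samples in MIT krb5 output format so that it runs offline; the principal name, the keytab file name and the Apache user name (httpd) are the sample values from this document and are assumptions on a real host.

```shell
#!/bin/sh
# Added example (not part of IPA/Cascade): check a service keytab the way
# steps 4 and 5 describe. The kvno/klist outputs below are CONSTRUCTED
# samples so the script runs offline; on the real host substitute the live
# command output, e.g. KVNO_OUT=$(kvno "$PRINC").

PRINC='HTTP/websvr.domain.com@DOMAIN.COM'   # sample principal from the docs
APACHE_USER='httpd'                          # assumed Apache user (step 5)

# Constructed sample of `kvno "$PRINC"` output.
KVNO_OUT='HTTP/websvr.domain.com@DOMAIN.COM: kvno = 3'

# Constructed sample of `klist -e -k -t http_websvr.keytab` output.
KEYTAB_OUT='Keytab name: FILE:http_websvr.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 00:00:00 HTTP/websvr.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)'

# kdc_kvno OUTPUT PRINC: the key version number the KDC reports for PRINC.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p ": kvno = ") == 1 { print $NF }'
}

# keytab_entries OUTPUT PRINC: print "KVNO ENCTYPE" for each keytab entry
# belonging to PRINC. Assumes the timestamp occupies two whitespace-separated
# fields (date and time), as in MIT klist -t output.
keytab_entries() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $4 == p { et = $5; gsub(/[()]/, "", et); print $1, et }'
}

# check_keytab KVNO_OUTPUT KLIST_OUTPUT PRINC
# Returns 0 if the keytab holds an AES key whose KVNO matches the KDC,
# 1 if the keytab is stale (KVNO differs or no AES key), and 2 if the
# principal is missing from either output (usually a name mismatch).
check_keytab() {
    want=$(kdc_kvno "$1" "$3")
    if [ -z "$want" ]; then
        echo "check_keytab: $3 not found in kvno output" >&2; return 2
    fi
    entries=$(keytab_entries "$2" "$3")
    if [ -z "$entries" ]; then
        echo "check_keytab: $3 not in keytab (principal names must match exactly)" >&2; return 2
    fi
    ok=$(printf '%s\n' "$entries" | awk -v want="$want" \
        '$1 == want && $2 ~ /^aes(128|256)-cts-hmac-sha1-96$/ { print "ok"; exit }')
    if [ "$ok" = "ok" ]; then
        echo "check_keytab: $3 kvno=$want present with an AES key"; return 0
    fi
    echo "check_keytab: KDC kvno=$want but keytab holds: $(printf '%s' "$entries" | tr '\n' ';')" >&2
    echo "check_keytab: regenerate the keytab with ktpass and copy it over again" >&2
    return 1
}

# keytab_perms_ok PATH OWNER: 0 if PATH is mode 400 and owned by OWNER.
# Parses `ls -ld` rather than `stat`, whose flags differ between GNU and BSD.
keytab_perms_ok() {
    line=$(ls -ld "$1") || return 1
    mode=$(printf '%s' "$line" | cut -c1-10)
    fileowner=$(printf '%s' "$line" | awk '{ print $3 }')
    if [ "$mode" != "-r--------" ]; then
        echo "$1: mode is $mode, want -r-------- (chmod 400)" >&2; return 1
    fi
    if [ "$fileowner" != "$2" ]; then
        echo "$1: owned by $fileowner, want $2 (chown $2)" >&2; return 1
    fi
    return 0
}

# Stand-alone run against the constructed samples. On the real host, point
# this at the live command output and the keytab you copied over in step 3.
check_keytab "$KVNO_OUT" "$KEYTAB_OUT" "$PRINC"
if [ -f http_websvr.keytab ]; then
    keytab_perms_ok http_websvr.keytab "$APACHE_USER"
fi
```

    Run it from the directory holding the keytab; a non-zero exit from check_keytab means you should go back to step 2 and regenerate the keytab, and a non-zero exit from keytab_perms_ok means the chmod/chown from step 5 has not been applied.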

  6. In the cascade.wsgi file (created in step 2 of the main IPA/Cascade installation instructions) look for the line beginning with os.environ['KRB5_KTNAME'], and replace the sample path with the path you chose in step 3 above.

  7. In the production.ini file (created in step 4 of the main installation instructions) find the ipa_kerberos_realm setting, changing it to match the name of your Kerberos realm.

At this point, you should be set up for Kerberos authentication, and can return to the main instructions in README.