SSO: Apache + Kerberos

Compatibility

• Works with Firefox 3.5 and IE
• Found no issues
• Works perfectly for customers who wants integrated authentication between Windows AD and *NIX clients.
• This provides true SSO experience, where users just need login once to Windows Domain in the companies’ domain member computers and won’t encounter any credential prompt box when accessing Splunkweb.
• The browsers has to be configured to pass Windows credentials to proxy server.
• The browsers has to be configured to trust the windows domain
• The proxy server DOES NOT need to be hosted in a machine that is a member of Windows domain. It just has to be "kerberized". See the details at "Apache+Kerberos (*NIX): What I did to make this work" section below.

Setup

Setup the Apache proxy server as a Kerberos client. Assumes you've installed the following:

1. Apache 2+
2. mod_auth_kerb-5.3
3. mod_proxy

Listen 6443 https
<VirtualHost _default_:6443>
#....
#.... some SSL directives here
#....

<Location />
  Order allow,deny
  Allow from all
  AuthType Kerberos
  AuthName "Kerberos Login at FOO.COM"
  KrbAuthRealms FOO.COM
  KrbMethodK4Passwd Off
  Krb5Keytab "/opt/local/apache2/conf/foo.keytab"
  KrbSaveCredentials On
  Require valid-user
</Location>

# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On

<Proxy *>
Order allow,deny
Allow from all
</Proxy>

ProxyPass / http://foo.com:8090/
ProxyPassReverse / http://foo.com:8090/
ProxyPassReverseCookieDomain foo.com bar.foo.com
ProxyPassReverseCookiePath / /
RequestHeader set REMOTE_USER %{REMOTE_USER}s


</VirtualHost>

• Check http://www.grolmsnet.de/kerbtut/ for explanation of the steps above