Wednesday, April 18, 2012

integrating the apache web server into a Windows Active Directory Domain.

I created a team in VMWare that consisted of 

a Windows 2003 Server acting as the PDC
a Windows 2000 Client acting as a client machine on the Domain.
a Linux box acting as the web server and another test client

I configured the Domain to be named ENEAVOR.LOCAL
I added a user called james
I added a machine entry for the W2K client machine.
I added a user called apache to tie the web service kerberos principle to.

I added an entry into DNS for apache.endeavor.local and configured it to be able to be reversed looked up.

I got the ktpass.exe command off the windows 2003 server install disk inside the cab file in D:/tools/support/

I ran the command: 

ktpass -out apache.keytab -princ HTTP/apache.endeavor.local@ENDEAVOR.LOCAL -pass * -mapuser apache

You are promted for the password for the apache user.

This creates an apache.keytab file that you copy over to the apache server into


On the linux box now.

I fixed /etc/resolve.conf file to point at, and changed the search to be endeavor.local in order to fix a massive slowdown in name lookups.

Make sure these two entries are pointed at the domain name and the DNS box for your domain.

Install non threaded version of Apache2, threaded might work as well, I just didn't want to chance their being threading issues on this first try.

Install matching set of development libraries that include the apxs tool.

Install kerberos 5 libraries and development tools

Configured kerberos, tested with client tools I downloaded from 

<need to work on this area more>

All of these are standard packages.

Download mod_auth_kerb apache authentication module
web site -
download -

configure it with the command: 

./configure --with-krb5=/usr/include/kerberosIV/ --with-krb4=no --with-apache=/usr/include/apache2/
Then add this patch:

[PATCH] fix putenv usage in CVS
From: Joe Orton <jorton <at>>
Subject: [PATCH] fix putenv usage in CVS
Newsgroups: gmane.comp.apache.mod-auth-kerb.general
Date: 2006-08-14 15:09:43 GMT

The use of putenv() in CVS is unsafe, it will segfault httpd at startup 
if mod_auth_kerb is loaded as a DSO.  The pointer in environ to the 
constant string in the DSO will dangle once the DSO is unloaded during 
the startup load/unload shuffle.  POSIX setenv() is a good replacement, 
not sure how portable...  otherwise just strdup() the putenv() argument.

Index: mod_auth_kerb.c
RCS file: /cvsroot/modauthkerb/mod_auth_kerb/src/Attic/mod_auth_kerb.c,v
retrieving revision 1.118
diff -u -r1.118 mod_auth_kerb.c
--- mod_auth_kerb.c    22 Apr 2006 12:46:53 -0000    1.118
+++ mod_auth_kerb.c    14 Aug 2006 15:05:08 -0000
 <at>  <at>  -1142,8 +1142,7  <at>  <at> 
 #ifndef HEIMDAL
    /* Suppress the MIT replay cache.  Requires MIT Kerberos 1.4.0 or later.
       1.3.x are covered by the hack overiding the replay calls */
-   if (getenv("KRB5RCACHETYPE") == NULL)
-      putenv("KRB5RCACHETYPE=none");
+   setenv("KRB5RCACHETYPE", "none", 0);

    have_server_princ = conf->krb_service_name && strchr(conf->krb_service_name, '/') != NULL;

I also made this fix, not sure if it is really needed:

at line 1573 add 


        return 0;

just above the line:

   ret = krb5_rc_respolve_type(context, &id, type);
   found = (ret == 0);

(fix issues)

sudo make install

add the following to /etc/apache2/httpd.conf

LoadModule    auth_kerb_module    libexec/

<Directory "/">
    AuthType Kerberos
    AuthName "Login to Apache on ENDEAVOR.LOCAL"
    Krb5Keytab /etc/apache2/apache.keytab
    Require valid-user

run the command
sudo /etc/init.d/apache start

fix errors

-- -- -- 

On the Client Box:

Join the Domain as an administrator.
Log back out.
Log back in as user james

Join the Domain as an administrator.
Log back out.
Log back in as user james

Configure IE:

Open up the Internet Options dialog inside of Internet Explorer. The Security tab contains the security zones that Internet Explorer recognizes. Click Intranet and click the Sites button. Click Advanced in the next dialog box, and a third dialog is presented where we can add sites that will be added to the Intranet zone. Click Add and type in the name of your Apache server, in this case "" Return to the Internet Options dialog, Security tab. Click the "Custom Level" button for the Intranet security zone. Ensure that "User authentication - Automatic logon only in intranet zone" is selected (at the bottom of the list). Click OK.

If you're using Internet Explorer 6 or above, one more setting must be tweaked. Inside of the Internet Options dialog box, Advanced tab, there is a setting named "Enable Integrated Windows Authentication" inside of the Security group. If this box is not checked, check the box, and restart the machine. More information on these browser settings can be found in the Microsoft MSDN library.

Now that everything is set up, it's time to see if everything works. Open IE and go to the protected URL on the Apache server. If the page displays, then congratulations! The full Kerberos username of the client will be inserted into the REMOTE_USER environment variable on the Apache server side, for example Administrator@W2K.WEDGIE.ORG. A simple PHP script or server-side include page can be used to verify that the REMOTE_USER is now set.

No comments:

Post a Comment