ARTIFACTORY: Configuring an HTTP SSO with Apache and Kerberos

JFrog Support
2023-01-22 11:07

The following steps will help you to set up HTTP SSO with Apache using the Kerberos network authentication protocol:

  1. Generate a keytab file for your Apache host using the Ktpass tool, where:
  • the Ktpass command should be run with a domain admin
  • the password for the -pass argument must comply with Windows Server 2012 standards

Here's a command example:

ktpass -princ HTTP/uriahl.com@URIAHL.COM -mapuser apache -crypto All -DesOnly -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out apache.keytab

where

  • uriahl.com is the FQDN of the Apache server
  • URIAHL.COM is the Kerberos realm for which the keytab is being generated
  • apache is the Active Directory account (-mapuser) that the keytab is mapped to
  • apache.keytab is the keytab filename
  2. Configure the HTTPD VirtualHost to use the auth_kerb_module and its corresponding directives. Note: HTTPD doesn't usually come with this module already installed, so you may need to install it manually with the following packages.

Debian-based:

apt-get install libapache2-mod-auth-kerb

Centos/RHEL:

yum install mod_auth_kerb

During the installation process, you'll be prompted about several configuration options. You'll need to enter your:

  • Kerberos realm name, which, by convention, is your AD domain written in all UPPERCASE letters (e.g., if your AD domain is domain.uriahl.com, your realm must be named DOMAIN.URIAHL.COM)
  • KDC host (i.e., the hostname of the KDC machine)
  • Administrative server's hostname (Note: Depending on your setup, you might want to use the same value here as you did for the previous field.)

At this point, be sure to copy over your keytab file (which was generated in Step #1) to your Apache machine and secure it so that only the OS user who's running Apache has access to it.

An example of a full SSL-equipped Apache VirtualHost configuration that proxies Artifactory and uses Kerberos authentication with the /artifactory location can look like the following (where the Krb5KeyTab directive points to the location of the keytab file):

# Container directives (<VirtualHost>, <Location>) are restored here as implied by the description above.
Listen 443

<VirtualHost *:443>
    ServerAdmin uriahl@uriahl.com
    ServerName apache.server.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.crt
    SSLCertificateKeyFile /etc/ssl/certs/cert.key
    SSLProxyEngine on

    ErrorLog "/private/var/log/apache2/uriahl.com-error_log"
    CustomLog "/private/var/log/apache2/uriahl.com-access_log" common

    # Kerberos authentication for the /artifactory location
    <Location /artifactory>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms DOMAIN.URIAHL.COM
        KrbLocalUserMapping On
        Krb5KeyTab /usr/local/apache2/keytab/apache.keytab
        require valid-user

        # Pass the authenticated principal to Artifactory as the REMOTE_USER header
        RewriteEngine On
        RewriteCond %{REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

    RewriteEngine On
    RewriteCond %{SERVER_PORT} (.*)
    RewriteRule (.*) - [E=my_server_port:%1]

    # Note: In the following, the REQUEST_SCHEME variable is supported only by Apache versions 2.4 and above:
    RewriteCond %{REQUEST_SCHEME} (.*)
    RewriteRule (.*) - [E=my_scheme:%1]

    RewriteCond %{HTTP_HOST} (.*)
    RewriteRule (.*) - [E=my_custom_host:%1]

    RewriteRule ^/$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory(/)?$ /artifactory/webapp/ [R,L]
    RewriteRule ^/artifactory/webapp$ /artifactory/webapp/ [R,L]

    RequestHeader set Host %{my_custom_host}e
    RequestHeader set X-Forwarded-Port %{my_server_port}e
    # Note: In the following, {my_scheme} requires a module that is supported only by Apache version 2.4 and above:
    RequestHeader set X-Forwarded-Proto %{my_scheme}e
    RequestHeader set X-Artifactory-Override-Base-Url %{my_scheme}e://artifactory_host:8081/artifactory

    ProxyPassReverseCookiePath /artifactory /artifactory
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass /artifactory/ http://artifactory_host:8081/artifactory/
    ProxyPassReverse /artifactory/ http://artifactory_host:8081/artifactory/
</VirtualHost>

In this example, the root httpd.conf file loads the mod_auth_kerb module by specifying:

LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

Additionally, alongside the mod_auth_kerb module, the modules below are required for the configuration above to work:

  • mod_headers
  • mod_proxy
  • mod_ssl
  • mod_rewrite
  • mod_proxy_http
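As an added check that is not part of this article or of JFrog's or Apache's tooling, the following Python linter verifies the requirements above against an httpd configuration text: every listed module has a LoadModule line, the location enforces Kerberos and sets the REMOTE_USER header, and the keytab named by Krb5KeyTab exists and is readable by its owner only, as Step 2 requires. The function names, the modules/mod_x.so paths and the keytab bytes are constructed for the example.

```python
import os
import re
import stat
import tempfile

# Modules the article lists as required, plus mod_auth_kerb itself.
REQUIRED_MODULES = ("mod_auth_kerb", "mod_headers", "mod_proxy", "mod_ssl",
                    "mod_rewrite", "mod_proxy_http")
# Directives that make the location enforce Kerberos and forward the principal.
REQUIRED_DIRECTIVES = (
    ("AuthType Kerberos", r"^\s*AuthType\s+Kerberos\b"),
    ("require valid-user", r"^\s*require\s+valid-user\b"),
    ("RequestHeader set REMOTE_USER", r"^\s*RequestHeader\s+set\s+REMOTE_USER\b"),
)

def check_keytab(path):
    """The keytab must exist and carry no group/other permission bits."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ["Krb5KeyTab %s does not exist" % path]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["Krb5KeyTab %s is accessible by group/other (mode %o)"
                % (path, stat.S_IMODE(mode))]
    return []

def check_config(text):
    """Lint an httpd config (including its LoadModule lines); return a list of findings."""
    loaded = set(re.findall(r"^\s*LoadModule\s+\S+\s+\S*?(mod_\w+)\.so", text, re.M))
    findings = ["missing LoadModule for %s" % m for m in REQUIRED_MODULES if m not in loaded]
    findings += ["missing directive: %s" % name for name, pat in REQUIRED_DIRECTIVES
                 if not re.search(pat, text, re.M | re.I)]
    m = re.search(r"^\s*Krb5KeyTab\s+(\S+)", text, re.M)
    findings += check_keytab(m.group(1)) if m else ["no Krb5KeyTab directive"]
    return findings

def demo():
    """Lint a constructed config twice: correct, then with a missing module and a 0644 keytab."""
    keytab = os.path.join(tempfile.mkdtemp(), "apache.keytab")
    open(keytab, "wb").write(b"\x05\x02")  # constructed placeholder bytes, not a real keytab
    os.chmod(keytab, 0o600)  # owner-only, as the article requires
    modules = "\n".join("LoadModule %s_module modules/%s.so" % (m[4:], m) for m in REQUIRED_MODULES)
    good = (modules + "\nAuthType Kerberos\nrequire valid-user\n"
            "RequestHeader set REMOTE_USER %{RU}e\nKrb5KeyTab " + keytab + "\n")
    good_findings = check_config(good)
    os.chmod(keytab, 0o644)  # keytab now readable by every local user
    bad = good.replace("LoadModule proxy_http_module modules/mod_proxy_http.so\n", "")
    return good_findings, check_config(bad)
```

Calling demo() returns an empty report for the correct config and a two-item report naming the missing mod_proxy_http and the world-readable keytab.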

  3. Configure Artifactory to accept HTTP SSO authentication based on the REMOTE_USER header.

Debugging Common Failures

  • Error #1

[Mon Jun 27 13:54:42.271303 2016] [auth_kerb:error] [pid 2301:tid 140157256722176] [client 192.168.99.1:54417] krb5_get_init_creds_password() failed: KDC has no support for encryption type

This could mean that your Active Directory has not been configured to support the encryption algorithm you used when generating your keytab file. In the example above, although the -crypto All value was used to indicate that the generated keytab will support all algorithms, you may want to tweak this to use only the strongest encryption types (note that the -DesOnly switch in the same example restricts the mapped account to DES, which current Windows domains disable by default).

Step-by-step instructions on enabling the various encryption types supported by your AD domain are available HERE. Information HERE may also be helpful to you.

  • Error #2

[Mon Jun 27 12:25:10.517382 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] [client 192.168.99.1:52174] failed to verify krb5 credentials: Server not found in Kerberos database

As regards the Apache error log message "Server not found in Kerberos database," information available HERE may be useful to you.
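As an added example, not part of this article, the following Python snippet parses Apache 2.4 error_log lines of the format shown above and triages the two auth_kerb failures the article walks through; the triage hints are this example's own wording, and the sample log (the two article lines plus one constructed unrelated notice) is embedded inline.

```python
import re

# Apache error_log line: [time] [module:level] [pid N:tid N] [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")

# The two auth_kerb failures from the article, each with a short triage hint
# (the hints are this example's wording, not text quoted from the article).
KNOWN_FAILURES = (
    ("KDC has no support for encryption type",
     "encryption type of the keytab is not enabled on the AD domain; regenerate the keytab"),
    ("Server not found in Kerberos database",
     "HTTP/<fqdn>@REALM service principal is unknown to the KDC; check the ktpass -princ value"),
)

def parse_line(line):
    """Split one error_log line into its bracketed fields, or return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (client, hint) for every auth_kerb error line; unknown messages are flagged as such."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["module"] != "auth_kerb" or rec["level"] != "error":
            continue  # other modules or levels are not Kerberos SSO failures
        hint = next((h for needle, h in KNOWN_FAILURES if needle in rec["msg"]),
                    "unclassified auth_kerb error: " + rec["msg"])
        results.append((rec["client"], hint))
    return results

# Constructed sample: the two lines quoted in the article plus one unrelated notice.
SAMPLE_LOG = [
    "[Mon Jun 27 13:54:42.271303 2016] [auth_kerb:error] [pid 2301:tid 140157256722176] "
    "[client 192.168.99.1:54417] krb5_get_init_creds_password() failed: KDC has no support for encryption type",
    "[Mon Jun 27 12:25:10.517382 2016] [auth_kerb:error] [pid 1375:tid 140157248329472] "
    "[client 192.168.99.1:52174] failed to verify krb5 credentials: Server not found in Kerberos database",
    "[Mon Jun 27 12:25:11.000000 2016] [mpm_event:notice] [pid 1370:tid 140157300000000] "
    "AH00489: Apache/2.4 configured (constructed line)",
]

if __name__ == "__main__":
    for client, hint in triage(SAMPLE_LOG):
        print(client, "->", hint)
```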

Learn More

  • A good Kerberos overview is available HERE.
  • More information about the Kerberos Module for Apache is available HERE.
  • More information about configuring Apache to use Kerberos authentication is available HERE.