LADP - Apache 上的 Kerberos 设置与 Wordpress 单点登录不起作用

Question

We had a local network setup with Active Directory. We developed a website which will be hosted and accessible only from the local network. If a user is already logged in to the Active Directory on the OS we would like to have the user automatically signed in on our Wordpress website as soon as they visit it.

When following up documentations only we still where facing issues which we found it very difficult to fix and it took us a lot of time to have such a setup successfully woking. Some of the errors were:

• gss_acquire_cred() failed: Unspecified GSS failure. no key table entry found
• failed to verify krb5 credentials: Key Version is not available

The answer will be listing all the issues that we faced and how we managed to tackle them, in case some on faces the same problems when setting this up.

Answer 1

Create Keytab file on the Active Directory Domain Controller

• This is something that we did not do ourselves but provided the command to an Active Directory expert in order to execute the below command. This command is case sensitive, therefore it is very important that if the domain is in uppercase (as in example below), it is also executed with uppercase domain on the active directory.
• Command
  • ktpass -princ HTTP/intranet.domain.com@DOMAIN.COM -pass "{PASSWORD}" -mapuser username@DOMAIN.COM -Ptype KRB5_NT_PRINCIPAL -out website-auth.keytab
• From the ktpass command:
  • intranet.domain.com - Was our wordpress website url
  • DOMAIN.COM - Is the Active directory domain
  • {PASSWORD} - any random password eg UjhmPz5UPwx2VhQir7
    • Please note this is very important : since we had an issue with the passwords. Once the ktpass is created, do not change the password for the related service user account in the active directory. Every time a service account password is changed through active directory the keytab version on active directory is also updated and you won't be able to authenticate unless you update the keytab file on apache as well. Therefore if you change the password to a new one and then revert back to the old you would still have authentication issues (even though the password is now reverted back to original value). More info here: https://support.oneidentity.com/fr-fr/kb/33866/when-does-the-vno-in-host-keytab-change-
  • username@DOMAIN.COM - service account of the Active Directory
    • The account password should have a password set to Not Expired.
    • The account should be trusted for delegation.
  • website-auth.keytab - the filename of the generated keytab. we stored it at /etc/httpd/kerberos-credentials/website-auth.keytab
• Copy the Keytab file from AD Domain Controller to the web server hosted on Apache.

Install Kerberos Client Libraries On The Web Server:

• sudo apt-get install krb5-user (Ubuntu)
• yum install krb5-workstation krb5-libs krb5-auth-dialog (Centos)

Configure the Active Directory domain in the Kerberos Configuration file

• Update the /etc/krb5.conf
• I am pasting our config file template below. It was very important for us to update the enctypes parameters since the default config file did not include the enctype of the keytab generated from active directory and it was causing issues with authentication. In this sample I am including all the enctypes that I managed to find from my research.

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = DOMAIN.COM
 default_tkt_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
 default_tgs_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
 permitted_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5

[realms]
 DOMAIN.COM = {
   admin_server = DOMAIN.COM
   kdc = DOMAIN.COM
 }

[domain_realm]
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM

[login]
 krb4_convert = true
 krb4_get_tickets = true

Install the auth_kerb module for Apache

• Ubuntu:
  • sudo apt-get install libapache2-mod-auth-kerb
  • a2enmod auth_kerb
  • Restart apache
• Centos:
  • yum install mod_auth_kerb
  • Restart apache: systemctl restart apache2

Configure Kerberos SSO for the site directory

• Ubuntu: Edit the /etc/apache2/sites-enabled/000-default.conf file
• Centos: Edit the auth_kerb.conf configuration file in the /etc/httpd/conf.d/ folder
• We were working on Centos, so I do not have the exact configuration for Ubuntu but it should be quite similar to the Centos config. A template of our configuration file is:
• After setting the configuration file, apache needs to be restarted once again

LoadModule auth_kerb_module /usr/lib64/httpd/modules/mod_auth_kerb.so

<Directory "/var/www/html">
Order allow,deny
Allow from all

AuthType Kerberos
AuthName "username used in keytab"
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP/intranet.domain.com@DOMAIN.COM
Krb5Keytab /etc/httpd/kerberos-credentials/website-auth.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbVerifyKDC On
require valid-user
</Directory>

Check httpd_can_network_connect on apache

• After the above setup we thought we were ready but still could not have the authentication work from the website.
• After some research we noticed that we need to enable the httpd_can_network_connect setting on he apache server. To do so run:
  • getsebool -a | grep httpd getsebool -a | grep httpd : it was returning httpd_can_network_connect --> off
  • setsebool -P httpd_can_network_connect on : Enabled the setting
  • Restart apache service
  • Information fetched from LDAP works with PHP CLI but not through apache

Add wordpress website to local intranet on OS

• To integrate Wordpress with kerberos we used a ready made premium plugin, but unfortunately not everything worked as smooth as we thought. With the above setup, when we were trying to access our wordpress website, the browser was popping up a default authentication dialog box. This was not the desired result since we wanted to have the user automatically logged in if they are logged in on the Active Directory. This was being caused because the windows machine we were testing on did not have our wordpress website listed in the Local Intranets configuration. To add a website to the local intranet:
  • Go to Control Panel
  • Go to Internet Options
  • Click on the Security tab
  • Click on the Local Intranet icon
  • Click on Sites
  • Click on Advanced button
  • Add the Wordpres site url