We had a local network set up with Active Directory. We developed a website that will be hosted and accessible only from the local network. If a user is already logged in to Active Directory on the OS, we would like to have the user automatically signed in to our WordPress website as soon as they visit it.
When following the documentation only, we were still facing issues which we found very difficult to fix, and it took us a lot of time to get such a setup working successfully. Some of the errors were:
The answer will list all the issues that we faced and how we managed to tackle them, in case someone faces the same problems when setting this up.
Create Keytab file on the Active Directory Domain Controller
ktpass -princ HTTP/intranet.domain.com@DOMAIN.COM -pass "{PASSWORD}" -mapuser username@DOMAIN.COM -Ptype KRB5_NT_PRINCIPAL -out website-auth.keytab
/etc/httpd/kerberos-credentials/website-auth.keytab
Install Kerberos Client Libraries On The Web Server:
Configure the Active Directory domain in the Kerberos Configuration file
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Locate the realm and the KDCs through the SRV records AD publishes in DNS
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Do not reverse-resolve the host when building the service principal; the SPN has to
# match the name the browser requested (intranet.domain.com), not the PTR record
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = DOMAIN.COM
# The des-* and arcfour-hmac types below are deprecated (RFC 6649, RFC 8429) and are only
# needed while the keytab or the AD account still carries such keys; prefer the aes types
default_tkt_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
default_tgs_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-crc aes256-cts-hmac-sha1-96 des-cbc-md5 arcfour-hmac-md5
[realms]
DOMAIN.COM = {
# The AD domain name itself resolves to the domain controllers, which are the KDCs
admin_server = DOMAIN.COM
kdc = DOMAIN.COM
}
[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
[login]
# Leftover Kerberos 4 settings from the distribution template; current MIT Kerberos
# no longer supports Kerberos 4 and ignores them
krb4_convert = true
krb4_get_tickets = true
Install the auth_kerb module for Apache
Configure Kerberos SSO for the site directory
LoadModule auth_kerb_module /usr/lib64/httpd/modules/mod_auth_kerb.so
<Directory "/var/www/html">
# Apache 2.2-style access control; on Apache 2.4 this only works with mod_access_compat
# loaded (the 2.4 equivalent is "Require all granted")
Order allow,deny
Allow from all
AuthType Kerberos
# Realm string the browser shows in its password prompt when it falls back to Basic auth
AuthName "username used in keytab"
KrbAuthRealms DOMAIN.COM
# Must match the principal stored in the keytab exactly, including case
KrbServiceName HTTP/intranet.domain.com@DOMAIN.COM
Krb5Keytab /etc/httpd/kerberos-credentials/website-auth.keytab
# SPNEGO single sign-on for browsers that already hold a ticket
KrbMethodNegotiate On
# Fallback to Basic auth with the AD password; the password travels in clear unless the site is served over HTTPS
KrbMethodK5Passwd On
# Use the keytab to verify the KDC reply so a spoofed KDC cannot get a user accepted
KrbVerifyKDC On
require valid-user
</Directory>
Check httpd_can_network_connect on apache
Check the httpd_can_network_connect setting on the apache server. To do so run:
getsebool -a | grep httpd
It was returning httpd_can_network_connect --> off, so we ran:
setsebool -P httpd_can_network_connect on
Enabled the setting.
Add wordpress website to local intranet on OS
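The keytab and KrbServiceName step is where this kind of setup most often breaks: the principal in the keytab and the one in the Apache config differ in case, or the keytab only carries a key type the web server's permitted_enctypes list does not accept. The following script is an added example and is not part of the original question or answer. It parses a keytab in the MIT format that ktpass writes, prints every principal with its kvno and key type, and reports the checks a practitioner would want before pointing Apache at the file. The sample keytab bytes, the enctype table and the weak-type list are constructed here; the key bytes are placeholders, not real keys.

```python
"""Parse an MIT-format keytab (the file ktpass writes) and check it against the
Apache KrbServiceName. Run with a path to inspect a real keytab; with no
argument it runs on a constructed sample (placeholder key bytes, not real keys)."""
import struct
import sys
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961/3962/4757/8009), named as krb5.conf spells them.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Single DES, triple DES and RC4 are deprecated (RFC 6649, RFC 8429).
WEAK_ENCTYPES = {1, 3, 16, 23}
KRB5_NT_PRINCIPAL = 1  # the -Ptype value the ktpass command on the page uses


@dataclass
class KeytabEntry:
    principal: str  # e.g. "HTTP/intranet.domain.com@DOMAIN.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a counted_octet_string (uint16 length + bytes); return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    """Decode every live entry of a version-0x0502 keytab (deleted slots have a negative size)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:          # deleted entry: skip its bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:    # optional 32-bit kvno overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def check_keytab(entries: list, service_name: str) -> list:
    """Return human-readable findings; an empty list means the keytab matches KrbServiceName."""
    findings = []
    match = [e for e in entries if e.principal == service_name]
    if not match:
        present = sorted({e.principal for e in entries})
        findings.append(f"no entry for {service_name} (keytab holds {present})")
        near = sorted({e.principal for e in entries if e.principal.lower() == service_name.lower()})
        if near:  # principals are case-sensitive; this is the classic DOMAIN.COM vs domain.com slip
            findings.append(f"case mismatch: keytab has {near}")
        return findings
    for e in match:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"kvno {e.kvno}: weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"kvno {e.kvno}: name type {e.name_type}, expected KRB5_NT_PRINCIPAL")
    return findings


def _cos(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: list) -> bytes:
    """Inverse of parse_keytab; used here to construct the sample file."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _cos(e.key) + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return out


SERVICE_NAME = "HTTP/intranet.domain.com@DOMAIN.COM"  # KrbServiceName from the answer above
# Constructed sample: the same principal with an RC4 key and an AES256 key at kvno 3.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SERVICE_NAME, KRB5_NT_PRINCIPAL, 1_600_000_000, 3, 23, bytes(range(16))),
    KeytabEntry(SERVICE_NAME, KRB5_NT_PRINCIPAL, 1_600_000_000, 3, 18, bytes(range(32))),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for e in found:
        print(f"{e.principal}  kvno={e.kvno}  {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for f in check_keytab(found, SERVICE_NAME):
        print("WARNING:", f)
```

On the sample it lists both keys and warns about the arcfour-hmac one; run it against /etc/httpd/kerberos-credentials/website-auth.keytab with the principal from KrbServiceName to see whether Apache will find a matching, non-deprecated key. The kvno printed should also equal the msDS-KeyVersionNumber of the AD account the keytab was mapped to, since every ktpass run with a new password increments it and leaves older keytabs unusable.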
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.