Question

I'm not very practised in using Kerberos. But I want to implement a single-sign-on with Kerberos.

The aim I want to achieve is that you only have to log in to Windows 7 and then open the browser, and no other authentification is required, e.g. for an intranet. Is this possible?

Kerberos is using tickets. The first step is getting the ticket granting ticket, isn't it? And Windows Server is using Kerberos for authentification. So is there a ticket granting ticket after the login in Windows? Can I use this (if there is one) for getting a service ticket for other services?

Another question is about Apache: When I use Kerberos with a Linux server, I need a module named mod_auth_kerb, isn't it? If this is installed on my Linux server, can I use Kerberos authentification? If there is an intranet on the Linux server, how is it possible to authentificate with Kerberos? Should I authentificate in the PHP code, or is it e.g. possible to "learn" Apache to authentificate in some way?

Thanks a lot for helping :)

Kind regards, Wuz


Solution

Yes, this is all possible and done all the time. When you log into a domain account, Windows acquires a Kerberos credential (ticket-granting ticket or TGT) from a domain controller using your password, which in turn allows you to get tickets for other services without re-entering your password. You can see the TGT and any other tickets you have for specific services with klist.exe. Web browsers use the HTTP Negotiate exchange to send a ticket to the web server, which the server can use to identify you (an optional return token can also authenticate the server to the client). The server must be a member of the same Kerberos realm, or one which has a chain of realm trusts to yours.

mod_auth_kerb is the most common module used for Kerberos authentication in Apache. You would add a Kerberos principal for the web server to an AD account using setspn.exe, of the form HTTP/server-hostname. Then create a file holding that principal's keys, called a "keytab," using ktpass.exe on Windows or a program like ktutil on Unix (for which you need the AD account's password). The mod_auth_kerb configuration refers to the keytab. mod_auth_kerb sets the environment variable REMOTE_USER to the client's identification, and you would just read that in your application (PHP code in this case).

You must configure the web browser to actually use HTTP Negotiate authentication, the details of which vary from one browser to another.

This is just answering your immediate questions in a high-level way; there are lots of other details involved, of course, since you're dealing with a whole infrastructure and several parts which have to be coordinated: Kerberos, DNS names, principal names, browser configuration, Apache, etc.

By the way: the word in English is "authenticate," not "authentificate."
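The setup the answer describes (SPN registered with setspn.exe, keytab exported with ktpass.exe, mod_auth_kerb pointed at the keytab, application reading REMOTE_USER) as one concrete Apache virtual host. This is an added example, not part of the original answer; the hostname intranet.example.com, the realm EXAMPLE.COM, the keytab path /etc/httpd/krb5.keytab and the certificate paths are assumptions chosen for illustration.

```apache
# Added example, not from the original answer. Assumes the web server is
# intranet.example.com in the AD realm EXAMPLE.COM, that an SPN of
# HTTP/intranet.example.com was registered with setspn.exe on the service
# account, and that the keytab produced by ktpass.exe (or ktutil) was copied
# to /etc/httpd/krb5.keytab, owned by the Apache user and mode 0400.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<VirtualHost *:443>
    ServerName intranet.example.com

    # Negotiate only authenticates the client; TLS protects the session
    # and the application data that follows the handshake.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.example.com.key

    DocumentRoot /var/www/intranet

    <Directory /var/www/intranet>
        AuthType Kerberos
        AuthName "Intranet"

        # Keys for HTTP/intranet.example.com@EXAMPLE.COM. The service name
        # must match the SPN the browser will request a ticket for, which is
        # derived from the hostname in the URL.
        Krb5Keytab     /etc/httpd/krb5.keytab
        KrbServiceName HTTP/intranet.example.com

        # Accept only tickets from this realm (add trusted realms explicitly
        # if cross-realm users are expected).
        KrbAuthRealms EXAMPLE.COM

        # SPNEGO/Negotiate only. Keep the password fallback off: with it on,
        # a browser that cannot do Negotiate would be prompted for the user's
        # domain password and send it to the web server, which defeats SSO.
        KrbMethodNegotiate On
        KrbMethodK5Passwd  Off

        # Do not write delegated credentials to disk on the web server.
        KrbSaveCredentials Off

        # Strip "@EXAMPLE.COM" so REMOTE_USER is the short account name.
        # Only applies to principals in the default realm of krb5.conf.
        KrbLocalUserMapping On

        # Fail closed: do not fall through to other auth modules.
        KrbAuthoritative On

        Require valid-user
    </Directory>
</VirtualHost>
```

With this in place the PHP code does nothing but read `$_SERVER['REMOTE_USER']` (the short name "wuz" here; without `KrbLocalUserMapping` it arrives as "wuz@EXAMPLE.COM", and the realm part should then be checked rather than discarded). Before touching the browser, confirm the server side on the Linux host: `klist -kt /etc/httpd/krb5.keytab` should list HTTP/intranet.example.com@EXAMPLE.COM with the expected key version, and `kinit -kt /etc/httpd/krb5.keytab HTTP/intranet.example.com` should succeed; a key version mismatch after re-running ktpass.exe is the usual cause of "Wrong principal in request" errors. Users must also reach the site by the name in the SPN (an IP address or an alias that is not registered as an SPN will not get a service ticket), and the browser needs the site in its list of hosts allowed for Negotiate, as the answer notes.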

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow