
How to Use Kerberos Authentication on Apache2 Web-Server

Introduction

This guide shows how to configure Apache2 to use Kerberos authentication. This provides Single Sign-On (SSO) for users in a Kerberos realm, giving them secure, password-free access to a web application such as Easy8.

Target Audience

  • Administrator

Prerequisites

Before starting, ensure you have:

  • A working Kerberos server (MIT or AD-based)
  • Apache2 web server installed
  • Root or sudo access
  • Keytab file for the HTTP service principal
  • Service principal names (SPNs) set, if using Active Directory

How to Set Up Kerberos Authentication on Apache2

Step 1: Install the Required Module

Debian-based systems:

apt-get install libapache2-mod-auth-kerb

Red Hat-based systems:

yum install mod_auth_kerb

If the module is not loaded automatically, add it manually:

LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so

Step 2: Create a Service Principal

kadmin -p manager/admin -q "addprinc -randkey HTTP/www.easyproject.com"

Step 3: Create the Keytab File

Debian:


kadmin -p manager/admin -q "ktadd -k /etc/apache2/http.keytab HTTP/www.easyproject.com"
chown www-data /etc/apache2/http.keytab

Red Hat:


kadmin -p manager/admin -q "ktadd -k /etc/httpd/http.keytab HTTP/www.easyproject.com"
chown apache /etc/httpd/http.keytab

If you are using Active Directory, use the http.keytab file generated on Windows instead.

Step 4: Test the Keytab


kinit -k -t /etc/apache2/http.keytab HTTP/www.easyproject.com
klist

Step 5: Configure Apache Authentication


<Location />
  AuthType Kerberos
  AuthName "EasyProject"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  Krb5Keytab /etc/apache2/http.keytab
</Location>

For Active Directory, also set the realm and the service name:


<Location />
  KrbAuthRealms EASYPROJECT.COM
  KrbServiceName HTTP/www.easyproject.com
</Location>

Step 6: Define Access Rules

Specific users:


<Location />
  Require user dougal@EASYPROJECT.COM brian@EASYPROJECT.COM ermintrude@EASYPROJECT.COM dylan@EASYPROJECT.COM
</Location>

All valid users:


<Location />
  Require valid-user
</Location>

Step 7: Reload Apache Configuration

service apache2 force-reload
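
A check worth running against the finished configuration, given as an added example that is not part of the original guide: it confirms that the directives from Steps 5 and 6 are all present in one file and that the keytab is not readable by group or other. The function names are hypothetical, and the script assumes the directives sit in a single file and that mod_auth_kerb falls back to password authentication unless KrbMethodK5Passwd is explicitly off.

```shell
# Succeeds only if $1 is a regular file with no group/other permission bits.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the value of the last uncommented occurrence of directive $1 in file $2.
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$2"
}

# Prints one finding per line for config file $1; returns 1 if any were found.
audit_krb_conf() {
    conf=$1 findings=0
    [ "$(directive_value AuthType "$conf" | tr 'A-Z' 'a-z')" = "kerberos" ] ||
        { echo "AuthType is not Kerberos"; findings=1; }
    # Assumption: password fallback stays enabled unless it is switched off.
    [ "$(directive_value KrbMethodK5Passwd "$conf" | tr 'A-Z' 'a-z')" = "off" ] ||
        { echo "KrbMethodK5Passwd is not off: password fallback enabled"; findings=1; }
    # Without a Require rule (Step 6) Apache does not enforce authentication.
    [ -n "$(directive_value Require "$conf")" ] ||
        { echo "no Require directive: authentication is not enforced"; findings=1; }
    keytab=$(directive_value Krb5Keytab "$conf")
    keytab_perms_ok "$keytab" ||
        { echo "keytab missing or readable by group/other: $keytab"; findings=1; }
    return "$findings"
}

if [ "$#" -gt 0 ]; then
    audit_krb_conf "$1"
else
    # Constructed sample: Step 5's block on its own, without a Step 6 rule
    # and pointing at a keytab path that does not exist.
    sample=$(mktemp)
    printf '%s\n' '<Location />' '  AuthType Kerberos' '  KrbMethodK5Passwd off' \
        '  Krb5Keytab /nonexistent/http.keytab' '</Location>' > "$sample"
    audit_krb_conf "$sample" || true
    rm -f "$sample"
fi
```

Pass the path of the Apache configuration file that holds the `<Location />` block as the only argument; a non-zero exit status means at least one finding was printed.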

Conclusion

You have now configured Apache2 to use Kerberos authentication. This setup allows secure, password-free login for users in your Kerberos realm and is compatible with both MIT Kerberos and Active Directory environments.
