
How to Use Kerberos Authentication on NGINX Web-Server

Introduction

This guide explains how to configure NGINX as a proxy for Kerberos authentication using the stream module. It applies only to CentOS/RedHat-based systems. The configuration allows forwarding authentication requests to the Kerberos Key Distribution Center (KDC), supporting SSO access to systems like Easy8.

Target Audience

  • Administrator

Prerequisites

Before starting, ensure you have:

  • A CentOS/RedHat system with NGINX installed
  • Access to Kerberos KDC (e.g., kdc01.easyproject.com)
  • Sudo or root privileges
  • If using Active Directory, ensure client browser configuration allows Kerberos SSO

How to Configure NGINX for Kerberos Authentication

Step 1: Verify NGINX is Installed

nginx -v

Step 2: Check for ngx_stream_module

nginx -V

Look for --with-stream=dynamic in the output.

If it is missing, uninstall NGINX and reinstall it from source or an appropriate RPM. You can search for packages at:
rpmfind.net

Step 3: Locate ngx_stream_module.so


cd /
find / -name ngx_stream_module.so

Example path: /usr/lib64/nginx/modules/ngx_stream_module.so

Step 4: Configure NGINX

vim /etc/nginx/nginx.conf

Paste the following (adjust the module path if needed):


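user nginx;
worker_processes 1;
# Load the dynamic stream module (path found in Step 3)
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
  worker_connections 1024;
}

# Layer-4 (TCP) forwarding to the KDC
stream {
  # debug level is verbose; useful while testing the proxy
  error_log /var/log/nginx/stream_error.log debug;

  # Kerberos authentication traffic (KDC), TCP port 88
  server {
    listen 88;
    proxy_pass kdc01.easyproject.com:88;
  }

  # Kerberos administration traffic (kadmin), TCP port 749
  server {
    listen 749;
    proxy_pass kdc01.easyproject.com:749;
  }
}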

Step 5: Enable and Start NGINX


systemctl enable nginx
systemctl start nginx

Step 6: Check Listening Ports

netstat -tupnl | grep nginx

NGINX is now ready to forward Kerberos-related traffic.
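
The checks from Step 2 and Step 6 can be scripted. The following is an added example, not part of the original guide or of Easy8's tooling: it classifies the stream-module build flag from nginx -V output and reports which of the two proxied ports has no nginx listener. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify Step 2 (stream module) and Step 6 (listeners).
# Function names and sample data are constructed for illustration.

# Classify stream support from `nginx -V` text: dynamic | static | missing.
# The trailing "( |$)" keeps --with-stream_ssl_module from matching.
stream_support() {
  if printf '%s\n' "$1" | grep -Eq -- '--with-stream=dynamic( |$)'; then
    echo dynamic   # needs the load_module line from Step 4
  elif printf '%s\n' "$1" | grep -Eq -- '--with-stream( |$)'; then
    echo static    # compiled in, no load_module line needed
  else
    echo missing   # reinstall NGINX as described in Step 2
  fi
}

# Given `netstat -tupnl` text, print the proxied ports (88 and 749)
# that have no nginx-owned TCP listener. Empty output means both are up.
missing_listeners() {
  _missing=""
  for _port in 88 749; do
    printf '%s\n' "$1" | awk -v p="$_port" '
      $1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/nginx/ {
        n = split($4, a, ":"); if (a[n] == p) found = 1
      }
      END { exit !found }' || _missing="$_missing $_port"
  done
  echo "${_missing# }"
}

# Constructed sample input (not captured from a real host).
SAMPLE_BUILD='nginx version: nginx/0.0.0
configure arguments: --prefix=/usr/share/nginx --with-stream=dynamic --with-stream_ssl_module'
SAMPLE_SOCKETS='tcp   0   0 0.0.0.0:88   0.0.0.0:*   LISTEN   1234/nginx: master
tcp   0   0 0.0.0.0:22   0.0.0.0:*   LISTEN   900/sshd'

echo "stream support:    $(stream_support "$SAMPLE_BUILD")"
echo "missing listeners: $(missing_listeners "$SAMPLE_SOCKETS")"

# On a live host (nginx -V prints to stderr, hence 2>&1):
#   stream_support "$(nginx -V 2>&1)"
#   missing_listeners "$(netstat -tupnl 2>/dev/null)"
```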

Web Client Configuration (for Active Directory)

To allow browser-based Kerberos SSO, add your domain (e.g., easyproject.com) to trusted locations:

  • Internet Explorer / Edge / Chrome (inherits from IE):
    • Tools → Internet Options → Security → Local Intranet → Sites → Advanced → Add domain
  • Firefox:
    • Go to: about:config
    • Edit:
      • network.negotiate-auth.trusted-uris
      • network.automatic-ntlm-auth.trusted-uris
      Add: easyproject.com

Debugging

To verify that Easy8 receives SSO data:

  1. Visit: https://www.easyproject.com/sso_variables
  2. Check:
    • Current value
    • Current login
    • Current user in DB
    These should reflect the authenticated user.

Conclusion

You have successfully configured NGINX with Kerberos support using the stream module. With browser and server configurations complete, users can now benefit from SSO access to protected applications like Easy8.
