
Trying to stand up a LAMP server on a Windows AD and get passthrough authentication working. One gotcha (which may not be as big of a deal as I'm making it), the hostname and hosted URL do NOT match: LAMP hostname is intranethost.mspca.org, hosted URL is https://testintranet.mspca.org

AD is forest/domain level 2012R2.

LAMP is Debian 11.8 with mod_auth_gssapi installed with Apache. The LAMP does NOT have Samba installed, and is NOT a member of the AD domain (wasn't sure if that was necessary).

Created a keytab file from the Windows DC with the following:

ktpass -princ HTTPS/[email protected] -mapuser [email protected] -pass ******** -ptype KRB5_NT_PRINCIPAL -out testintranet-spn.keytab

My realm is added correctly into krb5.conf, and kinit from the LAMP passes with flying colors.

Apache conf (based on a tutorial at https://www.jfcarter.net/%7Ejimc/documents/bugfix/41-auth-kerb.html):

    <IfModule !mod_auth_gssapi.c>
        LoadModule auth_gssapi_module /usr/lib64/httpd/modules/mod_auth_gssapi.so
    </IfModule>

    <VirtualHost *:80>
        ServerName testintranet.mspca.org
        # Redirect permanent / https://testintranet.mspca.org/
    </VirtualHost>

    <VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/star_mspca_org.crt
        SSLCertificateKeyFile /etc/ssl/private/star_mspca_org.key
        ServerAdmin [email protected]
        ServerName testintranet.mspca.org
        DocumentRoot /var/www/html/wordpress/

        <Directory "/var/www/html/wordpress/">
            AllowOverride All
            # mod_auth_gssapi: Kerberos (SPNEGO) over TLS only, with Basic fallback
            AuthType GSSAPI
            AuthName "GSSAPI Single Sign On Login"
            GssapiSSLonly On
            GssapiAllowedMech krb5
            GssapiBasicAuth On
            GssapiCredStore keytab:/etc/apache2/testintranet-spn.keytab
            GssapiLocalName On
            BrowserMatch Windows gssapi-no-negotiate
            Require valid-user
            GssapiNegotiateOnce on
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/wordpress.error.log
        CustomLog ${APACHE_LOG_DIR}/wordpress.access.log combined
        LogLevel info auth_gssapi:debug ssl:warn
    </VirtualHost>

The authentication itself is in fact working, but I still get the initial login prompt for the site. It's not carrying the currently logged-in creds over to the session. I've added every permutation of the site (http/s, short name, FQDN) into a GPO for the Intranet security-level page, but Chrome is still stubbornly displaying the login dialog. The only 'error' in the Apache logs is the ever-helpful: NO AUTH DATA Client did not send any authentication headers

Flipping GssapiBasicAuth to OFF eliminates the dialog, but I immediately get a 401 Unauthorized, so it's like it isn't even trying to pass the headers...

Any suggestions?

  • If Chrome is not sending a W3 auth header with a Kerberos token from the logged on session in response to the 401, you may want to try the Chrome specific GPOs in the following article. specopssoft.com/blog/… Commented Oct 26, 2023 at 16:56

1 Answer


This little guy:

BrowserMatch Windows gssapi-no-negotiate

I swear, I saw on multiple sites "if you don't have this line, Windows clients won't work..."

I took that line out, and now it works 100% as expected. The authentication passes through from the currently logged-in Windows user (through Chrome to a FQDN internal host) just fine.

Just in case some future Google search leads someone here...
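The two symptoms in the question (a login dialog with GssapiBasicAuth On, a bare 401 with it Off) can be told apart from the server's WWW-Authenticate challenge alone, which is the first thing to check before touching browser GPOs. The following is an added example, not code from the question, the answer, or the mod_auth_gssapi project; it assumes the documented behaviour that the gssapi-no-negotiate environment variable suppresses the Negotiate challenge, the sample responses are constructed, and the hostname is the one from the question.

```python
# Added example: classify an Apache/mod_auth_gssapi 401 by its WWW-Authenticate
# headers to separate "server never offered Negotiate" from "server offered it
# but the browser declined to use it".
import ssl
from http.client import HTTPSConnection


def parse_response(raw):
    """Split a raw 'curl -i' style response into (status, [WWW-Authenticate values])."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    lines = raw.split(sep, 1)[0].splitlines()
    status = int(lines[0].split()[1])
    challenges = [l.split(":", 1)[1].strip() for l in lines[1:]
                  if l.lower().startswith("www-authenticate:")]
    return status, challenges


def classify(status, challenges):
    """Map the challenge set to the symptom it produces on a domain-joined client."""
    schemes = {c.split()[0].lower() for c in challenges}
    if status != 401:
        return "no-challenge"       # content served; authentication is not the blocker
    if "negotiate" in schemes:
        return "negotiate-offered"  # server side is fine; look at browser zone / SPN
    if "basic" in schemes:
        return "basic-only"         # Negotiate suppressed -> login dialog (question's symptom)
    return "bare-401"               # no scheme at all -> 401 with no prompt (GssapiBasicAuth Off)


def probe(host, path="/", user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"):
    """Fetch the challenge live; the Windows UA matters because BrowserMatch keys on it."""
    conn = HTTPSConnection(host, context=ssl.create_default_context())
    conn.request("GET", path, headers={"User-Agent": user_agent})
    resp = conn.getresponse()
    return classify(resp.status, resp.headers.get_all("WWW-Authenticate") or [])


# Constructed responses: what the question's config is expected to emit for a
# Windows UA with "BrowserMatch Windows gssapi-no-negotiate" present, and without it.
WITH_BROWSERMATCH = ("HTTP/1.1 401 Unauthorized\r\n"
                     "WWW-Authenticate: Basic realm=\"GSSAPI Single Sign On Login\"\r\n"
                     "Content-Type: text/html\r\n\r\n<html>...</html>")
WITHOUT_BROWSERMATCH = ("HTTP/1.1 401 Unauthorized\r\n"
                        "WWW-Authenticate: Negotiate\r\n"
                        "WWW-Authenticate: Basic realm=\"GSSAPI Single Sign On Login\"\r\n"
                        "\r\n")

if __name__ == "__main__":
    for raw in (WITH_BROWSERMATCH, WITHOUT_BROWSERMATCH):
        print(classify(*parse_response(raw)))   # basic-only, then negotiate-offered
    # probe("testintranet.mspca.org")  # live check against the question's host
```

Paste the output of `curl -si -A "Mozilla/5.0 (Windows NT 10.0)" https://testintranet.mspca.org/` into parse_response to classify a real server without the live probe.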
