apache using mod_auth_kerb always asks for the password twice

Solution 1

I don't know if you still need the answer, but I hope I will help someone else by sharing my experience. I believe if you follow theese steps, everything will work fine.

1. Make sure you have proper DNS entry for SYD01TBUG02 (A record) on your DNS server pointing to your webserver
2. Make sure that you've you have assosiation between SPN of your webservice and AD user. On AD server run this command:

   setspn -A HTTP/SYD01TBUG02.onevue.com.au.local ad_username

3. Make sure that you've proper keytab generated. Run this command in your AD server:

   ktpass -princ HTTP/[email protected] -mapuser ad_username -pass xxxxxx -crypto ALL -ptype KRB5_NT_PRINCIPAL -out SYD01TBUG02.keytab -setupn -setpass

   where xxxxxx is AD user password. We use -crypto ALL option to make sure we add all supported hashes to the keytab file.
4. Now you should copy generated SYD01TBUG02.keytab file to your webserver and copy it to the certain directory. For example, let's copy it to the /etc/apache2/keytab/ folder.
5. Example of apache config file for webservice:

   &ltVirtualHost *:80>
       DocumentRoot "/var/www/kerberos"
       ServerName SYD01TBUG02.onevue.com.au.local
       ServerAlias SYD01TBUG02
       AddDefaultCharset UTF-8
       DirectoryIndex index.php
       ErrorLog /var/log/apache2/error_SYD01TBUG02.log
       TransferLog /var/log/apache2/transfer_SYD01TBUG02.log
       LogLevel warn
       ServerAdmin [email protected]
       
       &ltLocation "/">
           AuthType Kerberos
           KrbAuthRealms ONEVUE.COM.AU.LOCAL
           KrbServiceName HTTP/[email protected]
           Krb5Keytab /etc/apache2/keytab/SYD01TBUG02.keytab
           KrbMethodNegotiate on
           KrbMethodK5Passwd on
           KrbVerifyKDC on
           require valid-user    
       &lt/Location>
       &ltDirectory />
       &lt/Directory>
   &lt/VirtualHost> 
   

Reload or restart apache sudo service apache2 reload
6. Now if you type http://SYD01TBUG02/ in your browser address bar, you will be automatically logged in your web service via SSO (Chrome, Chromium-like browsers and IE support SSO out of box, but there is also a plugin for Firefox).

Hope that will help to set up your Kerberos auth on webserver.

P.S. If you want to enable SSO by full address (e.g. SYD01TBUG02.onevue.com.au.local) you should add SYD01TBUG02.onevue.com.au.local to the intranet zone either via AD Group Policies (if wou need this on several machines in domain) or locally via Internet Explorer settings. Theese settings affect on all browsers installed in system.

Solution 2

That's because the first time the user enters u/p an ntlm token is sent to the server. The second time it's the correct kerberos token.

Unfortunately there is no way you can eliminate the first prompt.

Related videos on Youtube

10 : 39

How to Setup Password Authentication with Apache in Ubuntu

LinuxHelp

6

03 : 47

apache using mod_auth_kerb always asks for the password twice (3 Solutions!!)

Roel Van de Paar

5

37 : 25

Migrating from AJP to HTTP: It's About Time

TheApacheFoundation

1

04 : 04

XAMPP apache port 80 is being used by another application

Code Amir

1

06 : 00

Concurrent http requests using Apache Http Client Part-3

Brainstorming with alok

1

Author by

DrStalker

Not my real birthdate.

Updated on September 18, 2022