Deploying mod_spnego

SPNEGO is a negotiated authentication mechanism for HTTP which can be used to take advantage of Kerberos credentials for web site login (an alternative to simple username/password, or client digital certificates).

The reference implementation for Apache, mod_spnego, can be downloaded from SourceForge and contains straightforward build instructions. It’s also possible to use Stanford WebAuth in SPNEGO mode.

To build the module you need development libraries for the following (I’ve added the SLES package names, for reference):

  • openssl (libopenssl-devel)
  • krb5 (krb5-devel, krb5-devel-32bit)
  • apache (apache2-devel)

Follow the instructions in the module source. On SLES, be sure to run the apxs command as root, because apxs installs the module into the server's module directory immediately after compiling it.

Enabling the module is again quite straightforward:

    Krb5AuthEachReq Off
    <Directory "/foo/bar/quux">
        AllowOverride AuthConfig
        Krb5KeyTabFile /etc/apache2/HTTP.keytab
        Krb5ServiceName HTTP
        AuthType SPNEGO
        Require valid-user
    </Directory>

You’ll need to install a keytab for the HTTP service principal. The method differs depending on the type of KDC you have, but for a Windows AD KDC, using Samba’s net tool, this would be:

    net ads -U 'username@realm%password' keytab add HTTP

As verification I wrote a simple Perl CGI script to echo back $ENV{REMOTE_USER} which emitted user@REALM, as expected.
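The check described above, written as an added example in Python rather than the author’s Perl: a CGI script that echoes the principal mod_spnego placed in REMOTE_USER, but only after confirming that the request was actually authenticated and that the principal belongs to the realm the site expects. This is not code from the post or from mod_spnego. It assumes Apache exports the configured AuthType as the CGI variable AUTH_TYPE (adjust EXPECTED_AUTH_TYPE if your build reports something else), and EXAMPLE.COM is a placeholder realm.

```python
"""Added example (not from the post): a CGI script that validates and echoes
the Kerberos principal that mod_spnego exports in REMOTE_USER."""
import os
import re
import sys

# Both values are assumptions for this example, not values from the post.
EXPECTED_REALM = "EXAMPLE.COM"      # realm the site trusts; Kerberos realms are case-sensitive
EXPECTED_AUTH_TYPE = "SPNEGO"       # what Apache reports in AUTH_TYPE for this Directory

# REMOTE_USER arrives as <user>@<REALM>; exactly one '@' separates the two parts.
_PRINCIPAL_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[^@\s]+)$")


def parse_principal(remote_user):
    """Split 'user@REALM' into (user, realm); raise ValueError if it is missing or malformed."""
    if not remote_user:
        raise ValueError("REMOTE_USER is empty: the request reached the script unauthenticated")
    match = _PRINCIPAL_RE.match(remote_user)
    if match is None:
        raise ValueError("REMOTE_USER %r is not of the form user@REALM" % remote_user)
    return match.group("user"), match.group("realm")


def check_identity(environ, expected_realm=EXPECTED_REALM,
                   expected_auth_type=EXPECTED_AUTH_TYPE):
    """Return (user, realm) only if the request was authenticated by the expected
    mechanism and the principal comes from the expected realm."""
    auth_type = environ.get("AUTH_TYPE", "")
    if auth_type.upper() != expected_auth_type.upper():
        raise ValueError("request was not authenticated by %s (AUTH_TYPE=%r)"
                         % (expected_auth_type, auth_type))
    user, realm = parse_principal(environ.get("REMOTE_USER", ""))
    # A principal from a trusted foreign realm still authenticates at the Kerberos
    # layer; the application decides whether that realm is allowed here.
    if realm != expected_realm:
        raise ValueError("principal %s@%s comes from an unexpected realm" % (user, realm))
    return user, realm


def cgi_response(environ):
    """Build the complete CGI response (header block plus body) as one string."""
    try:
        user, realm = check_identity(environ)
    except ValueError as exc:
        return ("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                "rejected: %s\r\n" % exc)
    return "Content-Type: text/plain\r\n\r\nuser=%s realm=%s\r\n" % (user, realm)


if __name__ == "__main__":
    # Under Apache the real environment carries AUTH_TYPE and REMOTE_USER.
    sys.stdout.write(cgi_response(os.environ))
```

Drop the script into the Directory protected above and request it with a browser that has a ticket; an unauthenticated request never reaches the script (mod_spnego returns 401 first), so the 403 branch only fires on a misconfiguration or an unexpected realm.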

Sadly, when testing this out I found the use of SPNEGO is not enabled by default in all browsers (for example, Google Chrome). A managed desktop seems the only way to ensure the user has both Kerberos credentials and a browser started with the correct features enabled. Otherwise, it’d be just too much work?

This entry was posted in devops, kerberos, windows.