Configuring Kerberos/NTLM Authentication for Apache HTTP Server on Linux with Active Directory Integration

When deploying PHP applications on Linux servers in a Windows domain environment, implementing Integrated Windows Authentication (IWA) presents unique challenges. The core requirement is establishing trust between Apache on Linux and Windows Active Directory.

The most robust modern solution involves using mod_auth_gssapi (successor to mod_auth_kerb) combined with Samba's winbind:

# Install required packages
sudo apt-get install krb5-user libapache2-mod-auth-gssapi samba winbind

First configure Kerberos by editing /etc/krb5.conf:

[libdefaults]
    default_realm = YOURDOMAIN.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    YOURDOMAIN.COM = {
        kdc = dc.yourdomain.com
        admin_server = dc.yourdomain.com
    }

Configure /etc/samba/smb.conf:

[global]
    workgroup = YOURDOMAIN
    realm = YOURDOMAIN.COM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
    winbind use default domain = yes
    winbind offline logon = false

Enable the modules and configure authentication:

# Enable required modules
sudo a2enmod auth_gssapi
sudo a2enmod authnz_ldap

# Virtual host configuration example
<Location /secure>
    AuthType GSSAPI
    AuthName "Kerberos Authentication"
    GssapiCredStore keytab:/etc/apache2/http.keytab
    GssapiLocalName on
    Require valid-user
</Location>

Retrieve authenticated user in PHP:

<?php
// Apache populates REMOTE_USER only after mod_auth_gssapi has accepted the ticket.
if (isset($_SERVER['REMOTE_USER'])) {
    $user = $_SERVER['REMOTE_USER'];
    echo "Authenticated as: ".htmlspecialchars($user);
} else {
    // Defensive fallback: with "Require valid-user" in place Apache rejects
    // unauthenticated requests before PHP runs, so this branch is normally unreachable.
    header('HTTP/1.1 401 Unauthorized');
    echo 'Authentication required';
    exit;
}
?>

After restarting Apache, verify the setup:

  • Verify keytab permissions (the file's group must be Apache's, e.g. www-data, so that mode 640 grants it read access and nothing else): sudo chmod 640 /etc/apache2/http.keytab
  • List the keytab's principals and encryption types: klist -ket /etc/apache2/http.keytab
  • Test Winbind: wbinfo -u should list domain users

For environments where Kerberos isn't feasible, consider:

  1. Shibboleth SP with AD integration
  2. LDAP authentication (simple bind)
  3. OAuth2/OIDC proxy with AD FS

Setting up Integrated Windows Authentication (IWA) for PHP applications running on Apache/Linux when authenticating against a Windows Domain Controller presents several technical challenges. The most common approaches rely on either Kerberos or NTLM authentication protocols.

While mod_auth_kerb and mod_auth_ntlm_winbind exist as potential solutions, their outdated status (last updated in 2007-2008) raises concerns about security and compatibility with modern systems.

The most reliable current solution involves using mod_auth_gssapi (the successor to mod_auth_kerb) combined with proper Kerberos configuration:

# Install required packages on Debian/Ubuntu
sudo apt-get install libapache2-mod-auth-gssapi krb5-user

1. Configure Kerberos (/etc/krb5.conf):

[libdefaults]
    default_realm = YOURDOMAIN.COM
    ticket_lifetime = 24h
    renew_lifetime = 7d
[realms]
    YOURDOMAIN.COM = {
        kdc = dc.yourdomain.com
        admin_server = dc.yourdomain.com
    }

2. Apache configuration (/etc/apache2/sites-available/your-site.conf):

<Location /secure-area>
    AuthType GSSAPI
    AuthName "Windows Authentication"
    GssapiCredStore keytab:/etc/apache2/http.keytab
    Require valid-user
</Location>

On your Windows Domain Controller, create a service principal and export the keytab:

ktpass -princ HTTP/webserver.yourdomain.com@YOURDOMAIN.COM -mapuser apachesvc ^
       -pass MyPassword -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL ^
       -out http.keytab

Then copy the keytab to your Linux server at /etc/apache2/http.keytab with restrictive permissions: owned by root, readable by the Apache group only (mode 640), and never world-readable, since anyone who can read the keytab holds the web server's Kerberos key.
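The following script is an added example, not code from the original page: it turns the keytab checks above (permissions, klist -ket listing, kinit test) into functions that can be run after the keytab has been copied into place. It assumes Linux with GNU coreutils (stat -c), MIT Kerberos client tools (the klist -ket output format), and the placeholder path, group (www-data on Debian/Ubuntu) and principal used elsewhere on this page; adjust those to your environment.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the Apache service keytab.
# Assumes Linux + GNU coreutils and MIT Kerberos tools; values below are placeholders.

KEYTAB="${KEYTAB:-/etc/apache2/http.keytab}"
APACHE_GROUP="${APACHE_GROUP:-www-data}"        # Apache's group on Debian/Ubuntu
SERVICE_PRINCIPAL="${SERVICE_PRINCIPAL:-HTTP/webserver.yourdomain.com@YOURDOMAIN.COM}"

# install_keytab SRC: copy the exported keytab into place with safe ownership and mode.
install_keytab() {
    install -o root -g "$APACHE_GROUP" -m 640 "$1" "$KEYTAB"
}

# check_keytab_mode FILE GROUP
# Returns 0 when FILE is readable by GROUP at most and not by "others".
# A world-readable keytab lets any local account use the web server's key.
check_keytab_mode() {
    file=$1
    group=$2
    [ -f "$file" ] || { echo "keytab missing: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file")
    grp=$(stat -c '%G' "$file")
    case "$mode" in
        640|600|440|400) ;;
        *) echo "keytab mode is $mode, want 640 (or stricter)" >&2; return 1 ;;
    esac
    if [ "$grp" != "$group" ]; then
        echo "keytab group is $grp, want $group" >&2
        return 1
    fi
    return 0
}

# check_keytab_entries PRINCIPAL   (reads 'klist -ket' output on stdin)
# Returns 0 when PRINCIPAL is present and every entry uses an AES enctype,
# 1 when the principal is absent, 2 when a weak enctype (RC4/DES) is present.
check_keytab_entries() {
    principal=$1
    found=0
    weak=0
    while IFS= read -r line; do
        case "$line" in
            *"$principal"*) found=1 ;;
        esac
        case "$line" in
            *'('*')'*)
                # MIT klist -e prints the enctype in parentheses after the principal
                enctype=${line##*"("}
                enctype=${enctype%%")"*}
                case "$enctype" in
                    aes*) ;;
                    *) weak=1; echo "weak enctype in keytab: $enctype" >&2 ;;
                esac
                ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "principal $principal not found in keytab" >&2; return 1; }
    [ "$weak" -eq 0 ] || return 2
    return 0
}

# Live checks: mode, entries, then a kinit that proves the key matches the KDC.
run_keytab_checks() {
    check_keytab_mode "$KEYTAB" "$APACHE_GROUP" || return 1
    klist -ket "$KEYTAB" | check_keytab_entries "$SERVICE_PRINCIPAL" || return 1
    kinit -kt "$KEYTAB" "$SERVICE_PRINCIPAL" || return 1
    kdestroy
}

# Run the live checks only when explicitly requested: KEYTAB_CHECK=1 sh keytab-check.sh
if [ "${KEYTAB_CHECK:-0}" = "1" ]; then
    run_keytab_checks
fi
```

Run it as root with KEYTAB_CHECK=1 after copying the keytab. The kinit step is the decisive one: if the service account's password was reset after ktpass ran, the keytab's key version (KVNO) no longer matches the KDC and every browser request fails with a 401 even though the Apache configuration is correct.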

To access the authenticated user in PHP:

<?php
if (isset($_SERVER['REMOTE_USER'])) {
    $user = $_SERVER['REMOTE_USER'];
    // mod_auth_gssapi sets REMOTE_USER to user@REALM unless GssapiLocalName is on;
    // an NTLM/winbind setup may yield DOMAIN\user instead. Strip either prefix/suffix.
    // Dropping the realm is only safe when Apache admits a single realm; with
    // cross-realm trusts, keep the realm to avoid collapsing distinct identities.
    $user = preg_replace('/^.*\\\\/', '', $user);
    $user = preg_replace('/@.*$/', '', $user);
    echo "Authenticated as: " . htmlspecialchars($user);
}
?>

For environments where Kerberos isn't feasible, you can fall back to NTLM through Samba's winbind, bearing in mind the caveat above about mod_auth_ntlm_winbind's age:

# Install required packages
sudo apt-get install winbind libapache2-mod-auth-ntlm-winbind

# Configure smb.conf
[global]
   workgroup = YOURDOMAIN
   security = ads
   realm = YOURDOMAIN.COM
   winbind use default domain = yes
   winbind offline logon = false

Troubleshooting:

  • Verify Kerberos tickets with klist
  • Check Apache error logs for GSSAPI-related messages
  • Use Wireshark or tcpdump to examine authentication traffic
  • Test basic Kerberos functionality with kinit username@DOMAIN.COM