
I'm trying to create a generic apache2 webserver as an authentication "gateway".

Scenario: Someone browses to spn-servername.active-directory.int/secure, apache should try to use kerberos to verify the user (best case with SSO) and redirect him to a backend / another webservice.

It works to the point where the auth and SSO are successful but I don't know how to generalize it for different containers on OpenShift and use the same Active Directory user.

The problem is, if I change the servername of the container and the apache conf servername, auth still works but SSO fails. I guess it's because the SPN of the active directory user and the servername are different? I want to deploy different applications with different servernames without changing the user/keytab.

What is the best practice to configure multiple apache authentication gateways with different hostnames but with the same Active Directory user?

000default.conf

<VirtualHost *:80>
  ServerName generic-hostname.active-directory.int

  DocumentRoot "/var/www/html"

  <IfModule !mod_auth_kerb.c>
    LoadModule auth_gssapi_module /usr/lib/apache2/modules/mod_auth_gssapi.so
  </IfModule>

  LimitRequestFieldSize 32768
  <Location "/secure">
    AuthType GSSAPI
    AuthName "GSSAPILogin"
    GssapiBasicAuth On
    GssapiCredStore keytab:/etc/http.keytab
    Require valid-user
  </Location>

  LogLevel debug
  ErrorLog /var/log/apache2/sso.test.local-error.log
  CustomLog /var/log/apache2/sso.test.local-access.log combined
</VirtualHost>

keytab generation:

ktpass -princ HTTP/spn-servername.active-directory.int@active-directory.int -mapuser sysaccount99@active-directory.int -pass mysecret -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\Temp\http.keytab

Active Directory user:

displayName: sysaccount99
sAMAccountName: sysaccount99
userPrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int
servicePrincipalName: HTTP/spn-servername.active-directory.int@active-directory.int and HTTP/spn-servername.active-directory.int

/var/log/apache2/sso.test.local-error.log if SSO not working:

[Wed Jan 08 14:00:11.964555 2020] [core:trace5] [pid 871:tid 139656674920192] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.964643 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.964649 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.964652 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.964655 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.964658 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.964661 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.964664 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Connection: keep-alive
[Wed Jan 08 14:00:11.964667 2020] [http:trace4] [pid 871:tid 139656674920192] http_request.c(398): [client 192.168.56.1:55607]   Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.964707 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964713 2020] [authz_core:debug] [pid 871:tid 139656674920192] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.964728 2020] [auth_kerb:debug] [pid 871:tid 139656674920192] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.964734 2020] [core:trace3] [pid 871:tid 139656674920192] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.964796 2020] [http:trace3] [pid 871:tid 139656674920192] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.964804 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1136): [client 192.168.56.1:55607]   Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.964807 2020] [http:trace5] [pid 871:tid 139656674920192] http_filters.c(1139): [client 192.168.56.1:55607]   Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.964810 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   WWW-Authenticate: Negotiate
[Wed Jan 08 14:00:11.964813 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.964816 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Content-Length: 479
[Wed Jan 08 14:00:11.964819 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Keep-Alive: timeout=5, max=100
[Wed Jan 08 14:00:11.964822 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Connection: Keep-Alive
[Wed Jan 08 14:00:11.964824 2020] [http:trace4] [pid 871:tid 139656674920192] http_filters.c(958): [client 192.168.56.1:55607]   Content-Type: text/html; charset=iso-8859-1
[Wed Jan 08 14:00:11.974410 2020] [core:trace5] [pid 871:tid 139656658134784] protocol.c(653): [client 192.168.56.1:55607] Request received from client: GET /secure/ HTTP/1.1
[Wed Jan 08 14:00:11.974456 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(394): [client 192.168.56.1:55607] Headers received from client:
[Wed Jan 08 14:00:11.974469 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Host: generic-hostname.active-directory.int
[Wed Jan 08 14:00:11.974473 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0
[Wed Jan 08 14:00:11.974476 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Jan 08 14:00:11.974479 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Accept-Language: de,en-US;q=0.7,en;q=0.3
[Wed Jan 08 14:00:11.974482 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Accept-Encoding: gzip, deflate
[Wed Jan 08 14:00:11.974484 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Connection: keep-alive
[Wed Jan 08 14:00:11.974487 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Upgrade-Insecure-Requests: 1
[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 139656658134784] http_request.c(398): [client 192.168.56.1:55607]   Authorization: Negotiate TlRMLLVNTUAABAAKKl4II4gAAAAAAAABBBBBBBBAAAAGA4AlAAAADw==
[Wed Jan 08 14:00:11.974524 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974529 2020] [authz_core:debug] [pid 871:tid 139656658134784] mod_authz_core.c(809): [client 192.168.56.1:55607] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 08 14:00:11.974561 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1971): [client 192.168.56.1:55607] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jan 08 14:00:11.974598 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1722): [client 192.168.56.1:55607] Verifying client data using KRB5 GSS-API 
[Wed Jan 08 14:00:11.974671 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1738): [client 192.168.56.1:55607] Client didn't delegate us their credential
[Wed Jan 08 14:00:11.974676 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1766): [client 192.168.56.1:55607] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Wed Jan 08 14:00:11.974681 2020] [auth_kerb:debug] [pid 871:tid 139656658134784] src/mod_auth_kerb.c(1159): [client 192.168.56.1:55607] GSS-API major_status:00010000, minor_status:00000000
[Wed Jan 08 14:00:11.974688 2020] [auth_kerb:error] [pid 871:tid 139656658134784] [client 192.168.56.1:55607] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[Wed Jan 08 14:00:11.974696 2020] [core:trace3] [pid 871:tid 139656658134784] request.c(119): [client 192.168.56.1:55607] auth phase 'check user' gave status 401: /secure/
[Wed Jan 08 14:00:11.974712 2020] [http:trace3] [pid 871:tid 139656658134784] http_filters.c(1129): [client 192.168.56.1:55607] Response sent with status 401, headers:
[Wed Jan 08 14:00:11.974716 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1136): [client 192.168.56.1:55607]   Date: Wed, 08 Jan 2020 14:00:11 GMT
[Wed Jan 08 14:00:11.974718 2020] [http:trace5] [pid 871:tid 139656658134784] http_filters.c(1139): [client 192.168.56.1:55607]   Server: Apache/2.4.18 (Ubuntu)
[Wed Jan 08 14:00:11.974722 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   WWW-Authenticate: Basic realm=\\"
[Wed Jan 08 14:00:11.974725 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Content-Length: 479
[Wed Jan 08 14:00:11.974731 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Keep-Alive: timeout=5, max=99
[Wed Jan 08 14:00:11.974734 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Connection: Keep-Alive
[Wed Jan 08 14:00:11.974737 2020] [http:trace4] [pid 871:tid 139656658134784] http_filters.c(958): [client 192.168.56.1:55607]   Content-Type: text/html; charset=iso-8859-1
schumischumi
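The error log above reports "received token seems to be NTLM" for the second request. The quickest way to confirm that from a log is to decode the `Authorization: Negotiate` value: an NTLM message always begins with the `NTLMSSP\0` signature, whereas a Kerberos or SPNEGO token is a DER-encoded GSS-API InitialContextToken that begins with byte `0x60` followed by the mechanism OID. The following is an added example written for this page, not code from the question or from mod_auth_gssapi; the log lines and tokens in it are constructed (the NTLM Type 1 message is built by hand, the SPNEGO token is only the OID header), so only the shape of the Apache trace lines is taken from the question.

```python
import base64
import re

# Constructed NTLM Type 1 (NEGOTIATE) message: signature, message type, flags,
# and empty DomainName/Workstation fields. This is what a Windows browser sends
# when it cannot obtain a Kerberos ticket and falls back to NTLM.
NTLM_TYPE1 = (
    b"NTLMSSP\x00"          # NTLMSSP signature, present in every NTLM message
    + b"\x01\x00\x00\x00"   # MessageType 1 = NEGOTIATE_MESSAGE
    + b"\x07\x82\x08\xa2"   # NegotiateFlags (typical client defaults)
    + bytes(16)             # DomainName and Workstation fields, both empty
)
NTLM_TOKEN_B64 = base64.b64encode(NTLM_TYPE1).decode()

# Constructed minimal GSS-API InitialContextToken header carrying the SPNEGO OID
# 1.3.6.1.5.5.2; a real token continues with NegTokenInit and a Kerberos AP-REQ.
SPNEGO_TOKEN_B64 = base64.b64encode(bytes.fromhex("6008" "06062b0601050502")).decode()

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # DER OID 1.2.840.113554.1.2.2

# Constructed trace4 lines in the shape of the question's log (pid/tid shortened).
SAMPLE_LOG = [
    "[Wed Jan 08 14:00:11.974469 2020] [http:trace4] [pid 871:tid 1] http_request.c(398): "
    "[client 192.168.56.1:55607]   Host: generic-hostname.active-directory.int",
    "[Wed Jan 08 14:00:11.974490 2020] [http:trace4] [pid 871:tid 1] http_request.c(398): "
    f"[client 192.168.56.1:55607]   Authorization: Negotiate {NTLM_TOKEN_B64}",
]

HOST_RE = re.compile(r"\]\s+Host:\s+(\S+)\s*$")
AUTHZ_RE = re.compile(r"\]\s+Authorization:\s+Negotiate\s+(\S+)\s*$")


def classify_token(token_b64: str) -> str:
    """Classify a Negotiate token by its leading bytes.

    Returns 'ntlm', 'spnego', 'kerberos', 'gssapi-other', 'invalid' or 'unknown'.
    """
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "invalid"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if raw[:1] == b"\x60":  # [APPLICATION 0] tag of an InitialContextToken (RFC 2743)
        head = raw[:20]     # the mechanism OID directly follows the length octets
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "kerberos"
        return "gssapi-other"
    return "unknown"


def scan_log(lines):
    """Pair each Authorization: Negotiate header with the preceding Host header.

    The Host value matters: the client asked the KDC for HTTP/<that host>, so a
    host that carries no SPN is the usual reason the mechanism comes out as NTLM.
    """
    results = []
    host = None
    for line in lines:
        m = HOST_RE.search(line)
        if m:
            host = m.group(1)
            continue
        m = AUTHZ_RE.search(line)
        if m:
            results.append({"host": host, "mechanism": classify_token(m.group(1))})
    return results


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(f"{entry['host']}: client offered {entry['mechanism']}")
```

Run it over a real `LogLevel debug`/`trace4` error log by replacing `SAMPLE_LOG` with the file's lines; a `mechanism` of `ntlm` for a given `host` means the browser never obtained a Kerberos ticket for `HTTP/<host>`, which is exactly the situation the question's log shows for `generic-hostname.active-directory.int`.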
  • One does not use mod_auth_kerb. – Michael-O Jan 10 '20 at 20:03
  • Thx for your reply. can you tell me why one does not use mod_auth_kerberos. I think the SSO feature is quite neat. – schumischumi Jan 13 '20 at 07:29
  • One does use https://github.com/modauthgssapi/mod_auth_gssapi these days. – Michael-O Jan 13 '20 at 10:59
  • Thx for your input. I switched to mod_auth_gssapi, but the problem stays the same. how can I use hostnames/servernames that are not in the SPN of the keytab user? – schumischumi Jan 15 '20 at 08:51
  • Based on your log output, Kerberos is not used at all. I assume that the SPN has not been assigned properly. Please do the following first: `kinit ` and then `kvno HTTP/fqdn` and post the output. – Michael-O Jan 15 '20 at 13:00
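The `kvno HTTP/fqdn` check in the last comment tests one hostname at a time. The underlying rule is that a browser requests a service ticket for `HTTP/<the hostname it connected to>`, so every `ServerName` or `ServerAlias` a gateway serves needs that SPN registered on the service account and a matching key in the keytab. One account may carry several SPNs and one keytab may hold several entries, so several hostnames can share the same account and keytab as long as each hostname is registered; mod_auth_gssapi, unless `GssapiAcceptorName` pins a single name, accepts any principal that has a key in the `GssapiCredStore` keytab. The script below, an added example that is not part of the question or of mod_auth_gssapi, compares the hostnames in an Apache config against the principals listed by `klist -k` and reports the SPNs that are missing. Both the config text and the `klist` output are constructed samples based on the names in the question, with a hypothetical `app2.active-directory.int` alias added to show the multi-host case; the `ACTIVE-DIRECTORY.INT` realm spelling is assumed. As a caveat on the `ktpass` line in the question, `RC4-HMAC-NT` is a weak encryption type; `AES256-SHA1` is the stronger `/crypto` choice when the account allows it.

```python
import re

# Constructed sample modelled on the question: an httpd.conf serving two hostnames
# (ServerName from the question, ServerAlias hypothetical) and `klist -k` output for
# a keytab that only holds the SPN created by the ktpass command in the question.
APACHE_CONF = """
<VirtualHost *:80>
  ServerName generic-hostname.active-directory.int
  ServerAlias app2.active-directory.int
</VirtualHost>
"""

KLIST_ONE_SPN = """Keytab name: FILE:/etc/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/spn-servername.active-directory.int@ACTIVE-DIRECTORY.INT
"""

# Constructed: the same keytab after keys for both served hostnames were added.
KLIST_ALL_SPNS = KLIST_ONE_SPN + """\
   3 HTTP/generic-hostname.active-directory.int@ACTIVE-DIRECTORY.INT
   3 HTTP/app2.active-directory.int@ACTIVE-DIRECTORY.INT
"""

KLIST_LINE = re.compile(r"^\s*\d+\s+(\S+)\s*$")  # plain `klist -k`: "<kvno> <principal>"
HOSTNAME_DIRECTIVE = re.compile(
    r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)


def keytab_principals(klist_output: str) -> set:
    """Return the principal names in `klist -k` output with the @REALM suffix removed.

    The service part is kept exactly as written: MIT Kerberos compares principal
    names case-sensitively, so an 'http/host' key does not serve 'HTTP/host'.
    """
    principals = set()
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            principals.add(m.group(1).split("@", 1)[0])
    return principals


def config_hostnames(conf_text: str) -> list:
    """Collect every ServerName / ServerAlias host, stripping scheme and port."""
    hosts = []
    for m in HOSTNAME_DIRECTIVE.finditer(conf_text):
        for token in m.group(1).split():
            host = token.split("://", 1)[-1].split(":", 1)[0].lower()
            if host not in hosts:
                hosts.append(host)
    return hosts


def missing_spns(conf_text: str, klist_output: str, service: str = "HTTP") -> list:
    """Hostnames whose <service>/<host> key is absent from the keytab.

    Each of these is a hostname for which clients cannot complete Negotiate with
    Kerberos and will fall back to NTLM or Basic, as in the question's log.
    """
    have = keytab_principals(klist_output)
    return [h for h in config_hostnames(conf_text) if f"{service}/{h}" not in have]


if __name__ == "__main__":
    for label, klist_output in (("one SPN", KLIST_ONE_SPN), ("all SPNs", KLIST_ALL_SPNS)):
        print(f"{label}: missing {missing_spns(APACHE_CONF, klist_output) or 'nothing'}")
```

To use it against a real gateway, feed it the output of `klist -k /etc/http.keytab` and the vhost config; every hostname it reports needs an SPN on the service account (`setspn -S HTTP/<host> sysaccount99` on the AD side) and a corresponding keytab entry before SSO can work there. SPNs must be unique across the forest, so the same `HTTP/<host>` must not also be registered on a second account.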

0 Answers