Single Sign-on for Your Web Applications with Apache and Kerberosby Jason Garman, author of Kerberos: The Definitive Guide
So you now have a fully functioning Kerberos infrastructure. All of your machines, regardless of operating system or architecture, are able to utilize the single sign-on infrastructure that Kerberos provides for some typical services, such as local login and email. However, there are some web applications that you'd now like to provide to your users, and you'd like them to utilize all of the hard work you've put into establishing a Kerberos infrastructure. In short, you want to Kerberize your internal web applications. But how?
Well, unfortunately, the answer is a bit complicated. There have been many
attempts to Kerberize web servers and browsers, starting with NCSA Mosaic
browsers and NCSA
httpd servers that supported Kerberos 4 in the mid '90s.
Today, the most prevalent standard for performing Kerberos authentication is the
HTTP Negotiate mechanism, which is integrated into Microsoft Internet Explorer
and Internet Information Server. There's also a simpler mechanism,
available in patches for Mozilla and Apache, but it is not enabled
by default on either Mozilla or Apache, and it doesn't interoperate with IE and IIS.
To understand how we got into this position, we need to take a few steps back and look at the current state of both Kerberos and web authentication. First, we'll take a look at the current state of Kerberos 5 APIs. Most applications that use Kerberos 5 don't use the Kerberos 5 API directly; instead, they use an abstraction layer "above" Kerberos 5. Most people (well, at least people familiar with programming Kerberos applications) will say that this layer exists to reduce complexity in client and server code, but the real reason behind using this abstraction is that the raw Kerberos 5 APIs are not standardized across implementations; they are subject to change from revision to revision; and, in general, they are a pain to use. And of course, standards being what they are, there's two of these abstraction layers to choose from: GSSAPI and SSPI. GSSAPI, or the "Generic Security Services API," is the API provided by Unix-based Kerberos 5 implementations. SSPI, the "Security Support Provider Interface," is Microsoft's answer to GSSAPI and, of course, available only for Windows 2000 and above.
Now, let's take a look at the state of web authentication today. Those who have worked with web authentication in the past are familiar with Basic, the most common authentication mechanism. Basic authentication is a simple exchange between client and server; the server sends the browser a "realm," to which the client must authenticate. The browser displays this realm string, and prompts the user for a username and password that is valid in the given realm. The browser then passes this username and password back to the server in clear text when it retries the original request. (OK, for the pedants in the audience, the username and password are obfuscated with Base-64.)
Kerberized Web Authentication Today
Of course, we can always jury-rig Basic authentication to work with our Kerberos realm; we can perform the user authentication on the web server, given a Kerberos username and password entered through Basic authentication. Of course, there are some security precautions that must be taken in order to make sure this method is secure. First, the connection between server and browser must be encrypted with SSL to protect the plain-text credentials. And second, the web server should take appropriate precautions, including verifying the user's TGT against a service principal to prevent possible man-in-the-middle attacks on the Kerberos protocol exchange. With the appropriate security measures in mind, this setup will work and, dare I say it, may even be appropriate, in some cases. However, to anyone who has taken the time and effort to establish a Kerberos infrastructure, this "solution" falls well short of what should be possible with a fully Kerberized authentication environment.
The immediate response that comes to mind is to use one of the abstraction layers we discussed above. A set of patches for both Apache and Mozilla implement Kerberos authentication in just this way; the patches use GSSAPI to provide authentication based on Kerberos to Apache and Mozilla. These patches are available at meta.cesnet.cz/software/heimdal/negotiate.en.html.
However, we want to interoperate with Internet Explorer, so let's continue on.
The Simple and Protected Negotiation Mechanism
Microsoft took a slightly more complex approach, for practical reasons. While the default authentication mechanism in Windows 2000 and above is Kerberos, support for NTLM is still required for backward compatibility with NT and earlier operating systems. GSSAPI abstracts out the details of interfacing with different authentication mechanisms, but it doesn't provide a way to negotiate which of the mechanisms to use. Therefore, Microsoft uses SPNEGO, the Simple and Protected Negotiation mechanism. SPNEGO provides a method where server and client can mutually negotiate the best authentication mechanism to use (in this case, NTLM and Kerberos). The use of SPNEGO for web-based authentication is referred to as the HTTP Negotiate protocol. Once the negotiation is finished, then the mutually agreed upon authentication mechanism can begin. In this case, we'll only be compatible with the Windows Kerberos authentication mechanism; it will fail if Windows attempts to use NTLM instead.
In my book, Kerberos: The Definitive Guide, I describe how to use Basic authentication to verify Kerberos passwords over the Web because of a lack of a freely available SPNEGO implementation. However, as the book was going to print, an Apache module that implements SPNEGO was released. While it is still in an early beta status, it does work quite well, and its only real drawback at this point is its cumbersome installation process. I will walk you thought the SPNEGO implementation process in the remainder of this article.
What will this module allow you to do? It will enable Apache-based web servers to allow for transparent domain authentication through Active Directory. Windows-based clients who are logged into an Active Directory domain can now access Apache servers with this module through Internet Explorer, and be transparently authenticated to web applications on the Apache server. Internet Explorer will acquire Kerberos service tickets for the Apache server and use the Negotiate HTTP authentication mechanism to pass a Kerberos service ticket to the Apache server.The prerequisites for implementing this solution are:
A Windows 2000 or above Active Directory domain.
Clients running Internet Explorer on Windows (other browsers don't support the Negotiate protocol yet).
Clients logged into the Active Directory domain.
An Apache server, version 1.3.x (tested with Linux and FreeBSD, Apache 1.3.26 and 1.3.27).
A working Kerberos installation (client libraries and /etc/krb5.conf configuration file) on the Apache server machine (tested with MIT Kerberos 1.2.3, 1.2.8).
mod_auth_gss_krb5module from modgssapache.sourceforge.net.
Pages: 1, 2