
enterprise-ubuntu team mailing list archive

I got apache with Kerberos on AD


Hello,

I managed to get Single-Sign-On to webpages to work :) Below there's a quick overview; the next thing I'm going to do is automate this internally, and if there are people interested, I'll put more detailed instructions on the wiki.

It seems it wasn't that difficult. Our Ubuntu machines already had machine accounts in AD, most if not all joined using a universal joiner account. This account was then provided to kinit before I ran msktutil to acquire the Kerberos SPN for the machine.

The Kerberos SPN acquired by msktutil allows the name of the machine to be used as the website name. DNS CNAMEs can be used to provide an alternative name, but this does not work on all Kerberos implementations (like MIT) and may fail when accessed from behind a proxy, so I added an SPN from the DC to the machine account.

Afterwards, I granted Apache read access to /etc/krb5.keytab and set up Apache as per the mod_auth_kerb module docs.

For multi-domain access, I needed to make a tweak in /etc/krb5.conf that I don't totally understand, but it works.

Cheers,
Ballock
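The Apache side of the setup described above, as an added example that is not the poster's own configuration. The hostname web01.example.com, the realm EXAMPLE.COM, the joiner account name and the Ubuntu www-data user are assumptions; the commands in the comments are the assumed prerequisite steps, not output from the post.

```apache
# Added example, not the original poster's config. Assumes the host is
# web01.example.com in realm EXAMPLE.COM and Apache runs as www-data.
#
# Assumed prerequisite steps on the Ubuntu host, after the machine account exists:
#   kinit joiner@EXAMPLE.COM
#   msktutil --update --service HTTP --keytab /etc/krb5.keytab
#   chgrp www-data /etc/krb5.keytab && chmod 640 /etc/krb5.keytab
#   a2enmod auth_kerb
# The keytab holds the machine's long-term keys: give Apache's group read
# access, never make it world-readable.
#
# Place this inside a TLS-enabled virtual host whose ServerName matches the
# HTTP/web01.example.com SPN; a name mismatch is the usual cause of
# "no ticket" failures.

<Location /sso>
    AuthType Kerberos
    AuthName "Active Directory login"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/krb5.keytab
    # Service part of the SPN; the host part is taken from the request.
    KrbServiceName HTTP
    # Accept SPNEGO tickets from the browser.
    KrbMethodNegotiate On
    # No Basic-auth fallback: AD passwords must not be sent to the web server.
    KrbMethodK5Passwd Off
    # Use the keytab to verify the KDC as well, not only the client ticket.
    KrbVerifyKDC On
    # Do not write delegated credentials to disk unless a backend needs them.
    KrbSaveCredentials Off
    Require valid-user
</Location>
```

With KrbMethodK5Passwd off, clients without a ticket get a plain 401 instead of a password prompt, which makes a broken SPN or keytab visible immediately rather than silently degrading to password auth.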