Single Sign On for Apache 2.2 and Active Directory 2003 R2 with SuSE 10.2, mod_auth_kerb and MIT Kerberos

This is a small howto written out of my own needs; suggestions are always welcome!

  1. Assumptions for this paper
    1. You know and basically follow, but there are some facts missing/wrong.
    2. 2003R2 KDC’s are and (DNS: and
    3. Kerberos Realm for ADS is ADS.EXAMPLE.COM (upper case required!)
    4. Web server (hostname.domain) is
    5. Forward and reverse DNS for the web server's FQDN work, verified with "dig" and "dig -x" (a forward/reverse mismatch is the most common reason the HTTP/ service principal is not found later)

  2. Used packages on the web server
    1. rpm
      1. krb5
      2. krb5-apps-clients
      3. krb5-client
      4. krb5-devel
      5. apache2
      6. apache2-prefork
      7. apache2-devel
      8. libapr1
      9. libapr1-devel
      10. libapr-util1
      11. libapr-util1-devel
      12. libtool
      13. libltdl
    2. tarball
      1. mod_auth_kerb-5.3.tar.gz from
  3. Doing “web server”
    1. Install all RPMs as root with "yast2 sw_single".
    2. Before continuing, repeat the YaST online update until it finds no new updates.
    3. Create the Kerberos principal inside AD
    4. Let your AD admin create a user named "httpd_webhostname" with basic rights, e.g. for browsing the domain, and let him set a password for the user.
      Pitfall: AD 2003 seems to be buggy; by definition this step should be enough. But since the user creation routine appears to differ internally from the password change routine, no Kerberos key is created for the user at creation time. So:
    5. Let the AD admin change the created user's password.
    6. This command has to be executed on the domain controller of the ADS with domain admin rights (ktpass.exe is described under
      ktpass.exe -princ HTTP/
        -mapuser httpd_webhostname
        -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
        -mapop set +DESONLY -pass ThIsIsMyPaSsWoRd
        -out C:\apache001.ktab
      The -princ value is the service principal name: HTTP/ followed by the web server's FQDN from the assumptions, then @ADS.EXAMPLE.COM (realm in upper case). -pass sets the account's password, and the key written to the keytab is derived from it, so use a long random value rather than the placeholder shown here. Caveat: -crypto DES-CBC-MD5 together with +DESONLY pins the account to single DES (56-bit keys), which current Kerberos implementations reject by default; Windows 2003 also supports RC4-HMAC (-crypto RC4-HMAC-NT, without +DESONLY), which the MIT Kerberos libraries on the web server handle as well.
    7. Copy or move the keytab produced by ktpass (C:\apache001.ktab above) to /etc/apache2/apache.ktab on the web server, change its owner to wwwrun (or whatever user Apache 2 runs as) and its mode to 600 (read/write for the owner only). The keytab is equivalent to the service account's password: anyone who can read it can impersonate the web server to the domain, so keep it out of backups and world-readable directories.
    8. The Kerberos client setup
    9. Make your /etc/krb5.conf look like this (the two kdc entries point at the 2003 R2 domain controllers from the assumptions; [domain_realm] maps the AD DNS domain, in lower case, to the upper-case realm):
      [libdefaults]
        default_realm = ADS.EXAMPLE.COM

      [realms]
        ADS.EXAMPLE.COM = {
          kdc =
          kdc =
        }

      [logging]
        kdc = /var/log/krb5/krb5kdc.log
        admin_server = /var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

      [domain_realm]
        .ads.example.com = ADS.EXAMPLE.COM
        ads.example.com = ADS.EXAMPLE.COM
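Before wiring the keytab into Apache it is worth checking what ktpass actually wrote: that the HTTP/ principal for the right FQDN and realm is present, which key version (kvno) it carries, and which enctypes, since a DES-only keytab is what the -crypto DES-CBC-MD5 / +DESONLY line above produces. On the web server the MIT tools do this with "klist -k -e -t /etc/apache2/apache.ktab" and "kinit -k -t /etc/apache2/apache.ktab" followed by the HTTP/ principal, which also exercises the krb5.conf above. The following is an added example, not code from the original howto or from mod_auth_kerb: a small parser for the MIT keytab layout (version 0x0502, the format ktpass.exe writes) that reports principals, kvno and enctype and flags single-DES entries without exposing key bytes. The host name web.ads.example.com, the sample keys and the kvno are assumptions made up for the constructed sample keytab.

```python
"""Inspect an MIT-format keytab (what ktpass.exe writes) without Kerberos tools.
Added example, not from the original howto; host name and sample keys are assumed."""
import struct

# Enctype numbers as used by MIT Kerberos and Windows.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",           # RC4-HMAC-NT in ktpass terms
}
WEAK_ENCTYPES = {1, 2, 3}         # single DES, 56-bit keys


def _u16(data, pos):
    return struct.unpack(">H", data[pos:pos + 2])[0], pos + 2


def _u32(data, pos):
    return struct.unpack(">I", data[pos:pos + 4])[0], pos + 4


def _octets(data, pos):
    n, pos = _u16(data, pos)
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Write the same layout ktpass/MIT produce. Used only to construct sample input."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)                 # name type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)                 # timestamp, not checked here
        body += struct.pack(">B", kvno & 0xFF)       # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)              # 32-bit kvno (version 2 extension)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of {principal, enctype, kvno, keylen}; key bytes are never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]   # signed entry length
        pos += 4
        if size == 0:
            break
        if size < 0:                                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, pos = _u16(data, pos)
        realm, pos = _octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _octets(data, pos)
            comps.append(c.decode())
        pos += 8                                     # name type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, pos = _u16(data, pos)
        keylen, pos = _u16(data, pos)
        pos += keylen                                # skip the secret key material
        if end - pos >= 4:                           # optional 32-bit kvno wins when non-zero
            kvno32, pos = _u32(data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "keylen": keylen})
    return entries


def check_keytab(data, expected_principal):
    """Is the service principal mod_auth_kerb will use present, and with which enctypes?"""
    matching = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    weak = sorted({ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
                   for e in matching if e["enctype"] in WEAK_ENCTYPES})
    return {"found": bool(matching),
            "kvnos": sorted({e["kvno"] for e in matching}),
            "enctypes": sorted(e["enctype"] for e in matching),
            "weak_enctypes": weak}


# Constructed sample: the DES entry the ktpass line above yields, plus an RC4-HMAC entry
# for the same principal as ktpass -crypto RC4-HMAC-NT would have written instead.
SERVICE_PRINCIPAL = "HTTP/web.ads.example.com@ADS.EXAMPLE.COM"   # assumed host name
SAMPLE_KEYTAB = build_keytab([
    (SERVICE_PRINCIPAL, 3, 3, bytes(range(8))),      # des-cbc-md5, sample key
    (SERVICE_PRINCIPAL, 23, 3, bytes(range(16))),    # arcfour-hmac, sample key
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno %d  %s" % (e["principal"], e["kvno"],
                                     ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    report = check_keytab(SAMPLE_KEYTAB, SERVICE_PRINCIPAL)
    if report["weak_enctypes"]:
        print("WARNING: single-DES keys present:", ", ".join(report["weak_enctypes"]))
```

To run it against the real file, read /etc/apache2/apache.ktab into bytes and pass it to check_keytab together with the HTTP/ principal you gave ktpass; a "found" of False usually means the FQDN or realm case differs from what ktpass was given, and a kvno that does not match what "kvno" reports for the principal on the web server means the AD password was changed after the keytab was made.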

It's just a short overview; take it as my best practice.
