BackgroundApache is the de facto Web Server for many apps and organizations have the challenge of providing access to enterprise users that are very likely coming with Active Directory credentials; not an issue for Centrify customers because fortunately, every centrified Unix/Linux system has a single, secure connection to AD.
This approach results in centralized administration, streamlined authentication, policy enforcement and role-based access controls (privileged management) and since the underlying technology simplified AD connectivity by leveraging native features and topologies (sites and services, global catalogs, subnets, one-way or cross-forest trusts, DC telemetry and caching)
In order to extend these benefits to web apps, Centrify offers the Apache HTTP SSO plugin that natively extends the authentication mechanisms of Apache to provide SPNEGO via the GSSAPI; the result is having the capability of Windows Integrated Authentication in UNIX/Linux-based Apache servers.
Translation: SSO via Kerberos or NTLM, authorization based on AD principals and the exposure of AD-attributes via native Apache APIs. This post covers how to install the Apache plugin on a centrified server, how to get the sample application up and running, and how to incorporate it to existing Apache sites (we'll use phpPgAdmin as an example).
What is SPNEGO?SPNEGO stands for "simple and protected GSSAPI negotiation mechanism" microsoft likes to call it IWA (Integrated Windows Authentication) and basically enables the capability for a browser to negotiate the authentication mechanism based on capabilities. If configured correctly, the browser will attempt to use Kerberos, downgrade to NTLM if not possible fall back to basic authentication. This means that for any Authenticated AD session, provided the browser is configured correctly the user will get SSO, otherwise they will get challeged via NTLM.
What you'll need
- A Centrified Unix/Linux system running Apache
Joined to the domain either in zone or workstation mode.
- Apache HTTP server running
You need to know the version and architecture to obtain the right version.
- A domain joined PC system to test access from an authenticated Windows system (or a centrified Mac) with a web browser (SPNEGO is not available on Safari)
Implementation StepsInformation gathering
- Collect the OS version, architecture, version of Centrify adclient and if an SPN for HTTP is registered
uname -a, adinfo -v and adinfo -C | grep http provide that information
- Collect the service status, version, architecture and if dynamically loaded modules are enabled.
httpd -V and httpd -l (look for mod_so.c) provide this info.
- Make sure the Apache home page (if enabled) is accessible from the Windows client.
- Obtain the proper version of the Apache HTTP SSO plugin from the Centrify Customer Support Center.
Based on the information from steps 1 and 2, you can select which package to download. For example, in my CentOS 6.x, 64bit, Apache 2.2$ uname -aLinux cen3.corp.contoso.com 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux$ adinfo -vadinfo (CentrifyDC 5.2.0-218)$ adinfo -C | grep http
http/cen3.corp.contoso.comhttp/cen3$ dzdo service httpd statushttpd (pid 2811) is running...Server version: Apache/2.2.15 (Unix)Architecture: 64-bit$ httpd -l | grep mod_so.cmod_so.c
It looks like my server is running CentOS 6.x and Centrify 5.2; the SPN for HTTP is cen3.corp.contoso.com. As far as Apache goes it is a 64 bit Apache 2.2. Based on this information, I will download the package "DirectControl for Apache HTTP Server on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64" the version is 4.4.3 as of the original post in November 2014.
Unpack and install the SSO plugin
$ tar xzvf centrify-apache-4.4.4-rhel3-x86_64.tgz
The installation file on RHEL for this version is called centrifydc-apache-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.
$ dzdo rpm -Uvh centrifydc-apache-4.4.4-rhel3-x86_64.rpm
Preparing... ########################################### [100%]
1:CentrifyDC-apache ########################################### [100%]
Configuration of the Sample Application
Centrify provides a working sample app that can be used to see how to use the directives of the plugin. To enable it, just include the path to the corresponding config file in the /etc/httpd/conf/httpd.conf file. The sample app is in /usr/share/centrifydc/apache/samples and since I'm running Apache 2.2.x 64 bit, all I need to do is add this line
and restart the Web Server.
$ dzdo vi /etc/httpd/conf/httpd.conf
==>then 'G' to go to the end and 'o'' to insert a line
# Include of Centrify Samples
==>Then <ESC> wq! to save
$ dzdo service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Verify that all is working as expected
- Sign-in to a Windows client that is a member of your AD Domain
- Clear your Kerberos ticket cache by opening a command line and typing "klist purge"
Current LogonId is 0:0x9bb0dDeleting all tickets:Ticket(s) purged!
- Open Internet Explorer and go to Internet Options > Security > Local Intranet > Sites > Advanced and make sure that your browser has the FQDN or the suffix of the SPN for HTTP registered by the server.
If using Firefox, go to about:config and search for network.automatic-ntlm-auth.trusted-uris, add the SPNs suffix or FQDN there.
- Go browse to http://<your-server>/samples. This will expose the Centrify Sample pages. Click on Kerberos. If everything is correct, you should be able to see output that looks like this:
- Now if you inspect your kerberos ticket cache, you'll something like this (truncated):
Current LogonId is 0:0x9bb0d
#0> Client: jerry.seinfeld @ CORP.CONTOSO.COM
Server: krbtgt/CORP.CONTOSO.COM @ CORP.CONTOSO.COM
#1> Client: jerry.seinfeld @ CORP.CONTOSO.COM
Server: HTTP/cen3.corp.contoso.com @ CORP.CONTOSO.COM
Ticket # 0 is a Kerberos TGT and #1 is a service ticket that was requested by Jerry to access the Apache HTTP service on CEN3.
From a domain-joined computer, as it's configured by default, any valid AD user should have access. The directives to add to your Apache web sites is as follows:
AuthType CENTRIFYDC # This directive enables the Centrify Plugin for the Site.
EnableBasicAuth true # This directive enables Basic Auth (use only with SSL)
EnableNtlmAuth true # This directive enables NTLM authentication
EnableKerberosAuth true # This directive enables Kerberos authentication
Require valid-user # This directive controls authorization. Valid user is any AD authenticated user.
The require directive can be used for AD-based authorization, For example, if I want to only allow the members of the "Demo Users" AD group, the Require will look like this:
Require group "Demo Users"
Plugin in Action - phpPgAdmin
In this example, we'll use the Apache SSO Plugin to AD-enable the phpPgAdmin app. phpPgAdmin provides a web interface to manage PostgreSQL. To install it (e.g. in CentOS 6.x)
Add the repository
$ wget http://yum.postgresql.org/9.1/redhat/rhel-6.3-x86_64/pgdg-centos91-9.1-4.noarch.rpm
$ rpm -Uvh pgdg-centos91-9.1-4.noarch.rpm
Install the app
$ dzdo yum install phpPgAdmin
Configure the App to accept local connections
Edit the /etc/httpd/conf.d/phpPgAdmin.conf for example:
allow all from 10.0.0.0
Restart the Web Server
$ dzdo service centrifydc restart
Verify Access by browsing to your server in the /phpPgAdmin virtual directory:
To enable access with the Centrify plugin, just add the directives below inside the Location stanza of the /etc/httpd/conf.d/phpPgAdmin.conf file. In this case we are limiting access based on membership on the Demo Users AD group.
Require group "Demo Users"
Don't forget to restart the Apache Server!!!