Friday, November 14, 2014

Business Cases: Centrifying Apache HTTP Server to provide on premises AD-based SSO and Authorization


Apache is the de facto Web Server for many apps and organizations have  the challenge of providing access to enterprise users that are very likely coming with Active Directory credentials;  not an issue for Centrify customers because fortunately, every centrified Unix/Linux  system has a single, secure connection to AD.

This approach results in centralized administration, streamlined authentication, policy enforcement and role-based access controls (privileged management) and since the underlying technology simplified  AD connectivity by leveraging native features and topologies (sites and services, global catalogs, subnets, one-way or cross-forest trusts, DC telemetry and caching)

In order to extend these benefits to web apps, Centrify offers the Apache HTTP SSO plugin that natively extends the authentication mechanisms of Apache to provide SPNEGO via the GSSAPI; the result is having the capability of Windows Integrated Authentication in UNIX/Linux-based Apache servers.

Translation: SSO via Kerberos or NTLM, authorization based on AD principals and the exposure of AD-attributes via native Apache APIs.  This post covers how to install the Apache plugin on a centrified server, how to get the sample application up and running, and how to incorporate it to existing Apache sites (we'll use phpPgAdmin as an example).

What is SPNEGO?

SPNEGO stands for "simple and protected GSSAPI negotiation mechanism" microsoft likes to call it IWA (Integrated Windows Authentication) and basically enables the capability for a browser to negotiate the authentication mechanism based on capabilities.  If configured correctly, the browser will attempt to use Kerberos, downgrade to NTLM if not possible fall back to basic authentication.   This means that for any Authenticated AD session, provided the browser is configured correctly the user will get SSO, otherwise they will get challeged via NTLM.

What you'll need
  • A Centrified Unix/Linux system running Apache
    Joined to the domain either in zone or workstation mode.
  • Apache HTTP server running
    You need to know the version and architecture to obtain the right version.
  • A domain joined PC system to test access from an authenticated Windows system (or a centrified Mac) with a web browser (SPNEGO is not available on Safari)

Implementation Steps

Information gathering
  1. Collect the OS version, architecture, version of Centrify adclient and if an SPN for HTTP is registered
    uname -a, adinfo -v and adinfo -C | grep http provide that information
  2. Collect the service status, version, architecture and if dynamically loaded modules are enabled.
    httpd -V and httpd -l (look for mod_so.c) provide this info.
  3. Make sure the Apache home page (if enabled) is accessible from the Windows client.
  4. Obtain the proper version of the Apache HTTP SSO plugin from the Centrify Customer Support Center.
    Based on the information from steps 1 and 2, you can select which package to download. For example, in my CentOS 6.x, 64bit, Apache 2.2

    $ uname -a
    Linux 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
    $ adinfo -v
    adinfo (CentrifyDC 5.2.0-218)
    $ adinfo -C | grep http
    $ dzdo service httpd statushttpd (pid  2811) is running...
    $ httpd -V
    Server version: Apache/2.2.15 (Unix)
    Architecture:   64-bit
    $ httpd -l | grep mod_so.c

    It looks like my server is running CentOS 6.x and Centrify 5.2;  the SPN for HTTP is As far as Apache goes it is a 64 bit Apache 2.2.  Based on this information,  I will download the package "DirectControl for Apache HTTP Server on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64" the version is 4.4.3 as of the original post in November 2014.  


Unpack and install the SSO plugin
$ tar xzvf centrify-apache-4.4.4-rhel3-x86_64.tgz
The installation file on RHEL for this version is called centrifydc-apache-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.
$ dzdo rpm -Uvh centrifydc-apache-4.4.4-rhel3-x86_64.rpm
Preparing...                ########################################### [100%]
   1:CentrifyDC-apache      ########################################### [100%]

Configuration of the Sample Application

Centrify provides a working sample app that can be used to see how to use the directives of the plugin.  To enable it, just include the path to the corresponding config file in the /etc/httpd/conf/httpd.conf file.  The sample app is in /usr/share/centrifydc/apache/samples and since I'm running Apache 2.2.x 64 bit, all I need to do is add this line 

Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf
and restart the Web Server.

$ dzdo vi /etc/httpd/conf/httpd.conf    
==>then 'G' to go to the end and 'o'' to insert a line
# Include of Centrify Samples
Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf  
==>Then <ESC> wq! to save
$ dzdo service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Verify that all is working as expected

  1. Sign-in to a Windows client that is a member of your AD Domain
  2. Clear your Kerberos ticket cache by opening a command line and typing "klist purge"
    C:\Users\jerry.seinfeld>klist purge
    Current LogonId is 0:0x9bb0d
    Deleting all tickets:Ticket(s) purged!
  3. Open Internet Explorer and go to Internet Options > Security > Local Intranet > Sites > Advanced and make sure that your browser has the FQDN or the suffix of the SPN for HTTP registered by the server.
    If using Firefox, go to about:config and search for network.automatic-ntlm-auth.trusted-uris, add the SPNs suffix or FQDN there.
  4. Go browse to http://<your-server>/samples.  This will expose the Centrify Sample pages.  Click on Kerberos.  If everything is correct, you should be able to see output that looks like this:
  5. Now if you inspect your kerberos ticket cache, you'll something like this (truncated):
    Current LogonId is 0:0x9bb0d
    #0>     Client: jerry.seinfeld @ CORP.CONTOSO.COM
            Server: krbtgt/CORP.CONTOSO.COM @ CORP.CONTOSO.COM

    #1>     Client: jerry.seinfeld @ CORP.CONTOSO.COM
           Server: HTTP/ @ CORP.CONTOSO.COM
Ticket # 0 is a Kerberos TGT and #1 is a service ticket that was requested by Jerry to access the Apache HTTP service on CEN3.

From a domain-joined computer, as it's configured by default, any valid AD user should have access. The directives to add to your Apache web sites is as follows:

 AuthType           CENTRIFYDC    # This directive enables the Centrify Plugin for the Site.
    EnableBasicAuth    true               # This directive enables Basic Auth (use only with SSL)
    EnableNtlmAuth     true               # This directive enables NTLM authentication
    EnableKerberosAuth true           # This directive enables Kerberos authentication
    Require            valid-user             # This directive controls authorization. Valid user is any AD authenticated user.

The require directive can be used for AD-based authorization, For example, if I want to only allow the members of the "Demo Users"  AD group, the Require will look like this:

Require group "Demo Users"

Plugin in Action - phpPgAdmin

In this example, we'll use the Apache SSO Plugin to AD-enable the phpPgAdmin app.  phpPgAdmin provides a web interface to manage PostgreSQL.  To install it  (e.g. in CentOS 6.x)

Add the repository
$ wget
$ rpm -Uvh pgdg-centos91-9.1-4.noarch.rpm

Install the app
$ dzdo yum install phpPgAdmin

Configure the App to accept local connections
Edit the /etc/httpd/conf.d/phpPgAdmin.conf for example:
allow all from

Restart the Web Server
$ dzdo service centrifydc restart

Verify Access by browsing to your server in the /phpPgAdmin virtual directory:

To enable access with the Centrify plugin, just add the directives below inside the Location stanza of the /etc/httpd/conf.d/phpPgAdmin.conf file.  In this case we are limiting access based on membership on the Demo Users AD group.

 AuthType           CENTRIFYDC  
    EnableBasicAuth    true              
    EnableNtlmAuth     true               
    EnableKerberosAuth true           
    Require group "Demo Users"

Don't forget to restart the Apache Server!!!

Video Playlist

(11 minutes, 30 seconds total)

No comments:

Post a Comment