Configure Kerberos SSO on Moodle: KRB5KDC_ERR_PREAUTH_REQUIRED - apache

I'm trying to set up kerberos SSO in Moodle but I'm getting a error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25):
1) I've configured kerberos on Apache: installed kerberos, configured via /etc/krb5.cnf, and tested via kinit command getting right kerberos tickets. WORKS
2) I've created a virtual host in Apache with a folder with kerberos authentication for testing: create a keytab file, tested authentication through kerberos works in the testing virtual site. I get the LDAP REMOTE_USER info and passes the authentication, also kerberos traffic is generated (fetched kerberos traffic with wireshark). WORKS
3) Configured virtual host to use kerberos to authenticate to moodle: as shown in moodle documentation.
Moodle Kerberos SSO documentation
4) Configured moodle's LDAP auth plugin: login with an LDAP user works fine. WORKS
5) Configured NTLM options in moodle's ldap plugin: I've tested and it does generate kerberos authentication network traffic (fetched kerberos with wireshark). But I'm getting a KRB5KDC_ERR_PREAUTH_REQUIRED (25).
Moodle LDAP configuration (NTLM section):
Enable = yes
Subnetwork = 192.168.0.0/16
Authentication type = kerberos
Username format = (none)
My virtual host configuration for both sites (test folder and moodle folder) is:
<VirtualHost *:80>
# General
ServerAdmin myemail#domain.com
DocumentRoot /home/moodle/moodle
ServerName mymoodle.es
LogLevel debug
ErrorLog logs/testing-error.log
CustomLog logs/testing.log combined
<Location /krb_testing>
## Redes para las que se ofrece SSO
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP/mymoodle.es#MYREALM.DOMAIN.ES
KrbAuthRealms MYREALM.DOMAIN.ES
Krb5KeyTab /etc/krb5.keytab
## Sin require valid-user no se produce la negociacion
require valid-user
</Location>
<Directory /home/moodle/moodle/auth/ldap/>
<Files ntlmsso_magic.php>
AuthName "Moodle"
AuthType Kerberos
KrbAuthRealms MYREALM.DOMAIN.ES
KrbServiceName HTTP/mymoodle.es#MYREALM.DOMAIN.ES
Krb5KeyTab /etc/krb5.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthoritative on
require valid-user
</Files>
</Directory>
</VirtualHost>
Apache version: Apache/2.2.15 (CentOS)
Moodle version: 2.4.7

Today i`ve the similar situation when i was configure SSO (Kerberos). I solved the issue when i set - KrbServiceName HTTP
you should replace KrbServiceName HTTP/mymoodle.es#MYREALM.DOMAIN.ES by KrbServiceName HTTP and then SSO will be work correct.

Related

How to use a custom login screen with Apache Kerberos Authentication

I have configured Apache for Kerberos Authentication using Windows 2012 Server. The configuration file from Apache is as follows:
<VirtualHost *:8090>
ServerName myapp.example.com
<Location />
AuthType Kerberos
AuthName "Kerberos Authentication"
KrbAuthRealms srv1.test.com
KrbServiceName HTTP/myapp.example.com#srv1.test.com
Krb5Keytab /etc/httpd/conf.d/http.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbSaveCredentials On
KrbVerifyKDC off
Require valid-user
</Location>
It shows a Kerberos Authentication login screen and I can logon correctly by providing the username and password.
The login screen shown is a Basic Authentication login screen. I am working on a Web Application that has its own security module built in Perl CGI that does authentication from Active Directory. Is it possible that the login screen shown by Apache Basic Authentication can be changed to use a custom login screen that is integrated in my Web Application? Are there any CPAN modules available so that I can integrate Kerberos Authentication in Perl CGI instead of doing it in Apache?

How to use LDAP Authentication with Grafana and Wamp for Single Sign On?

I am trying to add single sign on for grafana using LDAP, I have come across Grafana documentation for LDAP but I did not understand.
Can I get Single Sign On feature using LDAP?
If yes, Can somebody give me a step by step procedure to follow to setup single sign on using ldap and grafana.
Grafana Version : 5.2.1
OS: WINDOWS
Update 1
I have been able to configure LDAP with grafana. Now I'm trying to integrate LDAP with wamp for SSO. In apache error log file I'm getting this error
auth_ldap authenticate: user username authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax].
My apache config file.
<VirtualHost *:80>
ServerName localhost
RewriteEngine on
ErrorLog "logs/authproxy-error_log"
CustomLog "logs/authproxy-access_log" common
<Location "/grafana/">
LDAPReferrals off
AuthType Basic
AuthName GrafanaAuthProxy
AuthBasicProvider ldap
AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"
AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
AuthLDAPBindPassword "password"
AuthLDAPGroupAttributeIsDN off
Require ldap-filter ldapsettingshere
AuthLDAPMaxSubGroupDepth 1
RequestHeader unset Authorization
Require valid-user
</Location>
<Proxy *>
RewriteEngine On
RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
</Proxy>
RequestHeader unset Authorization
ProxyRequests Off
ProxyPass /grafana/ http://localhost:3000/
ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>
Update 2
Able to resolve the issue by changing the bindURL and bindDN.
I have been able to do SSO by following these steps.
Configuring LDAP with Grafana by following steps in grafana documentation
Disabling the grafana login page by using Apache’s auth work together with Grafana’s AuthProxy documenation
Integrating LDAP with Apache for reverse proxy authentication by modifying httpd.conf file as mentioned above
Disabled reverse proxy authentication pop up by passing username and password into the url in the script.
With these steps I have been able to get SSO functionality.

how to implement a multisite kerberos authentication using omd/thruk

Hi I'm trying to create an omd (www.omdistro) multisite configuration which allows Single Sign On, I'm trying to do this using kerberos.
I have already configured system apache to use kerberos authentication on some directory and it seems to work, I tried to apply same kerberos settings to apache :
LoadModule auth_kerb_module /usr/lib/apache2/modules/mod_auth_kerb.so
into directory object :
Options FollowSymLinks
AllowOverride None
Order allow,deny
allow from all
AuthType Kerberos
AuthName <mine_auth_name>
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms <mine_realm>
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
KrbVerifyKDC off
Require valid-user
But :
in system apache configuration this produces a kerberos authentication
in omd apache not and thruk prompts me login form
Is there a way to disable the login form in thruk ?
I found a method that for now it works, I still have to try if I can play with users' permissions to limit what they can see.
For now, mine configuration, allows to everybody has a kerberos principal and performed on one site the authentication, to open all other sites.
First of all I disabled thruk cookie authentication that for some reason conflicts with kerberos one and shows you login form.
After that I loaded kerberos authentication module like described in my question, after that I discovered that there is a site.conf file in ${SITE_HOME}/etc/apache/conf.d/ that reading comments it is the one to modify globally site behavior, so I put in there the configurations about kerberos :
Omd site name is lab4
<Location "/lab4">
# put your extra site configs here
Options Indexes FollowSymLinks MultiViews
Order allow,deny
allow from all
AuthType Kerberos
AuthName <mine-realm>
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbAuthRealms <mine-realm>
KrbServiceName HTTP
Krb5Keytab /etc/apache2/http.keytab
KrbVerifyKDC off
Require valid-user
</Location>
I still have to test if I can use this configuration as a start to get a full functional user's access rules or not, I hope it could be useful.

Apache Reverse Proxy with Frontend and Backend Authentication

Here's the outcome I am trying to achieve:
Client browser (Chrome in my case) hits the Apache HTTPd server (server1) on 50070. The client browser has no access to Kerberos KDC and carries no Kerberos/GSS auth data.
Apache HTTPd has access to KDC and is configured to require Kerberos authentication, but with a password fallback (i.e. KrbMethodK5Passwd is On, so it accepts "Authorization: Basic" in HTTP headers).
Client browser prompts user for login and password thanks to the fallback option (as there's no Kerberos ticket offered by client). Apache HTTPd validates supplied login and password against Kerberos, and obtains the correct user principal Kerberos ticket and keeps that in memory (it also saves it to /tmp, thanks to KrbSaveCredentials option).
Apache HTTPd reverse-proxies to a backend server (server2), which also listens on port 50070. The backend server is running Jetty, which accepts Kerberos only, without any password/Basic authentication fallback - if there's no Kerberos ticket, there's no entry. Apache HTTPd sends the user principal Kerberos ticket obtained from KDC using login+pass to server2.
In my current configuration, points 1, 2 & 3 work successfully - i.e. the client to server1 authentication works correctly and I can see Apache saving the user principal ticket on server1 for a brief moment.
However, I'm having difficulty forcing Apache HTTPd to use the obtained user Kerberos ticket to authenticate with server2. Basically no authentication detail is sent at all to server2.
Here's my configuration:
<VirtualHost 1.2.3.4:50070>
ServerAlias server1.example.com:50070
ServerAlias server1:50070
ProxyPreserveHost Off
ProxyRequests Off
ProxyPass / http://server2.example.com:50070/ retry=0
ProxyPassReverse / http://server2.example.com:50070/ retry=0
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
ErrorLog logs/error_log
TransferLog logs/access_log
LogLevel debug
<Location />
Options None
AuthType Kerberos
AuthName "NameNode"
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms EXAMPLE.COM
Krb5Keytab /etc/httpd/conf/http.keytab
KrbSaveCredentials on
KrbLocalUserMapping on
Require valid-user
</Location>
</VirtualHost>
I have also tried using SetEnv proxy-chain-auth offered by mod_proxy_http, which I suppose works as designed, it does indeed send the exact content of "Authorization: Basic ..." header that client came to server1 with, onward to server2, but server2 does not support anything but Kerberos (i.e. "Authorization: Negotiate"), and complains about unknown auth method in its logs.
Is there a way to force Apache HTTPd to use the Kerberos ticket obtained from KDC, using the login and password provided by client browser, to then authenticate using Negotiate method (with ticket) with the target server2 I'm reverse proxying to?

How to login into Web App with kerberos/AD but still allow access to non AD users

I'm deploying a SSO in Apache webserver against an Active Directory via kerberos (mod_auth_kerb).
The module is installed and configured correctly, when I access apache websites with a logged in user to AD network, Apache receives correctly user's credentials via REMOTE_USER variable. The thing is that I want external users (non AD network ones) to be able to access Apache websites via regular login, but they get a
401 Authorization required
when accessing the websites.
I guess this can be achieved via kerberos configuration but haven't reached the solution. Does anyone know if this is posible with a kerberos location directive or should I configure some workaround for this, such as limiting location access by ip ranges in virtual host configuration Location directive?
My virtual host configuration is:
<VirtualHost *:80>
# General
ServerAdmin packettrc#my.es
DocumentRoot /home/moodle/moodle
ServerName my.es
LogLevel debug
ErrorLog logs/my.es-error.log
CustomLog logs/my.es.log combined
<Location />
AuthType Kerberos
AuthName "Kerberos Login MY"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP/my.es#MY.ES
KrbAuthRealms MY.ES
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
</VirtualHost>
Try to replace
Require valid-user
with
Satisfy Any
You can find some insights in this article. Just in case link to Apache's manual.