SSO - Using PowerBroker Identity Services Enterprise Edition for Single Sign-On with Apache Web Server
PowerBroker Identity Services Enterprise Edition lets you join Linux and Unix computers running the
Apache HTTP Server to Microsoft Active Directory, yielding a range of
benefits for users, system administrators, and managers.
Users get single sign-on: They log on once to a workstation that is
authenticated through Active Directory and automatically receive Kerberos-based
single sign-on for other computers and applications, including the
Apache web server. System administrators rest easy with the knowledge
that users accessing your intranet through HTTP are securely
authenticated with Kerberos 5 and authorized for access to the resources
on your Apache web server. Managers see their operational costs drop as
their Linux and Unix computers running Apache are centrally managed
within Active Directory. Security managers find help in their quest for
regulatory compliance.
Integrated Windows Authentication
Integrated Windows Authentication was introduced with the Microsoft
Windows 2000 operating system. It is based on the SPNEGO, Kerberos,
and NTLMSSP protocols. The SPNEGO protocol is used between the
web browser and the web server to negotiate the type of authentication
that will be performed, usually either Kerberos or NTLMSSP. Kerberos is
the preferred authentication mechanism. Both Kerberos and NTLMSSP
are secure protocols that allow computers to authenticate a user over a
non-secure channel. For web sites, this means that the Secure Sockets
Layer (SSL) protocol does not need to be enabled during the
authentication phase.
Why use Integrated Windows Authentication?
Integrated Windows Authentication improves the overall security of a
network because the user must log on by using his or her username and
password only once. All subsequent accesses by that user to resources --
such as web sites, file systems, and network printers -- are automatically
authenticated with cached security tokens. Using Integrated Windows
Authentication has the benefit of a centralized user account database
where information about all users is kept in Active Directory. This is more
secure than duplicating user names and passwords in configuration files
across various server computers, not to mention the management
overhead of doing so.
PowerBroker Identity Services Enterprise Edition Apache Authentication Architecture
The PowerBroker Identity Services Enterprise Edition Apache Authentication architecture extends Integrated
Windows Authentication to the Apache web server running on a Linux or
Unix system. The authentication is implemented in a dynamically loaded
Apache module: mod_auth_kerb_centeris. This module is based on
a BSD-licensed Apache module called mod_auth_kerb, but includes
modifications so that it works with PowerBroker Identity Services Enterprise Edition.
An additional module, mod_auth_sys_group, provides authorization,
limiting access to the web site to the domain users or groups that you
specify.
The mod_auth_kerb_centeris module implements the SPNEGO,
Kerberos, and Basic Authentication protocols. In doing so, it provides the
majority of the Integrated Windows Authentication functionality, with the
exception of the NTLMSSP protocol. The module uses the SPNEGO
protocol to negotiate whether Kerberos or Basic Authentication is used.
Overview of Setup Process
- Confirm that your components meet the requirements.
- Install the mod_auth_kerb_centeris and mod_auth_pam Apache authentication modules.
- Configure the main Apache server or Virtual Host to use SSL (optional).
- Generate a Kerberos keytab file for the Apache server.
- Configure the mod_auth_kerb_centeris.so and mod_auth_sys_group.so modules.
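As an added illustration of the last two steps (example configuration written for this page, not taken from the PowerBroker documentation), the following protects one location with Kerberos and a group restriction. It assumes both modules are already loaded, that mod_auth_kerb_centeris accepts the directive names of mod_auth_kerb (on which the page says it is based), that the keytab path, realm EXAMPLE.COM and group name are placeholders, and that the Require group syntax shown is the form mod_auth_sys_group expects.

```apache
# Added example, not from the PowerBroker documentation.
# Directive names assumed to match mod_auth_kerb; paths, realm and group are placeholders.
<Location /intranet>
    AuthType Kerberos
    AuthName "Intranet (Active Directory login)"

    # Realm and keytab for the HTTP/<server fqdn> service principal.
    # Replace with your AD realm and the keytab generated in the previous step.
    KrbAuthRealms  EXAMPLE.COM
    Krb5Keytab     /etc/httpd/conf/http.keytab
    KrbServiceName HTTP

    # SPNEGO/Kerberos ticket from a domain-joined browser: no password crosses the wire,
    # so this is the path that works without SSL, as described above.
    KrbMethodNegotiate On

    # Basic fallback (password checked against the KDC) sends the AD password
    # base64-encoded, i.e. readable on the wire. Keep it Off, or turn it On only
    # inside an SSL virtual host (for example with SSLRequireSSL in this block).
    KrbMethodK5Passwd Off

    # Authorization via mod_auth_sys_group: only members of this domain group
    # (group syntax assumed; adjust to what the module documents).
    Require group "EXAMPLE\Web Users"
</Location>
```

Restart Apache after editing, then test from a domain-joined workstation: a successful request should appear in the access log with the user's principal (user@EXAMPLE.COM) and no 401 loop.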
For More Information
Find out more about how to set up single sign-on for Apache by reading the following technical note: Configuring Apache Web Server For Single Sign-On with PowerBroker Identity Services Enterprise Edition