Windows Active Directory authentication and Apache — SPNEGO
Today I had the opportunity to look into how to get AD authentication to work on Apache running under Linux. The last time I looked must have been some time ago, because back then the answer was “not possible”.
To make a long story short, Kerberos authentication works with most modern browsers. You just need to configure both the web server and the browser to understand and use it. In effect this enables the SPNEGO, or “Negotiate”, protocol.
The catch with using SPNEGO is that you don’t want your browser automatically sending your credentials to just any web server out there.
- With IE, you must add the necessary servers to the “Intranet zone”.
- With Firefox, you must configure the trusted sites in a user preference:

    pref("network.negotiate-auth.trusted-uris", site-list);
    pref("network.negotiate-auth.delegation-uris", site-list);

I would steer clear of using the delegation-uris option unless you really know what you are doing.
Configuring Apache requires a module which implements SPNEGO. This would be mod_auth_kerb. Debian provides this in libapache-mod-auth-kerb; other distros are bound to support it as well.
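
A minimal mod_auth_kerb setup for one protected path, as an added example that is not from the original post. The location, realm, host name and keytab path are placeholder assumptions; the directives themselves are mod_auth_kerb's.

```apache
# Added example. /protected, EXAMPLE.COM, www.example.com and the keytab
# path are placeholders; substitute your own AD realm and server name.
<Location "/protected">
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Offer SPNEGO ("Negotiate") to the browser.
    KrbMethodNegotiate On

    # Do not fall back to prompting for the AD password over Basic auth.
    # With this On, a browser that cannot negotiate sends the user's
    # cleartext password to the web server.
    KrbMethodK5Passwd Off

    # AD realm (the upper-cased domain name) that tickets must come from.
    KrbAuthRealms EXAMPLE.COM

    # Service principal type the browser requests a ticket for.
    KrbServiceName HTTP

    # Keytab holding the key for HTTP/www.example.com@EXAMPLE.COM.
    # Keep it readable only by the account Apache runs as.
    Krb5KeyTab /etc/apache2/http.keytab

    # Do not store delegated tickets on the server, in line with
    # leaving delegation-uris unset on the browser side.
    KrbSaveCredentials Off

    Require valid-user
</Location>
```

Serve the protected location over TLS only, and make sure the host name users type matches the service principal in the keytab, otherwise the browser cannot obtain a ticket for it.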