Configuring Kerberos SSO Authentication on Windows Server
Hosts
• Windows Domain Controller (Active Directory, AD/LDAP server): winssoad.winssodom.local.
• Codebeamer server (and Apache server) - joined to AD: win7000.winssodom.local.
• Windows client - joined to AD: host name not relevant.
Install Apache 2.2
Download and install httpd-2.2.25-win32-x86-openssl-0.9.8y.msi with typical settings on the machine hosting the Codebeamer server (default installation folder: C:\Program Files (x86)\Apache Software Foundation\Apache2.2).
The Kerberos module below is built specifically for this installer.
Install Kerberos module for Apache
Download mod_auth_kerb.so and copy it to the folder C:\Program Files (x86)\Apache Software Foundation\Apache2.2\modules on the machine hosting the Codebeamer server.
Install MIT Kerberos
Download and install kfw-4.0.1-i386.msi with typical settings on the machine hosting the Codebeamer server.
Create and install a Kerberos token (keytab)
• Create an account on the AD server: cbssokerb.
• Create a keytab on the AD server: open a command prompt window and run the following command: ktpass -princ HTTP/win7000.winssodom.local@winssodom.local -mapuser cbssokerb -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass * -out c:\cbssokerb.keytab
• Enter the password for the account cbssokerb when prompted.
• Copy the generated keytab file to the Apache config folder: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab.
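Before wiring the keytab into Apache it is worth checking what ktpass actually wrote: the principal must be exactly HTTP/<ServerName>@<realm> (Kerberos realm names are case-sensitive), and "-crypto ALL" also emits the deprecated DES and RC4 keys. The following Python script is an added example, not part of this page or of Codebeamer; it implements a parser for the MIT keytab file format (version 0x0502, the format ktpass and MIT kinit/klist use), builds a constructed sample keytab for the principal above with placeholder zero keys, and reports mismatches against the vhost's ServerName and KrbAuthRealms. The function names (parse_keytab, build_keytab, check_keytab) are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Enctype numbers as assigned by MIT/Heimdal/Windows; the DES and RC4 ones are
# deprecated (RFC 6649, RFC 8429) but "ktpass -crypto ALL" still emits them.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED_ENCTYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/win7000.winssodom.local@WINSSODOM.LOCAL
    name_type: int   # 1 == KRB5_NT_PRINCIPAL (what the page's ktpass -ptype asks for)
    kvno: int
    enctype: int


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a keytab in file format version 0x0502 (written by ktpass, read by MIT kinit/klist)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # signed 32-bit entry size
        pos += 4
        if size == 0:
            break
        if size < 0:                                    # negative size marks a deleted entry ("hole")
            pos += -size
            continue
        end = pos + size
        (n_comp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(n_comp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)            # the secret itself is never printed
        kvno = vno8
        if end - pos >= 4:                              # optional 32-bit kvno (8-bit one wraps at 256)
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, kvno, enctype))
    return entries


def build_keytab(principal: str, kvno: int, keys: List[Tuple[int, bytes]]) -> bytes:
    """Write a keytab for one principal, one entry per (enctype, key). Used here only to construct sample input."""
    name, realm = principal.split("@")
    comps = name.split("/")
    head = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        head += _counted(comp.encode())
    out = b"\x05\x02"
    for enctype, key in keys:
        body = (head + struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno
                + struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno))
        out += struct.pack(">i", len(body)) + body
    return out


def check_keytab(data: bytes, server_name: str, realm: str) -> List[str]:
    """Compare the keytab with what the Apache vhost needs: every entry must be HTTP/<ServerName>@<KrbAuthRealms>."""
    wanted = "HTTP/%s@%s" % (server_name, realm)
    problems = []
    entries = parse_keytab(data)
    if not entries:
        problems.append("keytab contains no entries")
    for e in entries:
        if e.principal != wanted:
            # Realm names are case-sensitive: ...@winssodom.local is not ...@WINSSODOM.LOCAL
            problems.append("principal %s does not match %s (realm names are case-sensitive)" % (e.principal, wanted))
        if e.enctype in DEPRECATED_ENCTYPES:
            problems.append("%s: enctype %d (%s) is deprecated" % (e.principal, e.enctype, ENCTYPE_NAMES[e.enctype]))
    return problems


# Constructed sample: the principal from this page's ktpass command, kvno 3, all-zero placeholder keys (not real secrets).
SAMPLE_PRINCIPAL = "HTTP/win7000.winssodom.local@WINSSODOM.LOCAL"
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, 3, [(18, bytes(32)), (17, bytes(16)), (23, bytes(16))])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    for problem in check_keytab(SAMPLE_KEYTAB, "win7000.winssodom.local", "WINSSODOM.LOCAL"):
        print("WARNING:", problem)
```

To check a real file, replace SAMPLE_KEYTAB with the bytes read from cbssokerb.keytab; the parser reads the key material only to skip over it, so the output is safe to paste into a ticket.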
Configure MIT Kerberos
• Edit the file C:\ProgramData\MIT\Kerberos5\krb5.ini and add the following text:
[libdefaults]
debug=true
default_realm = WINSSODOM.LOCAL
dns_lookup_kdc = false
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
WINSSODOM.LOCAL = {
    kdc = WINSSOAD.winssodom.local
    admin_server = WINSSOAD.winssodom.local
    default_domain = winssodom.local
}
[domain_realm]
.winssodom.local = WINSSODOM.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
Configure Apache
Edit the file C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\httpd.conf and perform the following tasks:
• Enable the following standard modules (either copy/paste the following block, or uncomment them in their original locations, but make sure none of them is loaded twice):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
• Load the non-standard (just installed) Kerberos module:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
• Configure the virtual host(s):
<VirtualHost *:80>
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # Off: the ProxyPass reverse proxy below does not need forward proxying, and On together
    # with "Allow from all" in <Proxy *> would make this host an open proxy
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /cb http://localhost:8080/cb
    ProxyPassReverse /cb http://localhost:8080/cb
    ServerName win7000.winssodom.local
    <Location /cb>
        Order allow,deny
        Allow from all
        AuthType Kerberos
        KrbServiceName HTTP
        AuthName "Domain login"
        KrbAuthRealms WINSSODOM.LOCAL
        Krb5KeyTab "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab"
        require valid-user
        KrbLocalUserMapping On
        KrbMethodNegotiate On
        # Off: no Basic-auth password fallback, so domain passwords never pass through the proxy
        KrbMethodK5Passwd Off
        # The directives below put the logon name of the authenticated user into the HTTP header X-User-Global-ID.
        # Unset it first so a client cannot supply its own copy; it is then set only from the Kerberos-authenticated REMOTE_USER.
        RequestHeader unset X-User-Global-ID
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule /cb.* - [E=RU:%1,L,NS]
        RequestHeader set X-User-Global-ID %{RU}e
        # Remove the domain suffix to get the simple logon name
        RequestHeader edit X-User-Global-ID "@WINSSODOM.LOCAL$" ""
    </Location>
</VirtualHost>
Restart Apache server
Go to Windows Service Manager and restart Apache2.2 service.
Other Tasks
The following steps are similar to those described in:
• Configure Codebeamer to use AD.
• Enabling SSO in Codebeamer System Administration.
• Enabling Kerberos Authentication in Client.
• Open Codebeamer with Kerberos SSO.
SSL
To serve Codebeamer over HTTPS, a server certificate must be generated for Apache. This can be done with the OpenSSL bundled with Apache.
Start the bundled openssl.exe from the command line: "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\openssl.exe".
At the OpenSSL prompt, generate a self-signed certificate and private key valid for a year:
req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privatekey.key -out certificate.crt -config "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\openssl.cnf"
Provide the organization information when prompted. The two files are written to the current directory; the configuration below expects them at c:\certificate.crt and c:\privatekey.key. Because -nodes leaves the private key unencrypted, restrict the key file's permissions to the account the Apache service runs as.
• The configuration is almost the same as for HTTP, differing in the first 5 lines, which add the certificate information.
# Requires mod_ssl to be loaded in httpd.conf: LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
    # Browsers request a ticket for HTTP/<host name in the URL>, so this name must have an SPN in the keytab
    # (the keytab above was created for HTTP/win7000.winssodom.local)
    ServerName ap.winssodom.local
    SSLEngine on
    SSLCertificateFile c:\certificate.crt
    SSLCertificateKeyFile c:\privatekey.key
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # Off: the ProxyPass reverse proxy below does not need forward proxying, and On together
    # with "Allow from all" in <Proxy *> would make this host an open proxy
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /cb http://localhost:8080/cb
    ProxyPassReverse /cb http://localhost:8080/cb
    <Location /cb>
        Order allow,deny
        Allow from all
        AuthType Kerberos
        KrbServiceName HTTP
        AuthName "Domain login"
        KrbAuthRealms WINSSODOM.LOCAL
        Krb5KeyTab "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cbssokerb.keytab"
        require valid-user
        KrbLocalUserMapping On
        KrbMethodNegotiate On
        # Off: no Basic-auth password fallback, so domain passwords never pass through the proxy
        KrbMethodK5Passwd Off
        # The directives below put the logon name of the authenticated user into the HTTP header X-User-Global-ID.
        # Unset it first so a client cannot supply its own copy; it is then set only from the Kerberos-authenticated REMOTE_USER.
        RequestHeader unset X-User-Global-ID
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule /cb.* - [E=RU:%1,L,NS]
        RequestHeader set X-User-Global-ID %{RU}e
        # Remove the domain suffix to get the simple logon name
        RequestHeader edit X-User-Global-ID "@WINSSODOM.LOCAL$" ""
    </Location>
</VirtualHost>