Implementation of Apache single sign-on (SSO) in Active Directory environment

Source: Internet
Author: User
Tags: ticket, kinit

1. Experimental environment
The company has deployed Microsoft Active Directory; assume the domain name is wyd.com. A web server running Red Hat Enterprise Linux 5.5 hosts a site that was originally reachable only from the intranet. Because of business growth the site now has to be published to the Internet so that sales and maintenance staff can reach it remotely, but since it contains business data, people outside the company must not be able to browse it freely.
2. Experimental purposes
To keep the data secure, authentication has to be done on Apache. The traditional Apache authentication mechanisms would inconvenience users, because they would have to enter a separate user name and password to log on to the site. The ideal behaviour is that users on the company intranet are logged in directly without entering anything, while users coming from the Internet are prompted for a user name and password, and those credentials are their company domain account name and password.
3. Principle of realization
Users authenticate to Active Directory with the Kerberos protocol, so Apache's authentication method uses Kerberos as well: a user who has logged in to Active Directory already holds a Kerberos ticket, which can be used to obtain a service ticket for Apache. If the user is not on the company intranet, logging in to Apache only requires entering the Active Directory user name and password.
4. Implementation steps
A. Install Apache, PHP and mod_auth_kerb
Install the PHP environment as required. mod_auth_kerb is Apache's Kerberos authentication module; configure a yum repository and install it with the yum tool, or install the RPM packages directly with the rpm command:
[root@test ~]# yum install httpd php* mod_auth_kerb
B. Configuring Kerberos
Edit /etc/krb5.conf with vim. The shipped file is written for the example.com domain; replace every example.com with your own domain name. Note that Kerberos realm and principal names are case-sensitive, and realm names are conventionally written in upper case. The relevant sections should look like this:
[libdefaults]
default_realm = WYD.COM
[realms]
WYD.COM = {
kdc = dc1.wyd.com:88
default_domain = wyd.com
}
[domain_realm]
test.wyd.com = WYD.COM
wyd.com = WYD.COM

Here test.wyd.com is the FQDN of the Apache server and the kdc value is the domain controller of the domain.
Once Kerberos is configured, verify it with the kinit command, passing an account from AD as the parameter:
[root@test ~]# kinit Bob@WYD.COM
Note the case of the realm. The command prompts for a password; on success it returns without printing anything, and the klist command shows the Kerberos ticket that was obtained.
C. Create HTTP service credentials for the test.wyd.com host
First create an account in AD that will represent the HTTP service, in this example named apache. Then log in to the DC and use the command-line tool ktpass to map the apache account to the service principal HTTP/test.wyd.com@WYD.COM and export its credentials to a keytab file (ktpass is installed with the Support Tools), as follows:
C:\>ktpass -princ HTTP/test.wyd.com@WYD.COM -mapuser apache -crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_HST -pass Wyd -out C:\apache.keytab
After the command succeeds, copy C:\apache.keytab to the web server and make sure the Apache process has read access to the file. Since the keytab holds the service's long-term key, no other account should be able to read it.
D. Configure httpd.conf to authenticate with the mod_auth_kerb module
Alias /test /www/myweb
<Location /test>
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Negotiate (SPNEGO) gives intranet users single sign-on
    KrbMethodNegotiate on
    # Password fallback for clients without a ticket (Internet users), as described above
    KrbMethodK5Passwd on
    KrbAuthRealms WYD.COM
    Krb5Keytab /etc/httpd/apache.keytab
    KrbServiceName HTTP
    Require valid-user
</Location>
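The realm and service principal have to agree, character for character, in three places: krb5.conf, the ktpass command and httpd.conf. The following consistency check is an added example, not part of the original article; its inputs are constructed from the article's values, with the ktpass password replaced by a placeholder.

```python
import re

# Constructed inputs modelled on the article's configuration (not from a live system).
KRB5_CONF = """[libdefaults]
default_realm = WYD.COM
[realms]
WYD.COM = {
 kdc = dc1.wyd.com:88
}
[domain_realm]
test.wyd.com = WYD.COM
"""
KTPASS_CMD = ("ktpass -princ HTTP/test.wyd.com@WYD.COM -mapuser apache "
              "-crypto RC4-HMAC-NT -ptype KRB5_NT_SRV_HST -pass REDACTED -out C:\\apache.keytab")
HTTPD_CONF = """<Location /test>
 AuthType Kerberos
 KrbAuthRealms WYD.COM
 Krb5Keytab /etc/httpd/apache.keytab
 KrbServiceName HTTP
</Location>
"""

def krb5_value(conf, key):
    """First 'key = value' line in a krb5.conf fragment, or None if absent."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def ktpass_principal(cmd):
    """Principal name that 'ktpass -princ ...' writes into the keytab."""
    args = cmd.split()
    return args[args.index("-princ") + 1]

def httpd_directives(conf):
    """mod_auth_kerb directives; Apache directive names are case-insensitive."""
    return {k.lower(): v for k, v in re.findall(r"^\s*(Krb\w+)\s+(.+?)\s*$", conf, re.M)}

def check_spn(krb5_conf, ktpass_cmd, httpd_conf, fqdn):
    """Return a list of mismatches; an empty list means the three sources agree."""
    problems = []
    realm = krb5_value(krb5_conf, "default_realm") or ""
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not upper-case")
    if krb5_value(krb5_conf, fqdn) != realm:
        problems.append(f"[domain_realm] does not map {fqdn} to {realm}")
    d = httpd_directives(httpd_conf)
    expected = f"{d.get('krbservicename', 'HTTP')}/{fqdn}@{realm}"
    princ = ktpass_principal(ktpass_cmd)
    if princ != expected:  # principal names compare case-sensitively
        problems.append(f"keytab principal {princ!r} != {expected!r}")
    if realm not in d.get("krbauthrealms", "").split():
        problems.append(f"KrbAuthRealms does not list {realm}")
    return problems

if __name__ == "__main__":
    print(check_spn(KRB5_CONF, KTPASS_CMD, HTTPD_CONF, "test.wyd.com") or "consistent")
```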
E. Configure the IE browser
IE already supports Integrated Windows Authentication by default; just add the site to the Local intranet zone. Note that the site cannot be accessed by IP address; you must use the FQDN given in the ktpass command above, test.wyd.com in this example.
5. Testing
This completes the experiment: domain users access the site without entering a password, while users who are not in the domain, or have not logged in to the domain, simply enter their domain account name and password. You can test with the following PHP code:
<?php
// mod_auth_kerb sets REMOTE_USER to the authenticated principal, e.g. bob@WYD.COM
echo "You have logged in as " . htmlspecialchars($_SERVER['REMOTE_USER']);
?>

Reference document: http://www.grolmsnet.de/kerbtut/
