Installation and Maintenance

Basic Kerberos concepts

Configuration of Kerberos authentication for the Apache webserver can fail due to several issues, which sometimes are not too easy to troubleshoot. This document describes some of the background activities and configuration details to help with the setup and error diagnostics in different environments.
 
Single sign-on for ILIAS and Apache authentication can be tested in a two-layer approach:

  1. Apache authentication mechanisms
  2. ILIAS configuration to use Apache authentication
 
To reduce the complexity of the setup, a simple web page containing only a phpinfo() call or an evaluation of the Apache environment variables can be used to configure the first (Apache) layer. The results can then be adopted for the ILIAS configuration in a second step.

Part 1: Kerberos

The Kerberos module for Apache provides two methods of authentication against the Kerberos database:

  • Kerberos passwords and
  • Kerberos negotiate.

The password method simply has the Kerberos service check a username/password combination against its database. The data is sent to the Kerberos server (unencrypted!). If authentication succeeds, the validated username can be accessed in the "REMOTE_USER" environment variable and "AUTH_TYPE" is set to "Basic".
This method does not really provide single sign-on, but it can be used for testing or for external access by Kerberos users who cannot use the negotiate method. Additional security measures are needed to protect the password transmission through public networks (e.g. SSL/TLS).
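
The following test page is an added example, not part of ILIAS or of the Kerberos module. It evaluates the Apache environment variables named above instead of dumping everything with phpinfo(), and reports when the password method was used without TLS. The function name evaluate_apache_auth and the wording of the findings are assumptions made for this example.

```php
<?php
// Added diagnostic page (not ILIAS code). Place it in the location protected
// by the Kerberos module and request it with a browser.

/**
 * Evaluate the authentication-related Apache environment variables.
 * $server is normally $_SERVER; passing it in keeps the function reusable.
 */
function evaluate_apache_auth(array $server): array
{
    $user     = $server['REMOTE_USER'] ?? '';
    $authType = $server['AUTH_TYPE'] ?? '';
    // PHP exposes HTTPS as a non-empty value (other than "off") on TLS requests.
    // Behind a TLS-terminating proxy this is not set and the page reports "no".
    $https = $server['HTTPS'] ?? '';
    $tls   = $https !== '' && strtolower($https) !== 'off';

    $findings = [];
    if ($user === '') {
        $findings[] = 'REMOTE_USER is empty: Apache did not authenticate this request.';
    }
    if (strcasecmp($authType, 'Basic') === 0) {
        $findings[] = 'AUTH_TYPE is Basic: the password method was used, not single sign-on.';
        if (!$tls) {
            $findings[] = 'The password was sent without TLS: protect this location with SSL/TLS.';
        }
    } elseif ($authType !== '') {
        $findings[] = "AUTH_TYPE is {$authType}: the password method was not used.";
    }

    return ['user' => $user, 'auth_type' => $authType, 'tls' => $tls, 'findings' => $findings];
}

$result = evaluate_apache_auth($_SERVER);

// Plain text output, so the reported values are never interpreted as HTML.
header('Content-Type: text/plain; charset=utf-8');
printf(
    "REMOTE_USER: %s\nAUTH_TYPE:   %s\nTLS:         %s\n",
    $result['user'] !== '' ? $result['user'] : '(not set)',
    $result['auth_type'] !== '' ? $result['auth_type'] : '(not set)',
    $result['tls'] ? 'yes' : 'no'
);
foreach ($result['findings'] as $finding) {
    echo "- {$finding}\n";
}
```

Remove the page again once the Apache layer works, since it discloses the authenticated account name to anyone who can reach it.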


