Help setting up SSO with Kerberos and Active Directory

Hello,

I’ve been trying to get SSO with Kerberos working in our Active Directory environment. LDAPS works with group mapping etc., but I guess I need some help now.

I tried nginx as reverse proxy with https://github.com/stnoonan/spnego-http-auth-nginx-module. I could access the wiki, I even saw the correct user being used in the logs, but automatic login was not working and I got java errors in the tomcat log. I’d have to recreate this setup to get logs because I switched to apache after that.

Then I tried (as I said) apache with mod_auth_kerb. I created a keytab file, modified krb5.config, set apache up according to http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HKerberosSSOAuthentication but it seemed that the user was not passed on since I could not see it in the tomcat logs, only that the “user is null”. The wiki and manual LDAP login worked.

I tried to set in the xwiki.cfg
xwiki.authentication.ldap.remoteUserParser=(.+)@(.+)
xwiki.authentication.ldap.remoteUserMapping.1=uid, also tried sAMAccountName here
and server.xml
tomcatAuthentication="false"
but nothing really brought me closer to solving the problem.

What am I missing. Any help would be greatly appreciated. Thanks.

Johannes

Not sure why you are talking about http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HKerberosSSOAuthentication since your example does not have anything to do with it (which is good).

So back to your example now: if manual login works you probably don’t need much on the XWiki side.

So if mod_auth_kerb is doing its job you should see in the LDAP debug log something like “RemoteUser: toto@mydomain.com” or “RemoteUser: mydomain.com\toto” or some other format (that’s why you have to provide a regexp in the configuration). That is the REMOTE_USER that XWiki is supposed to receive from whatever is in front of it, and it is parsed with “xwiki.authentication.ldap.remoteUserParser”.

If you don’t see it there is not much you can do at the XWiki level. Sometimes bad authenticator modules don’t properly set the HTTP REMOTE_USER and instead set a custom HTTP header, which you can indicate in xwiki.authentication.ldap.httpHeader. I don’t have any experience with mod_auth_kerb, sorry.

I linked to that KerberosSSO page because it uses mod_auth_kerb as well. I did not use the jar-file below etc. Just wanted to say that I set up apache for kerberos in a similar way until the part with the authkerb.jar.

I’m struggling to get the REMOTE_USER set with Apache. Maybe someone has a working config and is willing to share some details.

I figured it out. I had to add
RequestHeader set REMOTE_USER expr=%{REMOTE_USER}
to my apache config and now SSO works.

Update: It’s a combination of setting the user in the Apache config
RequestHeader set MYREALMUSER expr=%{REMOTE_USER}
and using the same in
xwiki.authentication.ldap.httpHeader=MYREALMUSER
that works for me. If one of those settings is missing, SSO doesn’t work. There might be a more elegant solution out there, but I guess it works for me.

This looks weird. I’m not an Apache expert, but it seems to put the standard REMOTE_USER in a custom HTTP header. That would mean something removes the REMOTE_USER in your setup.

Of course it works with “set REMOTE_USER expr=%{REMOTE_USER}” as well.

This would probably explain the missing REMOTE_USER header: https://renaudmarti.net/posts/make-apache-proxy-remote-user-to-backend/

OK that’s good to know. Thanks for the information :slight_smile:
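For readers who land here with the same problem, the following is an added example (not from the original posts, the XWiki documentation, or the linked article) of an Apache 2.4 virtual host in the shape the thread converges on: mod_auth_kerb authenticates the browser via Negotiate, the authenticated principal is copied into the custom request header that xwiki.cfg reads through xwiki.authentication.ldap.httpHeader, and the request is proxied to Tomcat over HTTP. The realm EXAMPLE.COM, the keytab path, the certificate paths, the hostname, the Tomcat address and the header name MYREALMUSER are assumptions to be replaced with your own values.

```apache
# Added example (not the poster's config). Assumed values: realm EXAMPLE.COM,
# keytab /etc/apache2/http.keytab, Tomcat bound to 127.0.0.1:8080,
# header name MYREALMUSER (must match xwiki.authentication.ldap.httpHeader).
<VirtualHost *:443>
    ServerName wiki.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wiki.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/wiki.example.com.key

    ProxyRequests Off
    ProxyPreserveHost On

    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbAuthRealms EXAMPLE.COM
        Krb5Keytab /etc/apache2/http.keytab
        KrbServiceName HTTP
        KrbMethodNegotiate On
        # No password fallback: a browser without a ticket gets 401, not a Basic prompt.
        KrbMethodK5Passwd Off
        # Keep REMOTE_USER as user@EXAMPLE.COM so remoteUserParser=(.+)@(.+) matches.
        KrbLocalUserMapping Off
        KrbSaveCredentials Off
        Require valid-user

        # Strip any header of this name supplied by the client before auth runs,
        # so a browser can never pick its own wiki identity.
        RequestHeader unset MYREALMUSER early
        # After authentication, copy the verified principal into the header.
        # "set" runs late by default (REMOTE_USER is populated by then);
        # the expr= form needs Apache 2.4.10 or newer.
        RequestHeader set MYREALMUSER expr=%{REMOTE_USER}

        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
</VirtualHost>
```

Two things to check before relying on this. First, the backend trusts MYREALMUSER blindly, so Tomcat must only be reachable through this proxy (bind its connector to 127.0.0.1 or firewall the port); otherwise anyone who can reach port 8080 directly can log in as any user by sending the header. Second, the header is only needed because mod_proxy_http does not forward REMOTE_USER at all, which is what the linked article describes. If you proxy over AJP (mod_proxy_ajp) instead, the authenticated user is carried natively and the tomcatAuthentication="false" connector attribute mentioned above tells Tomcat to use it, so request.getRemoteUser() is populated without a custom header and xwiki.authentication.ldap.httpHeader can stay unset.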