On nodes intended for Fabasoft Folio Web Services, SPNEGO authentication is provided as an extension module for the Apache Web Server. SPNEGO authentication allows single sign-on via Kerberos and Active Directory even from a Fabasoft Folio Web Client (similar and compatible to integrated login on the Microsoft platform).
Additionally, configure /etc/krb5.conf to use the Active Directory domain as Kerberos realm and its domain controller as Kerberos Key Distribution Centre.
To configure /etc/krb5.conf, perform the following steps:
Basic Kerberos authentication has now been configured on the newly installed server.
For each Linux server running kerberized Fabasoft Folio Services, a distinct ADERPC key has to be exported.
To create an ADERPC key for Fabasoft Folio Backend Services, perform the following steps:
Now a Kerberos key needs to be transferred to the corresponding Linux computer. To export the key from Active Directory, the ktpass utility is required.
Execute the following command:
ktpass -crypto <crypto-type> -princ ADERPC/<fqdn>@<REALM> -ptype KRB5_NT_PRINCIPAL -mapuser <user account> -pass <password of the user account> -out <filename>
Possible crypto types:
Note:
Example:
ktpass -crypto DES-CBC-MD5 -princ ADERPC/fscbackend.sub.comp.com@SUB.COMP.COM -ptype KRB5_NT_PRINCIPAL -mapuser ADERPC-fscbackend -pass <your password> -out fscbackendADERPC.key
Via a secure channel (e.g. using ssh), transfer the key file to the Linux server, where it needs to be imported into the Kerberos keytab as described in chapter 6.2 “Import of Keys on Linux Servers”.
Note:
For each machine intended for Fabasoft Folio Web Services, as well as for all nodes running Fabasoft Folio Web Management, an HTTP Kerberos key is required.
Perform the steps of chapter “ADERPC Key Creation” and replace “ADERPC” with “HTTP”. Name the output file <hostname>HTTP.key, which results in qavmlinuxrhelHTTP.key for our example host.
First create a subdirectory fabasoft in /etc. In the terminal type:
mkdir /etc/fabasoft
Run the utility /usr/kerberos/sbin/ktutil.
Execute the following commands:
Note: The ownership and permissions of the file /etc/fabasoft/krb5.keytab need to be changed later on (user fscsrv, group fsc, permissions 0600). This can be done only after the basic Fabasoft Folio software packages have been installed as these packages will create all required users and groups. Do not create the user (or group) yourself!
See white paper “Installation of Fabasoft Folio Services on Linux”.
If one of the tests fails, it is necessary to fix the problem before Fabasoft Folio is installed.
Execute the following command and enter the user’s password when prompted:
kinit <Microsoft Windows user>
If no error message is returned, view the ticket cache with the following command:
klist
Verify the output (the default principal must correspond to the provided user):
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <Microsoft Windows user>@<SUB.COMPANY.COM>
Valid starting     Expires            Service principal
11/15/04 09:16:36  11/16/04 19:16:38  krbtgt/<SUB.COMPANY.COM>@<SUB.COMPANY.COM>
Issue the following command to acquire a ticket using the key in the Kerberos keytab file instead of an interactive password:
kinit -k -t /etc/fabasoft/krb5.keytab <principalname>
Example:
kinit -k -t /etc/fabasoft/krb5.keytab \
ADERPC/<hostname>.<sub.company.com>@<SUB.COMPANY.COM>
Note: ‘\’ denotes line continuation.
If no error message is returned, view the ticket cache with the following command:
klist
Verify the output (the default principal must match the ADERPC principal name passed to kinit):
Along the same lines, try the HTTP key.
kinit -k -t /etc/fabasoft/krb5.keytab \
HTTP/<hostname>.<sub.company.com>@<SUB.COMPANY.COM>
Note: ‘\’ denotes line continuation.
If no error message is returned, view the ticket cache with the following command:
klist
On any errors, please consult the extensive Kerberos documentation.
If no errors occur, the installation and configuration of Kerberos has been successful.
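The keytab import with ktutil and the keytab-based kinit/klist checks above can be scripted so that the result is verified rather than read off the screen. The following shell script is an added example and is not part of the Fabasoft white paper; it assumes the keytab path /etc/fabasoft/krb5.keytab from the text, the ownership fscsrv:fsc with mode 0600 required by the note in the import chapter, and hypothetical key file names and host/realm values (qavmlinuxrhel, SUB.COMPANY.COM). The ktutil commands rkt and wkt, and the kinit options -k and -t, are the standard MIT Kerberos ones.

```shell
#!/bin/sh
# Added example, not from the Fabasoft white paper.
# Helpers to import exported ADERPC/HTTP key files into the Fabasoft keytab,
# check the keytab's ownership and mode, and confirm that a keytab-based kinit
# produced a ticket for the expected principal.

KEYTAB="${KEYTAB:-/etc/fabasoft/krb5.keytab}"

# ktutil_script FILE...: print the ktutil command sequence that reads each
# exported key file (rkt) and writes the merged keys to the keytab (wkt).
# Piping this text into ktutil is equivalent to typing it interactively.
ktutil_script() {
    for f in "$@"; do
        printf 'rkt %s\n' "$f"
    done
    printf 'wkt %s\nquit\n' "$KEYTAB"
}

# principal_name SERVICE FQDN REALM: build the service principal used for a
# keytab-based kinit, e.g. ADERPC/qavmlinuxrhel.sub.company.com@SUB.COMPANY.COM
principal_name() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# check_keytab_perms FILE OWNER GROUP: succeed only if FILE is mode 0600 and
# owned by OWNER:GROUP (fscsrv:fsc once the Fabasoft packages created them).
check_keytab_perms() {
    file="$1"; want_owner="$2"; want_group="$3"
    [ -f "$file" ] || return 1
    # GNU stat (Linux) first, BSD stat as a fallback.
    perms=$(stat -c '%a %U %G' "$file" 2>/dev/null) \
        || perms=$(stat -f '%OLp %Su %Sg' "$file" 2>/dev/null) \
        || return 1
    set -- $perms
    [ "$1" = "600" ] && [ "$2" = "$want_owner" ] && [ "$3" = "$want_group" ]
}

# default_principal: extract the "Default principal:" value from klist output
# read on stdin (only the first match, which is the ticket cache header).
default_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# verify_ticket PRINCIPAL: acquire a ticket from the keytab, then confirm
# that klist reports PRINCIPAL as the default principal of the cache.
verify_ticket() {
    princ="$1"
    kinit -k -t "$KEYTAB" "$princ" || return 1
    got=$(klist | default_principal)
    [ "$got" = "$princ" ]
}

# Typical use on the Linux server (hypothetical host and realm):
#   ktutil_script qavmlinuxrhelADERPC.key qavmlinuxrhelHTTP.key | ktutil
#   check_keytab_perms "$KEYTAB" fscsrv fsc
#   verify_ticket "$(principal_name ADERPC qavmlinuxrhel.sub.company.com SUB.COMPANY.COM)"
#   verify_ticket "$(principal_name HTTP qavmlinuxrhel.sub.company.com SUB.COMPANY.COM)"
```

The permission check must run after the Fabasoft packages have created the fscsrv user and the fsc group; before that point it fails by design, which is the intended order in the white paper.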