Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

6.2. mod_auth_kerb Example

This section contains instructions for a basic example for configuring Kerberos authentication with Red Hat JBoss Web Server's Apache HTTP Server and mod_auth_kerb on Red Hat Enterprise Linux.
Report a bug

6.2.1. mod_auth_kerb Example Prerequisites
Copy link

The following is a list of prerequisites for the working example. Ensure that all prerequisites are met before attempting to use the example instructions.
  • Install mod_auth_kerb on Red Hat Enterprise Linux.
  • Install curl with GSS-negotiated support.
  • Configure and run a Kerberos or LDAP server (for example ApacheDS) on the same host as your Red Hat JBoss Web Server.
  • Create the following LDAP users:
    • Create the user krbtgt: 
      dn: uid=krbtgt,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: KDC Service
sn: Service
uid: krbtgt
userPassword: secret
krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
    • Create the user ldap: 
      dn: uid=ldap,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: LDAP
sn: Service
uid: ldap
userPassword: randall
krb5PrincipalName: ldap/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
    • Create the user HTTP: 
      dn: uid=HTTP,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: HTTP
sn: Service
uid: HTTP
userPassword: secretpwd
krb5PrincipalName: HTTP/localhost@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
    • Create user hnelson (test user): 
      dn: uid=hnelson,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: krb5principal
objectClass: krb5kdcentry
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0
      Copy to Clipboard Toggle word wrap
Report a bug

6.2.2. Configure the Kerberos Client
Copy link

Use the following procedure to configure a Kerberos client for testing purposes:

Procedure 6.1. Configure the Kerberos Client

  1. Create the Kerberos Configuration File

    Create the krb5.conf configuration file in the /etc directory and add the following to the file: 
    [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  dns_lookup_realm = false
  dns_lookup_kdc = false
  allow_weak_crypto = yes
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes  

[realms]
  EXAMPLE.COM = {
    kdc = localhost:60088
    admin_server = localhost:60088
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  2. Create a Key Tab

    Create a key tab in the /etc/httpd folder with the following contents: 
    # ktutil
ktutil: addent -password -p HTTP/localhost@EXAMPLE.COM -k 0 -e des-cbc-md5
Password for HTTP/localhost@EXAMPLE.COM: secretpwd
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    0               HTTP/localhost@EXAMPLE.COM
ktutil: wkt krb5.keytab
ktutil: quit
    Copy to Clipboard Toggle word wrap
    As the root user, run the following commands to apply the correct group and permissions to the key tab: 
    # chgrp apache /etc/httpd/krb5.keytab
# chmod 640 /etc/httpd/krb5.keytab
    Copy to Clipboard Toggle word wrap

  3. Check the Hosts File

    Ensure that the following host configuration is included in the /etc/hosts file: 
    127.0.0.1 localhost
    Copy to Clipboard Toggle word wrap
Report a bug

6.2.3. Configure mod_auth_kerb
Copy link

Use the following procedure to configure mod_auth_kerb. As a prerequisite, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).

Procedure 6.2. Configure mod_auth_kerb

  • Create the auth_kerb.conf configuration file in the JWS_HOME/httpd/conf.d/ folder and add the following information to the file: 
    #
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
# 

LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /kerberostest>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd/krb5.keytab
  require valid-user
</Location>
    Copy to Clipboard Toggle word wrap
Report a bug

6.2.4. Test the Kerberos Authentication
Copy link

Use the following instructions to test the Kerberos authentication. As a prerequisite for this procedure, ensure that the Kerberos Client is configured (see Section 6.2.2, “Configure the Kerberos Client”).

Procedure 6.3. Test the Kerberos Authentication

  1. Create a Test Page

    Create a test page named auth_kerb_page.html in JWS_HOME/httpd/www/html/kerberostest/.

  2. Add the Contents of the Test Page

    Add the following contents to the test page (auth_kerb_page.html): 
    <html>
<body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
</body>
</html>
    Copy to Clipboard Toggle word wrap

  3. Optional: Set Log Level

    Optionally, set the log level for debugging in JWS_HOME/httpd/conf/httpd.conf.

  4. Start httpd

    The the Installation Guide for details.

  5. Test Authentication

    Test the authentication as follows:
    1. Initiate Kerberos authentication for the test user hnelson: 
      $ kinit hnelson
      Copy to Clipboard Toggle word wrap
    2. View the details for the test user hnelson: 
      $ klist
      Copy to Clipboard Toggle word wrap
      A result similar to the following appears: 
      Ticket cache: FILE:/tmp/krb5cc_18602
Default principal: hnelson@EXAMPLE.COM

Valid starting     Expires            Service principal
06/03/13 14:21:13  06/04/13 14:21:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/10/13 14:21:13
      Copy to Clipboard Toggle word wrap

    3. Testing Apache HTTP Server Kerberos Authentication

      Test Apache HTTP Server Kerberos authentication as follows: 
      $ curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html
      Copy to Clipboard Toggle word wrap
      If working correctly, the following result appears: 
      <html>
<body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
</body>
</html>
      Copy to Clipboard Toggle word wrap
See http://modauthkerb.sourceforge.net/ for more information about mod_auth_kerb.
Report a bug
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat