
HOWTO: Install, configure and test the Centrify Apache HTTP SSO Module

11 April 2019 at 11:49 AM

What you'll need

  • A Centrified Unix/Linux system running Apache
    Joined to the domain either in zone or workstation mode.
  • Apache HTTP server running
    You need to know the version and architecture to obtain the appropriate Centrify bits.
  • A domain-joined Windows PC (or a Centrified Mac) with a web browser, to test access from an authenticated system (SPNEGO is not available in Safari)

Implementation Steps

Information gathering

  1. Collect the OS version, architecture, version of the Centrify adclient and whether an SPN for HTTP is registered.
    uname -a, adinfo -v and adinfo -C | grep http provide that information.
  2. Collect the service status, version, architecture and whether dynamically loaded modules (DSO) are enabled.
    httpd -V and httpd -l (look for mod_so.c) provide this info.
  3. Make sure the Apache home page (if enabled) is accessible from the Windows client.
  4. Obtain the proper version of the Apache HTTP SSO plugin from the Centrify Customer Support Center.
    Based on the information from steps 1 and 2, you can select which package to download. For example, on my CentOS 6.x, 64-bit, Apache 2.2 system:

$ uname -a
Linux engcen8.centrifyimage.vms 2.6.32-504.el6.x86_64 #1 SMP Wed Oct 15 04:27:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ adinfo -v
adinfo (CentrifyDC 5.2.0-218)

$ adinfo -C | grep http
                           http/cen3.corp.contoso.com
                           http/cen3

$ dzdo service httpd status 
httpd (pid  2811) is running...

$ httpd -V
Server version: Apache/2.2.15 (Unix)
Architecture:   64-bit

$ httpd -l | grep mod_so.c
  mod_so.c

It looks like my server is running CentOS 6.x and Centrify 5.2; the SPN for HTTP is cen3.corp.contoso.com. As far as Apache goes, it is a 64-bit Apache 2.2. Based on this information, I will download the package "DirectControl for Apache HTTP Server on RHEL 4, 5, 6, Fedora 14, 15, 16, 17 x86_64"; the version is 4.4.3 as of the original post in November 2014.

Installation

Unpack and install the SSO plugin:

$ tar xzvf centrify-apache-4.4.4-rhel3-x86_64.tgz

The installation file on RHEL for this version is called centrifydc-apache-4.4.4-rhel3-x86_64.rpm, so perform a yum or rpm install.

$ dzdo rpm -Uvh centrifydc-apache-4.4.4-rhel3-x86_64.rpm

Preparing...                ########################################### [100%]

   1:CentrifyDC-apache      ########################################### [100%]

Configuration of the Sample Application

Centrify provides a working sample app that shows how to use the plugin's directives. To enable it, include the path to the corresponding config file in /etc/httpd/conf/httpd.conf. The sample apps live in /usr/share/centrifydc/apache/samples and, since I'm running Apache 2.2.x 64-bit, all I need to do is add this line

Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf

and restart the Web Server.

$ dzdo vi /etc/httpd/conf/httpd.conf

==> then 'G' to go to the end and 'o' to insert a line

# Include of Centrify Samples
Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf

==> then :wq! to save

$ dzdo service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

Verify that all is working as expected

  1. Sign in to a Windows client that is a member of your AD domain.
  2. Clear your Kerberos ticket cache by opening a command prompt and typing "klist purge":
    C:\Users\jerry.seinfeld>klist purge
    Current LogonId is 0:0x9bb0d
        Deleting all tickets:
        Ticket(s) purged!
  3. Open Internet Explorer and go to Internet Options > Security > Local Intranet > Sites > Advanced and make sure that your browser has the FQDN or the suffix of the SPN for HTTP registered by the server (or a wildcard, as here).
    [Screenshot: Internet Explorer - Local Intranet]
    If using Firefox, go to about:config, search for network.automatic-ntlm-auth.trusted-uris and add the SPN's suffix or FQDN there.
  4. Browse to http://{your-server}/samples. This exposes the Centrify sample pages. Click on Kerberos. If everything is correct, you should see output that looks like this:
    [Screenshot: Apache Sample App]
  5. Now if you inspect your Kerberos ticket cache, you'll see something like this (truncated):
    C:\Users\jerry.seinfeld>klist
    Current LogonId is 0:0x9bb0d
    #0>     Client: jerry.seinfeld @ CORP.CONTOSO.COM
            Server: krbtgt/CORP.CONTOSO.COM @ CORP.CONTOSO.COM

    #1>     Client: jerry.seinfeld @ CORP.CONTOSO.COM
            Server: HTTP/cen3.corp.contoso.com @ CORP.CONTOSO.COM

Ticket #0 is the Kerberos TGT and #1 is the service ticket that Jerry requested to access the Apache HTTP service on CEN3.
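As an added example (not part of the original article and not Centrify's tooling), the shell script below turns the information-gathering checks from steps 1 and 2 and the verification section above into functions that take command output as text, plus a server-side cross-check that the module answers an unauthenticated request with a Negotiate challenge. The config-name pattern for versions other than Apache 2.2 64-bit, the hostname default and the 401 + "WWW-Authenticate: Negotiate" response of an SPNEGO-enabled site are assumptions.

```shell
#!/bin/sh
# Pre-flight and post-install checks for the Centrify Apache SSO module.
# Added example, not Centrify's tooling. Each check takes command output as
# an argument, so it works on live commands or on captured text.

# 0 if `adinfo -C` output ($1) lists an http/ SPN for host $2 (short or FQDN).
# Dots in $2 act as regex wildcards, which is fine for a presence check.
spn_registered() {
    printf '%s\n' "$1" | grep -iq "^[[:space:]]*http/$2[[:space:]]*\$"
}

# 0 if `httpd -l` output ($1) contains mod_so.c, i.e. DSO modules can load.
mod_so_enabled() {
    printf '%s\n' "$1" | grep -q 'mod_so\.c'
}

# Derive the sample config to Include from `httpd -V` output ($1):
# Apache/2.2.15 + 64-bit -> centrify22_64.conf (the name the article uses;
# other version/arch combinations are assumed to follow the same pattern).
sample_conf_name() {
    mm=$(printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9]*\)\.\([0-9]*\).*#\1\2#p')
    bits=$(printf '%s\n' "$1" | sed -n 's#^Architecture:[[:space:]]*\([0-9]*\)-bit.*#\1#p')
    [ -n "$mm" ] && [ -n "$bits" ] || return 1
    printf 'centrify%s_%s.conf\n' "$mm" "$bits"
}

# 0 if response headers ($1, e.g. from `curl -sI URL`) show an SPNEGO-enabled
# site: an unauthenticated request gets 401 plus "WWW-Authenticate: Negotiate".
negotiate_offered() {
    printf '%s\n' "$1" | grep -q '^HTTP/[0-9.]* 401' &&
        printf '%s\n' "$1" | grep -iq '^WWW-Authenticate:[[:space:]]*Negotiate'
}

# Live run on the Centrified web server (needs adinfo, httpd and curl).
# $1 = host name used in the SPN; defaults to this machine's FQDN (assumed).
preflight() {
    host=${1:-$(hostname -f)}
    spn_registered "$(adinfo -C)" "$host" || { echo "no http/$host SPN"; return 1; }
    mod_so_enabled "$(httpd -l)" || { echo "mod_so.c not compiled in"; return 1; }
    echo "sample config to Include: $(sample_conf_name "$(httpd -V)")"
    negotiate_offered "$(curl -sI "http://$host/samples/")" &&
        echo "Negotiate challenge offered on /samples/"
}
```

Run `preflight cen3.corp.contoso.com` (or your own host) on the web server after the Include and restart; a missing SPN or a site that never sends the Negotiate challenge is the usual reason the Windows client falls back to a password prompt.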

From a domain-joined computer, with the default configuration, any valid AD user has access. The directives to add to your Apache web sites are as follows:

# Note: Apache does not accept a comment on the same line as a directive,
# so each explanation is on its own line.
# This directive enables the Centrify plugin for the site.
AuthType           CENTRIFYDC
# This directive enables Basic Auth (use only with SSL).
EnableBasicAuth    true
# This directive enables NTLM authentication.
EnableNtlmAuth     true
# This directive enables Kerberos authentication.
EnableKerberosAuth true
# This directive controls authorization. valid-user is any AD-authenticated user.
Require            valid-user

The Require directive can also be used for AD-based authorization. For example, if I want to allow only the members of the "Demo Users" AD group, the Require line will look like this:

Require group "Demo Users"

Plugin in Action - phpPgAdmin

In this example, we'll use the Apache SSO plugin to AD-enable the phpPgAdmin app. phpPgAdmin provides a web interface to manage PostgreSQL. To install it (e.g. on CentOS 6.x):

Add the repository

$ wget http://yum.postgresql.org/9.1/redhat/rhel-6.3-x86_64/pgdg-centos91-9.1-4.noarch.rpm

$ dzdo rpm -Uvh pgdg-centos91-9.1-4.noarch.rpm

Install the app

$ dzdo yum install phpPgAdmin

Configure the App to accept local connections

Edit /etc/httpd/conf.d/phpPgAdmin.conf and allow your client network inside its Location stanza, for example:

# The article's example network is 10.0.0.0; a bare address matches only one
# host, so give the range (adjust to your client network)
Allow from 10.0.0.0/8

Restart the Web Server

$ dzdo service httpd restart

Verify Access by browsing to your server in the /phpPgAdmin virtual directory:

[Screenshot: phpPgAdmin - Home]

To enable access with the Centrify plugin, add the directives below inside the Location stanza of /etc/httpd/conf.d/phpPgAdmin.conf. In this case we are limiting access to members of the Demo Users AD group.

    AuthType           CENTRIFYDC
    EnableBasicAuth    true
    EnableNtlmAuth     true
    EnableKerberosAuth true
    Require group "Demo Users"

Don't forget to restart the Apache Server!!!
