Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3318: QuickStart guide to setup the Centrify Apache HTTP SSO module.

12 April,16 at 11:08 AM

Applies to: Centrify DirectControl, Redhat and Debian based distributions

Question:

How to set up the Centrify Apache HTTP SSO module?

Answer:

The procedures are printed in centrify-apache-guide.pdf, which can be downloaded from the link below:
http://www.centrify.com/downloads/products/documentation/suite2013/centrify-apache-guide.pdf 


Here is a summary of the key steps.
  1. Install the Centrify DirectControl agent on the Unix/Linux host.
    This is a prerequisite for installing Centrify's Apache HTTP SSO module

  2. Install the Centrify Apache plug-in package.

    // With Debian based distribution
    root@sp007# tar -xzf centrify-apache-4.4.4-deb5-x86_64.tgz
    root@sp007# dpkg -i centrifydc-apache-4.4.4-deb5-x86_64.deb

    // With Redhat based distribution
    root@sp007# tar -xzf centrify-apache-4.4.4-rhel3-x86_64.tgz
    root@sp007# rpm -Uvh centrifydc-apache-4.4.4-rhel3-x86_64.rpm

  3. Verify Apache's version
    root@sp007# apache2 -v
    Server version: Apache/2.2.22 (Ubuntu)
    Server built:   Mar  8 2013 15:53:14

  4. Confirm whether the Unix/Linux is running 32 or 64 bit
    root@sp007# uname -m
    x86_64

  5. Make sure Centrify Apache SSO module's path exist:
    root@sp007# ls -l /usr/share/centrifydc/apache/lib

    Two key modules will be installed:
    - Active Directory authentication: mod_auth_centrifydc_xx
    - AD FS authentication: mod_adfs_centrifydc_xx
    Where xx is the Apache version number 20 (for 2.0), 22 (for 2.2) and 24 (for 2.4).

    The sample configuration file is also version-dependent. It has the following format:
    centrifyxx[_64].conf
    Where xx indicates the Apache version.
    If the file name contains _64, it indicates the version to be used on platforms with a 64-bit processor.

  6. Verify if Apache server supports dynamically loaded objects.
    Run command below and see if mod_so.c is listed
    root@sp007# apache2 -l
    Compiled in modules:
      core.c
      mod_log_config.c
      mod_logio.c
      mod_version.c
      worker.c
      http_core.c
      mod_so.c

  7. Include centrify.conf in /etc/apache2/httpd.conf. If this file does not appear, add it to /etc/apache2/apache2
    Edit the Apache server configuration file httpd.conf to include the DirectControl for Web Applications for Apache authentication module and sample applications directives.

    This example is running Apache 2.2 64-bit version.
    Include /usr/share/centrifydc/apache/samples/conf/centrify22_64.conf

  8. After the configuration, restart Apache
    root@sp007# /usr/sbin/apachectl restart

  9. In order to test Single-Sign-On, silent authentication need to be enabled on browser:

    • Configuring silent authentication in Firefox
    1. Open Firefox.
    2. Navigate to the URL: about:config
    3. Type neg in the Filter field.
    4. Select and right-click to modify: network.negotiate-auth.delegation-uris
      Enter a comma-separated list of partner URLs or domain names as string values, then click OK.
      For example, enter: http://test.virtual.local,https://test.virtual.local

      Note: For best security, be as restrictive as possible when specifying the list of trusted sites.
    5. Repeat for: network.negotiate-auth.trusted-uris

    • Configure silent authentication in Internet Explorer
    1. Open Internet Explorer and select Tools > Internet Options
    2. Click the Advanced tab.
    3. Scroll down to the Security settings.
    4. Check the Enable Integrated Windows Authentication box.
    5. Restart IE.

    • Add the Web Server to the Local Intranet Security Zone.
      If some users log on to Web applications using a fully-qualified path in the URL, they may need to modify the settings for the Local Intranet Security Zone in their Internet Explorer Web browser to enable silent authentication.
      To configure the local intranet security zone in Internet Explorer:
    1. Open Internet Explorer and select Tools > Internet Options
    2. Click the Security tab.
    3. Click the Local intranet icon.
    4. Click Sites.
    5. Click Advanced.
    6. Type the URL for the website to be made part of the local intranet, then click Add. 
      Wildcards can also be used in the site address, for example: *://*.virtual.local

  10. Try accessing Centrify's sample pages to verify the setup:
    http://test.virtual.local/samples

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-2359: How to configure a Kerberos based SSO solution in WebLogic & Oracles Http Server ( OHS) environment? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-3925: How to add Centrify parameter to a group policy articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-3145: How to configure Apache directives in Apache 2.4 articleKB-2471: Apache PAM access failure articleKB-8951: Centrify Product Naming Changes - July 2017 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD?