Likewise Enterprise lets you join Linux and Unix computers running the Apache HTTP Server to Microsoft Active Directory, yielding a range of benefits for users, system administrators, and managers.
Users get single sign-on: They log on once to a workstation that is authenticated through Active Directory and automatically receive Kerberos-based single sign-on for other computers and applications, including the Apache web server. System administrators rest easy with the knowledge that users accessing your intranet through HTTP are securely authenticated with Kerberos 5 and authorized for access to the resources on your Apache web server. Managers see their operational costs drop as their Linux and Unix computers running Apache are centrally managed within Active Directory. Security managers find help in their quest for regulatory compliance.
Integrated Windows Authentication
Integrated Windows Authentication was introduced with the Microsoft Windows 2000 operating system. It is based on the SPNEGO, Kerberos, and NTLMSSP protocols. The SPNEGO protocol is used between the web browser and the web server to negotiate the type of authentication that will be performed, usually either Kerberos or NTLMSSP. Kerberos is the preferred authentication mechanism. Both Kerberos and NTLMSSP are secure protocols that allow computers to authenticate a user over a non-secure channel. For web sites, this means that the Secure Sockets Layer (SSL) protocol does not need to be enabled during the authentication phase.
Why use Integrated Windows Authentication?
Integrated Windows Authentication improves the overall security of a network because the user must log on by using his or her username and password only once. All subsequent accesses by that user to resources -- such as web sites, file systems, and network printers -- are automatically authenticated with cached security tokens. Using Integrated Windows Authentication has the benefit of a centralized user account database where information about all users is kept in Active Directory. This is more secure than duplicating user names and passwords in configuration files across various server computers, not to mention the management overhead of doing so.
Likewise Apache Authentication Architecture
The Likewise Apache Authentication architecture extends Integrated Windows Authentication to the Apache web server running on a Linux or Unix system. The authentication is implemented in a dynamically loaded Apache module: mod_auth_kerb_centeris. This module is based on a BSD licensed Apache module called mod_auth_kerb, but includes modifications so that it works with Likewise.
An additional module - mod_auth_sys_group - is used to provide authorization limiting access to the web site to the domain users or groups that you specify.
The mod_auth_kerb_centeris module implements the SPNEGO, Kerberos, and Basic Authentication protocols. In doing so, it provides the majority of the Integrated Windows Authentication functionality, with the exception of the NTLMSSP protocol. The module uses the SPNEGO protocol to negotiate whether Kerberos or Basic Authentication is used.
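Because the module handles Kerberos and Basic but not NTLMSSP, it helps when troubleshooting to see which mechanism a browser actually sent in its Authorization header. The following is an added example, not code from Likewise or mod_auth_kerb; the function names and the sample token are constructed for illustration.

```python
import base64

OID_SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
MECHS = {                                              # mechanism OIDs (DER value bytes)
    bytes.fromhex("2a864886f712010202"): "kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
    bytes.fromhex("2b06010401823702020a"): "ntlmssp",  # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos):  # read one DER header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, pos, pos + length

def offered_mechs(token):
    """Mechanism names in the order the initial GSS-API/SPNEGO token offers them."""
    tag, pos, _ = _tlv(token, 0)
    if tag != 0x60:                                    # GSS-API initial context token
        raise ValueError("not a GSS-API initial token")
    _, start, pos = _tlv(token, pos)                   # thisMech OID
    if token[start:pos] != OID_SPNEGO:                 # bare mechanism token, no SPNEGO wrapper
        return [MECHS.get(token[start:pos], "unknown")]
    for expected in (0xA0, 0x30, 0xA0, 0x30):          # NegTokenInit, SEQUENCE, mechTypes, SEQUENCE OF
        tag, pos, end = _tlv(token, pos)
        if tag != expected:
            raise ValueError("unexpected SPNEGO layout")
    mechs = []
    while pos < end:
        _, start, pos = _tlv(token, pos)
        mechs.append(MECHS.get(token[start:pos], "unknown"))
    return mechs

def classify(authorization):
    """Authorization header value -> basic | kerberos | ntlmssp | unknown | malformed."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "basic" if scheme.lower() == "basic" else "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)  # may be raw NTLMSSP, not SPNEGO
        return "ntlmssp" if token.startswith(b"NTLMSSP\x00") else offered_mechs(token)[0]
    except (ValueError, IndexError):
        return "malformed"

SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed sample, not captured traffic
    "603206062b0601050502a0283026a024302206092a864882f71201020206092a864886f712010202060a2b06010401823702020a")).decode()
```

A header that classifies as ntlmssp means the client did not present a Kerberos ticket, which is the case the module's SPNEGO implementation does not cover.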
Overview of Setup Process
- Confirm that your components meet the requirements.
- Install the mod_auth_kerb_centeris and mod_auth_pam Apache authentication modules.
- Configure the main Apache server or Virtual Host to use SSL (optional).
- Generate a Kerberos keytab file for the Apache server.
- Configure the mod_auth_kerb_centeris.so and mod_auth_sys_group.so modules.
For More Information
Find out more about how to set up single sign-on for Apache by reading the following single sign-on (SSO) technical note: Configuring Apache Web Server For Single Sign-On with Likewise


