"Earl, Kevan C" <kevan.e...@astrazeneca.com> wrote in message 
news:3154febcfb92804da39a2560e17183760341f...@ukaprdembx02.rd.astrazeneca.net...
> Hello,
>
> I'm after some advice on how to configure Kerberos v5 to authenticate 
> users from different Windows domains to the same Apache hosted 
> application.  Is this possible?  If so, is there a simple guide on what 
> needs to be done in order to achieve it that can be shared with me?
>
> I have Kerberos v5 installed with a Kerberos-capable version of Apache on 
> AIX 5.3.
> I have had a keytab file generated in the Windows "EU" domain, and have 
> configured the server so the application authenticates users from the "EU" 
> domain.
>
> /etc/krb5.conf is similar to:
>
> [libdefaults]
>        default_realm = EU.COMPANY.NET
>
> [realms]
>        EU.COMPANY.NET = {
>                kdc = eudc01.eu.company.net
>                admin_server = eudc01.eu.company.net
>                default_domain = eu.company.net
>                }
>
> [domain_realm]
>        .svr_domain.company.net = EU.COMPANY.NET
>        svr_domain.company.net = EU.COMPANY.NET
>
> What do I need to do in order to also authenticate users from the 
> company's "US" domain, which is controlled by separate domain 
> controller(s), to the application?
>

If the domains have a trust you don't need to do anything. If they don't 
have trust then you need to create a second keytab entry for the host in the 
US DC with a second DNS name.

e.g. In the EU domain the server is server.eu.company.net with a key 
HTTP/server.eu.company....@eu.company.net in eudc01 and in the US domain the 
server is server.us.company.net with a key 
HTTP/server.us.company....@us.company.net in usdc01.

Merge both keys in one keytab for Apache and configure the Apache Kerberos 
module to accept all names (I think it is KrbServiceName Any in 
mod_auth_kerb).


> Any help anyone can give me would be very gratefully received.
>
> Regards,
> Kevan Earl
>

Regards
Markus
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

