Ok, so I wanted to do single sign-on on an Apache server which is running Nagios. I have been looking on google and always get patchy results when setting up kerberos AD-integration on apache, so I decided to try and put the solution that worked for me here.<\/p>\n\n\n\n
logon to “users and computers” on your active directory server and create a standard domain user. This users does not need to have any special permissions. <\/p>\n\n\n\n
My installation is on Centos 6.5 but im sure it will work on others.<\/p>\n\n\n\n
Install Apache module<\/p>\n\n\n\n
\n# yum install libapache2-mod-auth-kerb krb5-user\n<\/pre>\n\n\n\nCreate keytab-file<\/h2>\n\n\n\n
now you have to log on to the windows domain controller and generate a keytab file. As log as you have the windows support tools installed you should have no problems creating the file.<\/p>\n\n\n\n
C:\\>ktpass -in C:\\Temp\\kerberos_hostname.keytab -princ HTTP\/<fqdn-cname-in-DNS>@WINDOWSDOMAIN -mapuser <kerberosuser-AD-username>@WINDOWSDOMAIN -pass <kerberosuser-AD-password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\\Temp\\kerberos_concatenated_hostnames.keytab<\/pre>\n\n\n\nreplace the following with your environment variables<\/p>\n\n\n\n
kerberos_hostname.keytab\nfqdn-cname-in-DNS@WINDOWSDOMAIN\nkerberosuser-AD-username@WINDOWSDOMAIN\nkerberosuser-AD-password\nkerberos_concatenated_hostnames.keytab<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
Set up keytab-file<\/h2>\n\n\n\n
using Winscp Copy over the file you have just generated from the domain controller, to the tmp folder in centos.<\/p>\n\n\n\n
copy over the file to it final location and set the permissions.<\/p>\n\n\n\n
#cp \/tmp\/kerbros.keytab \/etc\/kerbros.keytab\n#chmod 0644 \/etc\/kerbros.keytab<\/pre>\n\n\n\nSet-Up Apache <\/h2>\n\n\n\n
now we need to change the httpd configuration file for the virtual site you are running.<\/p>\n\n\n\n
add the following line to the configuration file.<\/p>\n\n\n\n
AuthType Kerberos\nAuthName \"Some Name\"\nKrbAuthRealms WINDOWSDOMAIN\nKrbServiceName HTTP\nKrb5Keytab \/path\/to\/keytab-file\nrequire valid-user<\/pre>\n","protected":false},"excerpt":{"rendered":"Ok, so I wanted to do single sign-on on an Apache server which is running Nagios. I have been looking on google and always get patchy results when setting up kerberos AD-integration on apache, so I decided to try and put the solution that worked for me here. Create Standard user in Active Directory logon to […]<\/p>\n","protected":false},"author":1,"featured_media":195,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[40,43,58,26],"tags":[55,56,57,59],"class_list":["post-110","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-nagios-monitoring","category-server-2012","category-uncategorized","tag-active-directory","tag-apache","tag-kerberos","tag-single-sign-on"],"yoast_head":"\n
Kerberos AD-integration for Single Sign-On in Apache<\/title>\n<meta name=\"description\" content=\"Kerberos AD-integration Active Directory Apache Single Sign On\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kerberos AD-integration for Single Sign-On in Apache\" \/>\n<meta property=\"og:description\" content=\"Kerberos AD-integration Active Directory Apache Single Sign On\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/\" \/>\n<meta property=\"og:site_name\" content=\"Ketan Desai\" \/>\n<meta property=\"article:published_time\" content=\"2015-05-19T20:15:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-22T16:40:04+00:00\" \/>\n<meta name=\"author\" content=\"Ketan Desai\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ketan Desai\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/\"},\"author\":{\"name\":\"Ketan Desai\",\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/#\\\/schema\\\/person\\\/76fbe7aaa79643c166c5c2475fc01424\"},\"headline\":\"Implementing Kerberos AD-integration for Single Sign-On in Apache\",\"datePublished\":\"2015-05-19T20:15:59+00:00\",\"dateModified\":\"2026-03-22T16:40:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/\"},\"wordCount\":212,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/#\\\/schema\\\/person\\\/76fbe7aaa79643c166c5c2475fc01424\"},\"image\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"keywords\":[\"Active Directory\",\"Apache\",\"Kerberos\",\"Single Sign On\"],\"articleSection\":[\"Linux\",\"Nagios\",\"Server 2012\",\"Uncategorized\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/\",\"url\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/\",\"name\":\"Kerberos AD-integration for Single Sign-On in Apache\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2015-05-19T20:15:59+00:00\",\"dateModified\":\"2026-03-22T16:40:04+00:00\",\"description\":\"Kerberos AD-integration Active Directory Apache Single Sign On\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/2015\\\/05\\\/19\\\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/ketandesai.co.uk\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Implementing Kerberos AD-integration for Single Sign-On in Apache\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/#website\",\"url\":\"https:\\\/\\\/ketandesai.co.uk\\\/\",\"name\":\"Ketan Desai\",\"description\":\"Anything IT\",\"publisher\":{\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/#\\\/schema\\\/person\\\/76fbe7aaa79643c166c5c2475fc01424\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/ketandesai.co.uk\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/ketandesai.co.uk\\\/#\\\/schema\\\/person\\\/76fbe7aaa79643c166c5c2475fc01424\",\"name\":\"Ketan Desai\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g\",\"caption\":\"Ketan Desai\"},\"logo\":{\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g\"},\"sameAs\":[\"http:\\\/\\\/staging.ketandesai.co.uk\"],\"url\":\"https:\\\/\\\/ketandesai.co.uk\\\/index.php\\\/author\\\/ketandesaiadmin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Kerberos AD-integration for Single Sign-On in Apache","description":"Kerberos AD-integration Active Directory Apache Single Sign On","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/","og_locale":"en_GB","og_type":"article","og_title":"Kerberos AD-integration for Single Sign-On in Apache","og_description":"Kerberos AD-integration Active Directory Apache Single Sign On","og_url":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/","og_site_name":"Ketan Desai","article_published_time":"2015-05-19T20:15:59+00:00","article_modified_time":"2026-03-22T16:40:04+00:00","author":"Ketan Desai","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ketan Desai","Estimated reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#article","isPartOf":{"@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/"},"author":{"name":"Ketan Desai","@id":"https:\/\/ketandesai.co.uk\/#\/schema\/person\/76fbe7aaa79643c166c5c2475fc01424"},"headline":"Implementing Kerberos AD-integration for Single Sign-On in Apache","datePublished":"2015-05-19T20:15:59+00:00","dateModified":"2026-03-22T16:40:04+00:00","mainEntityOfPage":{"@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/"},"wordCount":212,"commentCount":0,"publisher":{"@id":"https:\/\/ketandesai.co.uk\/#\/schema\/person\/76fbe7aaa79643c166c5c2475fc01424"},"image":{"@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#primaryimage"},"thumbnailUrl":"","keywords":["Active Directory","Apache","Kerberos","Single Sign On"],"articleSection":["Linux","Nagios","Server 2012","Uncategorized"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/","url":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/","name":"Kerberos AD-integration for Single Sign-On in Apache","isPartOf":{"@id":"https:\/\/ketandesai.co.uk\/#website"},"primaryImageOfPage":{"@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#primaryimage"},"image":{"@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#primaryimage"},"thumbnailUrl":"","datePublished":"2015-05-19T20:15:59+00:00","dateModified":"2026-03-22T16:40:04+00:00","description":"Kerberos AD-integration Active Directory Apache Single Sign On","breadcrumb":{"@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/ketandesai.co.uk\/index.php\/2015\/05\/19\/implementing-kerberos-ad-integration-for-single-sign-on-in-apache\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ketandesai.co.uk\/"},{"@type":"ListItem","position":2,"name":"Implementing Kerberos AD-integration for Single Sign-On in Apache"}]},{"@type":"WebSite","@id":"https:\/\/ketandesai.co.uk\/#website","url":"https:\/\/ketandesai.co.uk\/","name":"Ketan Desai","description":"Anything IT","publisher":{"@id":"https:\/\/ketandesai.co.uk\/#\/schema\/person\/76fbe7aaa79643c166c5c2475fc01424"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ketandesai.co.uk\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":["Person","Organization"],"@id":"https:\/\/ketandesai.co.uk\/#\/schema\/person\/76fbe7aaa79643c166c5c2475fc01424","name":"Ketan Desai","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/secure.gravatar.com\/avatar\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g","caption":"Ketan Desai"},"logo":{"@id":"https:\/\/secure.gravatar.com\/avatar\/6587572e3884edb2f25ce127069b15f15da32278153bc9b4d2568156fcb6ec41?s=96&d=mm&r=g"},"sameAs":["http:\/\/staging.ketandesai.co.uk"],"url":"https:\/\/ketandesai.co.uk\/index.php\/author\/ketandesaiadmin\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/110","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=110"}],"version-history":[{"count":2,"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/110\/revisions"}],"predecessor-version":[{"id":1056,"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/110\/revisions\/1056"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ketandesai.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}